AZ-305 Designing Microsoft Azure Infrastructure Solutions Study Cram

Captions
Hey everyone, in this video I want to provide an AZ-305 study cram: the path to the Azure Solutions Architect Expert certification, what to expect in the exam, and then a high-level pass over all the knowledge you'll actually need, so you could watch this just before taking it. As always, please like, subscribe, comment and share; a huge amount of work goes into these videos, especially this one, and hit that bell icon.

Our focus is AZ-305, the final exam towards the architect certification. This is part of the new path to get there: the architect cert needs two exams. AZ-305 is the second one, but first you take AZ-104, the infrastructure administration exam. Those two together, the Azure Administrator Associate (AZ-104) plus a pass on AZ-305, give you the architect certification. I already have a full playlist of prep for AZ-104, and my assumption for this video is that you've watched it and done all of that study; there are a lot of videos in there, including my master class, and then I've got a study cram. So you take the AZ-104 admin exam, then do additional study, more around the architecture components, for AZ-305. It isn't that much more complex: it's not focused on how you do things, it's focused on which components you need to use.

Your starting point, as always, should be MS Learn. Right now the exam is in beta, and the AZ-305 page walks through that same path: take the Azure Administrator Associate cert, then pass the 305. You can schedule the exam from there, and it lists the key areas, the skills measured, and how to prepare, with a free learning path. I'm going to break this cram down along those same learning paths so you can use it to refresh. Notice it finishes with the Microsoft Azure Well-Architected Framework; there's no rocket science there, it really just builds on the key components we think about with architecture, but I'll frame this study cram the same way as those Learn modules to help out. I also have a playlist for AZ-305; it doesn't repeat the 104 content, since I'm expecting you've done that already. These are additional, more architecture-related things that apply to AZ-305.

A key point: yes, Microsoft is changing the path to architect, but if you already have the certification this does not apply to you. If you've got your Architect Expert, you're done; you just do the annual renewal and you don't have to take 305 at all. This is only if you don't have it yet. I did sit the AZ-305, not because I needed it (I already have the architect cert) but to understand what the exam is like so I could create this cram for all of you.

You get two hours for the exam; I had 61 questions. Of those, I think I had three case studies, each with four to five questions. Remember, a case study is typically the scenario, the current state, and then the requirements, business and technical. The details vary, but I found them quite clear. It wasn't like the network certification where everything was intertwined and you were jumping around fifty different pages; the case-study questions really refer to a particular page of the case study. So go through the case study first, have a quick browse, look for key details, then read the question; it will typically direct you to a particular page of the materials ("App1 has these technical requirements, how would you meet them?" with a list of options), so you go and look at App1's technical requirements.

In addition there were regular questions: here's a list of components, which of these would solve the problem? Or: you're using these components, how many instances of that component do you need? That means knowing a component's limits and boundaries, maybe per subscription, maybe per region, to work out how many you need. You also get the ones with a problem statement: they describe what you're trying to solve, then propose a solution and ask whether it meets the requirement or not. Once you answer you cannot go back, because they'll show the same problem statement two or three more times with different solutions and ask the same question, and a later option might reveal your earlier answer was wrong. They're not in order of quality either; the correct answer might come first. So read the problem statement, read the offered solution, think the scenarios through: does it meet the requirement or not? Multiple ones might meet it; maybe none of them do. But you can't go back, so think carefully.

It took me 50 minutes; I rushed, because I didn't particularly care about the score, but I did answer everything, and I thought it was a fairly simple exam, nothing super complex. At the end of the day there are no trick questions. Azure as a product is designed to be usable by the public; they're not going to name things in a tricky way or hide things. If you're ever stuck, eliminate the obviously wrong options and think about the most logical way to solve the problem: if I was going to solve this, how would I architect it? That's probably the right answer.
Generally there are a couple of answers you can eliminate straight away. How would I architect this? Is it cheese? Definitely not cheese. It's not a hot dog. Oh, a virtual network? Okay, it's probably the virtual network. So eliminate the obviously wrong things and go for the one that makes sense. Don't panic; it's an exam. Take your time, relax, and let's get down to the review of the particular areas. If you saw my 104 study cram, you know the board started to fail because the new whiteboard app has scale limitations, so I'm going to create a new board for each key section, but I'll try to bring them all together at the end for one download.

The first area is designing identity, governance and monitoring. If I think about Azure management, there are really four key constructs. First there's Azure AD itself: we have a particular Azure Active Directory tenant that is the identity provider for the environment. Next come management groups. There is always a root management group directly under the Azure AD tenant, and under that I can build a hierarchy of management groups up to six levels deep, not including the root or the subscriptions. At a management group I can apply things like policy (what you can do), role-based access control (who can do it), and budgets (how much). Then I get subscriptions: a subscription is a logical container, a unit of management, and I have those same options, policy, role-based access control and budgets, at the subscription as well. All of these inherit down, so a policy applied at the root or a high-level management group gets inherited by the child management groups and the subscriptions beneath them.

Within a subscription I create one or more resource groups, and again I can apply policy, RBAC and budgets there. I can have lots of resource groups, and a resource group is not a communication boundary: resources in one resource group can use resources in other resource groups. When architecting these constructs, a resource group typically holds things with a common life cycle: they get created together, run together, and get deleted together, and typically I give people the same set of permissions to everything in a resource group. How many subscriptions should you have? It varies. A subscription is a boundary for certain things: a virtual network, for example, lives within one subscription. I might have a core subscription for core services like my ExpressRoute connections and my domain controllers. Subscriptions do have limits, so maybe I need multiple subscriptions because of some limit I'm hitting, but I don't want too many, so part of my design is working out the right number based on the various requirements. Resource groups have a lot of the same capabilities, so where I can, I'd rather use a resource group.

When I create a resource group I do pick a region, but that region is only where the metadata for the resource group is stored; it does not restrict the resources I can put in it. A resource group in East US can contain resources in West US. So if I'm trying to limit where resources can be created, a policy that only constrains where resource groups get created wouldn't do anything; I need to constrain where resources get created. I could apply that policy at the resource group, since it gets inherited down, but the target is resource locations, not resource group locations. Also remember a resource lives in one and only one resource group, and resource groups can't be nested; it's a flat structure.

So those are the key constructs, and we'll come back to them, but in short: policy is what you can do, role-based access control is who can do it, and budget is how much. If you see questions like "we need to control where things can be created" or "only this type of thing can be created", that's a policy, and the level you apply it at depends on the scope they're asking about. Policies are basically guardrails. I can group policies into initiatives and apply the initiative at one of those scopes: management group, subscription, resource group, and again it inherits down. We also have resource tags. A tag is just metadata, a key-value pair I can assign, and it's really useful for tracking aspects of my management structure: maybe a cost center, maybe a creation date. Tags are not inherited: a tag on the resource group is not inherited by the resources inside it, but we can use policy to accomplish that.

If we jump over and look at policy in the portal, it's really doing two things: enforcement, the guardrails that control what you can do, and compliance checking, how in line am I with my initiatives. Under definitions we have the individual policies, and if I search for "tag", notice there's an option like "Inherit a tag from the resource group". What that does is: if tags aren't set on the individual resource and that's a requirement, Azure Policy copies the tag from the resource group onto the resource. And instead of assigning individual policies I can create initiatives, which group multiple policies together; that makes them easier to assign and easier to track compliance against, because generally I care about multiple policies together achieving some desired state.
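To make that concrete, here's a minimal sketch of the rule portion of a policy definition along the lines of that built-in "Inherit a tag from the resource group", expressed as a Python dict. The tag name and the role GUID (Contributor here) are illustrative assumptions:

```python
# Sketch of the rule body of an Azure Policy definition similar to the
# built-in "Inherit a tag from the resource group" policy.
policy_rule = {
    "if": {
        # Fire when the resource is missing the tag but its resource group has it.
        "allOf": [
            {"field": "tags['costCenter']", "exists": "false"},
            {"value": "[resourceGroup().tags['costCenter']]", "notEquals": ""},
        ]
    },
    "then": {
        "effect": "modify",  # 'modify' can add/replace tags during create or update
        "details": {
            "roleDefinitionIds": [
                # Role the policy's managed identity needs for remediation
                # (Contributor GUID shown as an illustration).
                "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
            ],
            "operations": [
                {
                    "operation": "addOrReplace",
                    "field": "tags['costCenter']",
                    "value": "[resourceGroup().tags['costCenter']]",
                }
            ],
        },
    },
}
```

Assigned at a management group or subscription, the modify effect stamps the tag onto resources as they're created or updated, which is how tags get "inherited" even though tags themselves don't inherit.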
When I think about role-based access control, remember we have those different scopes: management groups, subscriptions, resource groups (policy can apply to any of those), and RBAC can even apply to an individual resource, though we don't commonly do that because it's very hard to manage. The idea is: there is some identity, living in my Azure AD; there is some scope; and there are roles, where a role is really just a set of defined actions. We give an identity a certain role at a certain scope, and that is a role assignment.

Roles really divide into the control plane, i.e. ARM, the Azure Resource Manager, and, increasingly, the data plane: not going through the ARM API but actually talking to blob storage, or queues, or maybe SQL. An easy place to see this is a storage account. If I open any storage account, go to Access control and look at the roles, take Storage Account Contributor: it has Actions (all these capabilities spread over different resource providers) but no DataActions, so that role gives me no access to the data itself. A different role, Storage Blob Data Owner, still has some Azure Resource Manager actions, but it also has DataActions: it can actually read and write blobs. That's how I can use Azure AD to access the underlying data stored in a resource, and that's the direction we want to move in as much as possible.

RBAC is cumulative: if I have one role assigned at the management group, another at the subscription, and another at the resource group, I get the sum of those permissions. There is no deny assignment outside of something called a blueprint or a managed application; today those are the only places you get an explicit deny. So I start with no permissions, and the roles granted to me add permissions. Ordinarily those roles apply all of the time, and we don't really like that; good architecture practice is just-in-time access. That's Privileged Identity Management: I request a role when I need it, maybe go through strong authentication like MFA, and I get it for a duration of time. That's an Azure AD Premium P2 feature. Another big challenge is knowing who has roles, who is in a group, who has access to an application, and the common answer there is access reviews, which are very flexible.
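To connect that Actions versus DataActions split to something tangible, here's a sketch of a custom role definition in the JSON shape Azure uses for roles, expressed as a Python dict; the name and scope are illustrative, and it mirrors the Storage Account Contributor versus Storage Blob Data Owner comparison above:

```python
# Sketch of a custom role definition showing the control-plane Actions
# vs data-plane DataActions split. Name and scope are illustrative.
custom_role = {
    "Name": "Blob Reader (custom, illustrative)",
    "Description": "Read blob data, no control-plane changes.",
    "Actions": [
        # Control plane (ARM): read the storage account object itself.
        "Microsoft.Storage/storageAccounts/read"
    ],
    "NotActions": [],
    "DataActions": [
        # Data plane: actually read blob contents.
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
    ],
    "NotDataActions": [],
    "AssignableScopes": [
        "/subscriptions/00000000-0000-0000-0000-000000000000"
    ],
}
```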
Access reviews are a P2 feature, part of identity governance, and they can review multiple things: who holds certain roles, who is in certain groups, who has access to certain applications. I can delegate those checks to certain people or even make it a self-review: hey, validate you still need this. So if a question asks "what is a good way to check someone still needs this role, group membership, or application access?", the answer is access reviews, part of Azure AD P2 identity governance. It's a very powerful capability.

In terms of deploying resources and stamping down access control, policies and resource groups, one of the big technologies today is Azure Blueprints. A blueprint is a construct consisting of artifacts, and it supports four key artifact types: resource groups (create a new resource group), ARM JSON templates (an infrastructure-as-code way to create resources), role-based access control assignments, and policy assignments. So in one blueprint I can create a resource group, deploy some resources, set particular permissions and apply policy. The blueprint definition gets stored at a certain level, for example a management group or a subscription, and it's then available to anything underneath that level. I then assign it, and those artifacts get stamped down. The assignment can use different lock modes: don't lock (create the resources, but people can change them), do not delete (they can't delete what the blueprint stamped down, but they can modify it), or read only (no modification at all). Those locks are at the Azure Resource Manager level; if the blueprint deployed a storage account, I could still perform data operations inside it, which is an important point.

Okay, so those are the key governance constructs. Now back to Azure AD. Most likely you're replicating into that tenant: on premises you have Active Directory Domain Services (we normally just call it Active Directory), and a user there gets replicated and created in Azure AD as a synchronized user. The way we do that is Azure AD Connect; there's also Azure AD Connect cloud sync, where the sync engine runs in the cloud instead of on premises and we just have lightweight connectors locally. As part of this, the recommendation is to also send the password hash, actually a hash of the hash. Having that hash of the hash replicated lets Azure AD do things like leaked-credential detection: because Azure AD has that hash of the hash (not the regular hash that might appear on the dark web), when Microsoft scans the dark web it can find your leaked credentials.
Things like Azure AD Identity Protection can then stop a breach replay: it says, look, we found your password out on the dark web, we should change it, we should make them do an MFA. That's a P2 feature. For a nice end-user experience, beyond synchronizing identities we also want to turn on things like seamless single sign-on: if I'm on a machine on a network that can talk to a domain controller, I can access Azure AD without doing anything else; it's a very easy, smooth interaction. The whole point is that Active Directory speaks Kerberos, NTLM and LDAP, which are not good for the cloud; Azure AD speaks the cloud protocols: OAuth 2, OpenID Connect, SAML, WS-Fed. A whole bunch of cloud applications then trust Azure AD as their identity provider, including Azure itself: Azure subscriptions trust a certain Azure AD tenant. There is also something called Azure AD Domain Services: if a question says "we need Kerberos or NTLM or legacy LDAP in an Azure subscription and we don't have a regular domain", Azure AD Domain Services creates a managed AD in a particular virtual network for you, so that would be the way to enable that.

That covers users from my AD, and I can create cloud-only accounts natively too, but what about other companies I'm working with? Maybe a partner has their own Azure AD tenant, or Microsoft accounts, or Gmail accounts, maybe their own SAML provider, or maybe I just want to email them a one-time passcode. I can add them using B2B, business-to-business, and they get a little stub account, a guest. B2B lets them keep using their existing credentials: the authentication, that initial "prove who you are", happens at whatever their source identity provider is; what happens on my side is the authorization, "are you allowed to do this", which includes things like conditional access (we'll get to that in a second). So if I'm adding partners and want to give them permissions and access to things that trust my Azure AD, most of the time the answer is: add them as a guest. If we jump into my Azure AD and look at users, you can see whether each one is a directory-synced user, i.e. it came from Active Directory, and then I have all these guests: one using mail, so it emails them a one-time passcode; Facebook; Gmail. I even have someone signing in via SMS, though that one's not a guest. So there are all these ways people can carry on using their existing accounts, and I have a deeper-dive video on these. One of the cool things: under External Identities you configure which identity providers are allowed; you can see I've added Google and Facebook, and I've enabled one-time passcodes.
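Under the hood, a B2B guest gets created via an invitation. Here's a minimal sketch of that call against the Microsoft Graph invitations endpoint; token acquisition isn't shown, and the email address and redirect URL are illustrative:

```python
import requests

token = "<graph-access-token>"  # assumes a token permitted to invite guests

invite = {
    "invitedUserEmailAddress": "partner@example.com",      # illustrative
    "inviteRedirectUrl": "https://myapps.microsoft.com",   # where the guest lands after redeeming
    "sendInvitationMessage": True,
}
resp = requests.post(
    "https://graph.microsoft.com/v1.0/invitations",
    headers={"Authorization": f"Bearer {token}"},
    json=invite,
    timeout=30,
)
resp.raise_for_status()
# The stub (guest) user object that now lives in my tenant:
print(resp.json()["invitedUser"]["id"])
```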
I've enabled basically everything here, but you might need to go and enable them yourself, and you could add a custom SAML or WS-Fed provider. The other cool thing is user flows: as part of a user flow I can let guests do a self sign-up, define particular steps I want them to go through, and then add them to groups and roles. Whatever path these guests take, they're just identities: I can add them to groups, give them roles; I have most of the same capabilities. So that's the B2B option.

Alternatively, maybe my company has created some fantastic application I'm super proud of, my awesome app, and I want to make it available to my customers. I do not want to add customers to my corporate Azure AD; that's a terrible idea. Instead there's a separate type of tenant: I can create an Azure AD B2C, business-to-consumer, instance. My app then trusts the B2C instance as its identity provider, and customers can either create local accounts in the B2C tenant or bring a huge range of social accounts, more than regular Azure AD supports today, things like Weibo and Twitter. So customers have a choice: create an account, or use an existing social account with the application. B2C has this fantastic ability to customize every pixel, I can hide the B2C URL with things like Azure Front Door, there are around a hundred custom attributes, and there's a whole onboarding flow; it's a really powerful solution. So if I have an app for my customers: B2C. Don't put customers in your corporate Azure AD tenant.

I mentioned conditional access and the fact that authorization, even for those B2B guests, happens at my Azure AD. Conditional access is a really powerful capability; think of it as the authorization layer. No matter which way I come in, I pass through conditional access. It's a feature of Azure AD Premium P1 and above (it's also bundled with other license types), and the whole point is that I can specify a whole set of conditions. It's easiest to just look: under Security, Conditional Access, if I create a new policy, I give it a name and then assign it to certain users, certain groups, or certain roles, so there's a lot of flexibility in targeting. I can target everything or particular cloud applications; we see all my custom applications plus the built-in ones, even Azure itself. Microsoft Azure Management covers Azure management and anything that goes through the portal, so if I want to control access to Azure itself, I target that app. Then come the conditions: user risk and sign-in risk (built on Azure AD Premium P2's identity protection feature), particular platforms, particular locations, device state (is it healthy according to something like Intune). And then, based on those conditions, I decide: do I block access, or grant it?
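As a rough picture of what such a policy looks like as an object, here's approximately the shape Microsoft Graph uses for conditional access; the group and named-location ids are placeholders:

```python
# Approximate shape of a conditional access policy: assignments (users,
# cloud apps), conditions (locations), and grant controls (require MFA).
ca_policy = {
    "displayName": "Require MFA for Azure management (illustrative)",
    "state": "enabled",
    "conditions": {
        "users": {"includeGroups": ["<admin-group-object-id>"]},
        "applications": {
            # Well-known app id for "Microsoft Azure Management".
            "includeApplications": ["797f4846-ba00-4fd7-ba43-dac1f8f63013"]
        },
        "locations": {
            "includeLocations": ["All"],
            "excludeLocations": ["<trusted-named-location-id>"],
        },
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}
```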
When I grant access I can require things: require MFA, require the device to be marked as compliant (again, by something like Intune), require hybrid join. There's a whole list of options, and there are session controls as well. Going back to locations: a location is either a public IP range I set, or even GPS coordinates now, or IP ranges for particular countries; I create named locations and target them with my conditional access. The whole point is that based on certain conditions, certain requirements have to be met before I'm let in, and a big one is making you do MFA. Note that for a B2B user, the MFA would still happen at my tenant; that's a key point.

Then there's identity protection, which I just touched on. Identity protection looks at the risk of an individual sign-in and of the user in general: things like impossible travel, an IP address that's been linked to malware or is part of some password spray attack, an anonymous IP (generally nothing good comes from an anonymous IP). It builds an overall risk status for the user, which can give me warnings and reports, can trigger certain actions, and can also feed into conditional access. Identity protection is a P2 feature, with its own checks and its own sets of actions I can drive from there.

We've talked about users in my company, in partners, and customers, but there's another big type of user: applications. Say I have an Azure subscription and I'm creating an application; applications often need to authenticate, because my app might want to access some other resource somewhere, and ideally I don't want to store secrets. One way is to create a service principal, an account for the app. It could use a secret, i.e. a password, or a certificate, but then the app has to store that credential somewhere. I've got a whole deep-dive video on app registrations, which is how an app registration creates that service principal and how to leverage it. A better option, rather than working out how to store a secret or certificate, applies when the caller is an Azure resource (and a huge number of resource types support this; it could be a VM, an AKS environment, it doesn't matter): turn on managed identity. The default is system-assigned, which means an identity, a service principal, exists but is managed for me automatically, and only that particular resource can use it; no one else can ask for it. With system-assigned the life cycle is one-to-one: that resource is that managed identity, and when the resource gets deleted, the managed identity goes away. Now I can say "hey, R1, you're a Contributor" on another resource, and without storing any kind of credential the resource can get access. Fantastic, phenomenal, for a single resource.
But what about something like a scale set behind a load balancer, a bunch of resources, say resources two, three and four? I could use a system-assigned managed identity on each, but I'd have to duplicate the permissions three times, or four, or ten. Instead I can create something called a user-assigned managed identity. This has a separate life cycle; call it UA-MI1, its own resource. I give all three resources permission to use UA-MI1, and then I give UA-MI1 its permissions, say Contributor, once. So the key point: system-assigned means only that one resource can use it and it shares the resource's life cycle; user-assigned has a separate life cycle, one-to-many, it doesn't go away if I delete the resources, and multiple resources that need the same set of permissions can share that single managed identity, which really cuts down the management. So if you see a question like "you have these 10 virtual machines that all need the same permissions, what's the minimum number of identities?", the answer is one managed identity, if it's user-assigned.

All things being equal, I'd just use a managed identity and give it the permissions on the target resource (remember those data-plane roles). But maybe there's some resource that just doesn't support that; I still need a secret, or a shared access signature. Where do we store those things? The best answer in Azure is Azure Key Vault. Key Vault stores secrets (a piece of data I can write and get back), keys (which I can import or generate but can't extract; I perform cryptographic operations within the key vault), and certificates (it can handle their life cycle and help with distribution), and it has full role-based access control. So I'd store the secret in my key vault and give the identity permission to it: maybe I give user-assigned managed identity one the get permission so it can fetch that secret and use it. The application still stores nothing: it authenticates to Azure AD as its user-assigned managed identity, uses that identity to get the secret, and then uses that secret to talk to whatever requires it.

There are two models for Azure Key Vault permissions. Key Vault actually started out with its own model that didn't really integrate with Azure RBAC: access policies. I create an access policy for a certain identity and grant permissions per object type. I can't be granular down to a certain secret or a certain key; I grant the permissions for all secrets, or all keys, in the vault. The permissions themselves are granular operations: get, list, set, delete, recover, backup and so on. To read a secret I just need get, that's the only permission required; to enumerate secrets I also need list; to change one I need set. So I can be super granular in the operations, but it applies to everything of that type in the vault.
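Tying those two pieces together, here's a minimal sketch with the Azure SDK for Python: authenticate as the user-assigned managed identity, then read a secret. The vault and secret names are illustrative, and the identity needs the get permission, or an equivalent data-plane role under the RBAC model discussed next:

```python
from azure.identity import ManagedIdentityCredential
from azure.keyvault.secrets import SecretClient

# On a VM/scale set with a user-assigned managed identity attached, pass
# its client id; omit client_id to use a system-assigned identity instead.
credential = ManagedIdentityCredential(client_id="<ua-mi-client-id>")

# Vault name is illustrative; the identity needs permission to read secrets.
client = SecretClient(
    vault_url="https://myvault.vault.azure.net",
    credential=credential,
)
secret = client.get_secret("third-party-api-key")
print(secret.name)  # never log secret.value in real code
```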
The other option, which is newer, is to change the vault's permission model to Azure role-based access control; notice there are then no access policies at all. That lets me set permissions at the level of an individual secret: there are data-plane roles like Key Vault Reader and Key Vault Secrets User, so an identity can read just that one secret and not the others. It's the more granular option available to me.

Some services abstract that away. Yes, I could absolutely write code and use the Azure APIs to fetch secrets, but if I'm using Azure Kubernetes Service, AKS has an Azure Key Vault CSI driver that exposes selected secrets as if they were part of the file system, so the app itself doesn't need to care about Key Vault; it just interacts with a file. If I'm using App Service, it has the concept of application settings, essentially environment variables, and an application setting can be a reference to a particular secret, so again I don't have to do anything special in my app; the secret just shows up as a setting.

Because Key Vault holds your secrets, resilience obviously matters: a vault replicates to its paired region, and if something happens to the primary region, the paired copy becomes available, but in read-only mode. I can get, I can list, but I can't delete things or modify values. So if it does fail over, the vault stays available, just with no change operations; that protection is built in.
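To make that App Service pattern concrete, here's roughly what such an application setting looks like; App Service resolves the reference at runtime and the app just reads a plain environment variable. Names are illustrative, and the app's managed identity needs read access to the secret:

```python
# Shape of an App Service application setting that references a Key Vault
# secret rather than embedding the value (as you'd pass to a template/SDK).
app_settings = [
    {
        "name": "ThirdPartyApiKey",
        "value": "@Microsoft.KeyVault("
                 "SecretUri=https://myvault.vault.azure.net/secrets/third-party-api-key/)",
    }
]
```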
So those are the key constructs from the identity and governance perspective; the next layer is monitoring. Monitoring is key to a lot of things, and we'll come back to it: if I were doing migrations, I'd need to understand the current usage of a system to make sure I'm migrating the right thing. Monitoring data can come from many, many sources. At the top there's always Azure AD, which has many types of logs: the audit logs, showing what's actually happening in the system, the sign-in logs, and several others you can see if you look in the portal. Then the Azure subscription itself has an activity log, which lets me see things being created or modified at the ARM level, the Azure Resource Manager level. Then the resources themselves have different types of output: a lot of them have metrics, which by default go to the Azure Monitor time-series database, and many also have logs, but logs do not exist by default; you have to configure a destination before they get collected. Beyond that there are things inside the operating system, things inside applications, operating systems on premises, insight capabilities; a whole bunch of things I can turn on.

The key point for all these sources is that there are different places I can send the data. One option is a Log Analytics workspace: I can keep data there for up to two years, and it's not just storage; it has the whole Kusto query language, so I can run queries against it, and many solutions sit on top of it to add value. I can also send to an Event Hub, which is publish-subscribe; that's really useful if I have, say, a third-party SIEM I want to feed, or I want to trigger something else. I could even have an Azure Function hanging off it, maybe via Event Grid in the middle: hey, when this thing is created, run this serverless piece. Or I can send to a storage account, which is cheap retention; it's not very useful to do anything with, but when I send to a storage account I pick a retention, i.e. how many days of those files it keeps. The way I configure all of this is diagnostic settings: for nearly every resource I can configure where to send the data and how long to keep it.

If we jump over really quick and pick a resource, say SQL, it has diagnostic settings; I add one, and there are all these different categories of logs I can send, plus the metrics, and I choose the destinations: a Log Analytics workspace (and which one), a storage account (and then I pick a number of days, which is the retention for the storage account only; Log Analytics is not asking me that, it has its own retention configuration up to that two-year maximum), an Event Hub, and for some resources now even partner solutions, which typically hook in via Event Hub. For nearly every resource type you'll see those same options: Azure AD's sign-in logs have export data settings with the same destinations, and the subscription's activity log has diagnostic settings too. So the key point: Log Analytics when I want rich analysis and solutions built on top, with that two-year maximum, paying for the data ingested and the data stored.
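As a taste of that Kusto query language, here's a minimal sketch using the azure-monitor-query package; the workspace id and the SigninLogs table are assumptions about what you've routed into the workspace:

```python
from datetime import timedelta

from azure.identity import DefaultAzureCredential
from azure.monitor.query import LogsQueryClient

client = LogsQueryClient(DefaultAzureCredential())

# KQL: sign-in failures per hour over the last day (table assumed present).
query = """
SigninLogs
| where ResultType != 0
| summarize failures = count() by bin(TimeGenerated, 1h)
| order by TimeGenerated asc
"""

response = client.query_workspace(
    "<workspace-id>", query, timespan=timedelta(days=1)
)
for table in response.tables:
    for row in table.rows:
        print(row)
```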
If I want to send data to some third-party system or trigger something, I'll use Event Hub; if I want to store it as cheaply as possible for long-term retention, a storage account is good for that.

Another thing I can do is create alert rules. Alert rules can trigger off a number of things: the activity log, metrics, and logs and metrics from Log Analytics as well, so I can look for a certain value being reached or a certain type of log appearing, and in those cases raise an alert. (You can see the board is slowing down and not catching up anymore, so I'm going to start a new board shortly.) Alerts can then fire something called action groups: either I specify an action group as part of the alert rule, or I separate them with action rules and say "if an alert fires at this scope, call this action group". Action groups can do a ton of things: send an SMS, an email, call an API, call a function; a huge set of responses. If we jump over to Monitor we see alerts and alert rules, with all these things to trigger off: the activity log, service health (which feeds into the activity log), App Insights (which comes from Log Analytics). Then there are the action groups, with notifications and a whole bunch of actions to perform. And as I mentioned, with action rules I can also do suppression: normally this alert would fire, but maybe it's Christmas and I don't care if the system goes down, so I set a suppression rule for those times and don't get alerted.

Realize that some things have their own solutions and notification methods; it varies. Azure AD Connect, for example, has Azure AD Connect Health, which has its own notifications: I can specify users to be notified if there are sync errors. So some products have their own mechanisms, but those are the key elements to understand. No rocket science here: it's really about identity; governance, where policy is a huge part, setting the right levels and getting the right structure; and monitoring, which is all about the signals, metrics and logs, and where to send them. Log Analytics for rich analysis (solutions like Azure Sentinel sit on top of it), Event Hub if I just want to feed another SIEM, and then the various types of rules I can fire.
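Before leaving monitoring, here's roughly the ARM-style shape of a metric alert rule wired to an action group; everything here (the scope, thresholds, and action group id) is illustrative, not a definitive schema:

```python
# Rough shape of a metric alert: evaluate VM CPU every minute over a
# 5-minute window, and invoke an action group when it crosses 80%.
metric_alert = {
    "location": "global",
    "properties": {
        "severity": 2,
        "enabled": True,
        "scopes": [
            "/subscriptions/<sub>/resourceGroups/<rg>"
            "/providers/Microsoft.Compute/virtualMachines/<vm>"
        ],
        "evaluationFrequency": "PT1M",  # how often to check
        "windowSize": "PT5M",           # window the aggregation covers
        "criteria": {
            "odata.type": "Microsoft.Azure.Monitor.SingleResourceMultipleMetricCriteria",
            "allOf": [{
                "name": "HighCpu",
                "metricName": "Percentage CPU",
                "operator": "GreaterThan",
                "threshold": 80,
                "timeAggregation": "Average",
            }],
        },
        # The action group decides what happens: email, SMS, function, API...
        "actions": [{
            "actionGroupId": "/subscriptions/<sub>/resourceGroups/<rg>"
                             "/providers/microsoft.insights/actionGroups/<ag>"
        }],
    },
}
```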
So now let's start a new board and talk about designing business continuity solutions. When I think about business continuity and disaster recovery (something we'll come back to with the Well-Architected Framework, which goes into a lot of detail on this), a key point is to understand all of the components in your solution: my VMs, my load balancer, is it using something on premises, and if so, what is my connection to on-premises? Think through all the different levels, and then think about where things are stored, where they run, and what resiliency options I can enable.

Let's talk about regions. We always think of a region as a two-millisecond latency envelope, but the reality is a region is comprised of physical data centers; I'll draw three buildings, each full of racks of servers. Failure can happen at an individual node in a rack, or at the rack level: a top-of-rack switch, a power supply unit. So the first unit of resiliency is that racks can be thought of as fault domains: fault domain 0, 1, 2. We leverage that with availability sets: if I create an availability set, the workloads I add to it get distributed over typically three racks, so VM1 goes here, VM2 there, VM3 there, VM4 back on the first, VM5 on the second. It also separates them across nodes, which helps for updates: alongside fault domains (typically three) you'll see update domains, used when rolling out changes, which can number between five and twenty. Never mix workloads in one availability set, because the distribution is random: if I mix domain controllers, IIS servers and SQL servers in the same set, through sheer bad luck all the DCs might land on one rack, or all the SQL, or all the IIS. So create an availability set for each unique workload, each unique website, each unique database cluster. With availability sets I survive a node or rack-level failure, but if a data center fails, I still lose all of it.

Some regions go further: those individual buildings are ensured to have independent power, cooling and communications, i.e. networking, and they get exposed as availability zones. You'll only ever see three: availability zones 1, 2 and 3. They are not buildings labeled 1, 2 and 3; they're logical per subscription, so my subscription's AZ1 could be another subscription's AZ3; there's no consistency between subscriptions. Now when I deploy my resources, if VM1 goes in one zone, VM2 in another, and VM3 in a third, I have resiliency at the data-center level. So if you see a question like "I want to deploy my app so it can survive a data center failure", that's availability zones. It's not magical: I still have to deploy at least three instances, one in each AZ; a single instance in one availability zone doesn't help me. Some services offer something called zone redundant: if I pick that option, the service's instances are automatically distributed over the three AZs. Things like a standard load balancer can be zone redundant, and on a storage account I can pick zone-redundant storage, where the three copies of the data sit in the three availability zones. I may also see an option called zonal: with zonal, I pick which AZ it goes in.
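As a toy illustration of that fault-domain spreading (the real placement is done by the Azure fabric, not by you):

```python
# Toy model of how an availability set spreads instances over fault
# domains: round-robin across (typically) three racks.
FAULT_DOMAINS = 3

def fault_domain(instance_index: int) -> int:
    """Rack (fault domain) a given instance lands on, round-robin."""
    return instance_index % FAULT_DOMAINS

for vm in range(5):
    print(f"vm{vm + 1} -> fault domain {fault_domain(vm)}")
# vm1->0, vm2->1, vm3->2, vm4->0, vm5->1: lose one rack, lose at most
# roughly a third of the instances of that one workload.
```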
So I might deploy it to AZ3, but to be useful I'd want three instances of that zonal solution: one in AZ3, one in AZ2, one in AZ1. If a deployment is just regional, you have no clue where it is; you don't know which building it's in, and it's not going to be resilient to any particular data center failure. When thinking about data resiliency options, always remember that services sit on top of each other: Azure Data Lake Storage sits on top of blob, and blob has zone-redundant storage, so Azure Data Lake Storage Gen2 has that same zone-redundant option available. And make sure you have equal resiliency in all components of your architecture. It gives me no benefit to deploy my virtual machine scale set zone redundant across AZ1, 2 and 3, fantastic, and then stick it behind a basic load balancer, or behind a standard load balancer that's zonal: if that zone goes down, I still can't get to my service. I want equal levels of resiliency for my entire solution from the ground up, or it's not going to get me anything.

Within a region, replication is typically synchronous, because the latency is super low. The other resiliency option is obviously another region, region two, which again has its own sets of buildings. Between regions the replication is nearly always asynchronous, especially with good architecture: I want the regions hundreds of miles apart (if you use the Azure built-in pairings, they are hundreds of miles apart), so there's some latency, 10 to 20 milliseconds, and synchronous replication would slow down the operations actually happening. So it's asynchronous replication, and it's another way to survive a data center failure if I can't use the zone-redundant option: run the solution across multiple regions. A lot of services have that kind of geo-redundancy built in: Azure SQL Database has options for read replicas in other locations; storage accounts have GRS, or GZRS, which combines geo and zone redundancy; Azure Database for PostgreSQL and for MySQL single server have replica options too. So there's a ton I can do there.

If it's just a regular virtual machine, with an operating system and my application inside, we have different options. One is that Azure itself does the replication, using something like Azure Site Recovery: ASR uses the mobility service at the OS level, sitting between the file system and the volume driver, and as changes come down it sends them over. Or the app could do the replication for me: if the application is a database, it can replicate at the app level. That would mean an OS has to be running at the target (and remember, I pay for things that are running), but it typically gives a faster failover: an app that's already running and receiving transactions as it replicates will come online faster than "I replicated the storage to a disk, now I have to create a VM, start it, and it boots into some crash-consistent state". So app-level replication generally gives a richer, nicer failover.
But it's going to cost me more money, and there's always that balance against the actual requirement; when we get to the Well-Architected Framework at the end we'll talk about recovery point objectives and recovery time objectives and how that trade-off works.

As soon as I introduce that second region, there's a new challenge. Within a region there are solutions to balance between multiple instances: at layer 4, TCP/UDP, a standard load balancer; at layer 7, something like App Gateway. But those run within a region, so they're no good for balancing to another region: if the region goes down, they're down as well. The whole point is that I typically have another copy of the stack in the second region running the same workload, and both are regional, so I need something global to balance between them. If it's layer 7, I can use Azure Front Door (I've got deep-dive videos on all of these). Front Door sits on the Azure backbone network with points of presence all over, and it does multiple things: split TCP, so my TCP and SSL sessions get established with the nearby point of presence; multiple backend targets, typically pointing at the App Gateways (since they're layer 7 as well), sending users to whichever is closer; content caching; SSL offload; a whole set of rich capabilities. If it isn't layer 7, I can't use Front Door, and another option is a DNS-based solution: Traffic Manager. A Traffic Manager profile has a name, name.trafficmanager.net, which you can hide with an alias of your own name, and it basically just points to different DNS names, for example a standard load balancer exposed to the internet. There are different balancing options for both Traffic Manager and Azure Front Door, and performance is a very common one: redirect people to whatever is closest, for the lowest latency and best overall performance. Match your global solution to your regional one: if it's layer 7 and I've got App Gateways, I'll put Azure Front Door in front of them; if it's layer 4 with a standard load balancer, Traffic Manager is probably the right choice. That gives users a single entry point, with balancing and redirection if one region goes down.

Remember that replication is never a replacement for backup. There are also many different backup services for different types of workloads, and when you think about backup, don't actually think about the backup, which sounds weird; think about what you might want to restore. Do I want to restore everything? A database? A certain item? How much data can I afford to lose? That drives the frequency of the backups. Azure Backup is the native solution: it can back up things in Azure, and it can back up things from on premises into Azure.
From on premises that's done using the Azure Recovery Services agent, and it can integrate with Data Protection Manager and the Azure Backup Server, so I really can back up on-prem workloads into my Azure vault. In Azure I can back up VMs, file shares, SQL Server in IaaS VMs, and SAP HANA in IaaS VMs. Azure Backup runs in two modes, and note there are actually different vault types: you'll see backup vaults and recovery services vaults. Sometimes it copies the content into the vault: take a disk snapshot, copy it into the vault, and maybe also keep disk snapshots locally so I can do a really quick restore for a limited time. For other things it doesn't copy anything to the vault at all; it acts as an orchestrator, because copying into a vault that's just in the same region anyway isn't always logical. If it's a blob storage account, why copy the blobs to a vault when I could just use blob snapshots? What I do want is to say "only keep this many, take them at this time", and Azure Backup orchestrates those snapshots of my blob storage account or my Azure file share.

We can go and see some of this. If I look at a storage account, there's actually a really rich set of data protection options now: notice I've turned on operational backup with Azure Backup, so it's not copying the data to the vault. And with blob it's not even snapshots, because we have this whole capability of point-in-time restore, with versioning, soft delete for blobs and containers, and a change feed; with those turned on I can roll back to any previous point in time I want, and Azure Backup has simply configured those settings for me based on my requirements. Azure Files is the same kind of thing: if I look at my file share's snapshots, there are all these snapshots created by Azure Backup (I created some manually a long time ago), and it's now keeping a couple of months of them, taken at the same time every single day. Azure Backup isn't storing them; it's orchestrating the solution. Then in my recovery services vault I have policies: for an Azure file share, the policy can retain a daily for a certain amount of time, plus a weekly, a monthly, a yearly; a lot of granularity in what I can do. For a virtual machine the policy does some nice things: it uses disk snapshots to capture the state, and it still integrates with the Volume Shadow Copy Service running in Windows, or can freeze the file system on Linux.
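Those Azure Files snapshots that Azure Backup orchestrates are ordinary share snapshots; here's a minimal sketch of taking one directly with the SDK (the connection string and share name are illustrative):

```python
from azure.storage.fileshare import ShareClient

# Azure Backup orchestrates share snapshots rather than copying data into
# a vault; this is the same underlying operation, performed directly.
share = ShareClient.from_connection_string(
    "<connection-string>", share_name="myshare"
)
snapshot = share.create_snapshot()  # point-in-time, read-only view of the share
print(snapshot["snapshot"])         # timestamp token used to address this snapshot
```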
But notice what I've configured here: keep those snapshots two days locally with the disk, in addition to copying them to the vault. What that lets me do, if there's a problem, is restore from the local snapshot instead of having to copy the data back over from the vault, which is super, super fast. Remember as well that, just like replicating at the app level, if I back up at the VM level, what do we understand? The VM, and maybe files and folders; it has zero clue what a database is. So if I want the granularity to restore a database, I probably need to do a backup within the guest, and then my restore granularity is that database; for things like SQL in IaaS virtual machines and SAP HANA in IaaS virtual machines there's a rich integration for exactly that. Also, if the backup data is stored in the vault, I can use GRS to make it available across regions, and often I can also do a cross-region restore, so the data is available should the region fail. So that's a quick, high-level view of business continuity; we'll come back to some of this when we talk about the Well-Architected Framework. Let's jump to a new whiteboard. Okay, the next part is design data solutions, and I have a whole study cram for the DP-900 that covers a lot of similar content, so I'd recommend going to look at that; it's in the playlist for this AZ-305. When I think about data, there are really three buckets we ever think about. There's data we consider structured: think of databases, where my data is organized into rows and columns and there's a schema describing the attributes in a table and their format. The next type is semi-structured: this could be documents; commonly you might think of something like a JSON document, or XML, or even HTML. They're self-describing: they do have a structure, but it's not predefined; there's no schema, the data just describes itself. And then we have unstructured: documents, media, just something I need to store, and blob is a very common type of solution for that. Starting with unstructured and building upwards, there are various services in Azure for this, but the key one to start with is the storage account. A storage account is a key building block for many things in Azure; many other, richer services actually sit on top of one (a managed disk, fundamentally, is using a storage account), and it exposes a number of different services. First there's blob, a binary large object. Within blob we have block blobs, made up of blocks; page blobs, made up of pages, which are very good for random read/write anywhere in the file; and append blobs, where I just keep adding, commonly to the end. Then there's files: Azure Files was built predominantly around SMB, but it now gives you an NFS option as well. And there's queues, a very simple first-in-first-out solution within the storage account. So those are the types of data I can have inside a storage account.
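As a quick illustration of one of those blob types, here's a minimal sketch of an append blob, which only ever grows at the end (a natural fit for logging). It assumes azure-storage-blob is installed, the same hypothetical connection-string variable as before, and that a container named "logs" already exists:

```python
import os
from azure.storage.blob import BlobServiceClient

service = BlobServiceClient.from_connection_string(
    os.environ["AZURE_STORAGE_CONNECTION_STRING"]
)
log_blob = service.get_blob_client(container="logs", blob="app.log")

# Create the append blob once, then keep appending blocks to the end.
log_blob.create_append_blob()
log_blob.append_block(b"first log line\n")
log_blob.append_block(b"second log line\n")
```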
A storage account also has attributes of its own. It has a type, which determines the objects supported. The common one you'll see most of the time is Standard with general purpose v2, which supports all the different types of data we might want and has things like tiering: hot, cool, archive for blob, or transaction optimized, hot, cool for files. There is a general purpose v1, but I can't really think of a reason to use it today, so if you ever see general purpose v1 as the answer to a problem, you can probably eliminate it right from the start. Then we have Premium. Premium accounts are tied to a certain type of service; the primary ones you'll deal with are block blobs and file shares (there's also a page blob option). What premium gives us is very high performance and generally lower latency, but as we'll see, these account types don't all have the same options available. For example, if I go to create a storage account, I obviously have to give it a subscription, a resource group like any other resource, a name that has to be globally unique across all of Azure, and a region, but then there's this performance choice of standard or premium. If I pick standard, it doesn't even ask me the type; it doesn't offer general purpose v1, it just assumes general purpose v2. If I pick premium, I then pick the type: block blobs, file shares, or page blobs. But notice what happens to the redundancy options as soon as I pick premium: for one type it's just LRS, and for the others it's LRS and ZRS. There is no GRS, so with premium I can never have a geo-redundant storage account. That's the important thing to remember: yes, premium gives me the best performance, but it limits some of my other options. So accounts have a type, they're deployed to a region, and they have replication options that vary with the type. Now, before we go any further: how many storage accounts might you need in your architecture? Think about those attributes. If there are different sets of requirements, maybe one requirement is the highest-performance, lowest-latency solution that's resilient to a data center failure in the region; okay, I can use premium with ZRS. If another requirement is the ability to tier data plus geo-redundancy, then I know I'm looking at general purpose v2, because that gives me replication options like GRS. The replication options we talk about are always within the same geopolitical boundary; it's not going to replicate data across a data sovereignty line you might have (except Brazil South, which today replicates to South Central US). There's encryption at the storage account level, so if I need different encryption keys I might want different storage accounts, although there are now encryption scopes for blob, where I can use different keys for different sets of data. So: different isolation requirements, different replication requirements, maybe features that are incompatible with each other — those are all reasons I might end up with multiple storage accounts.
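If you'd rather see those attributes as code than portal blades, here's a hedged sketch of creating a general purpose v2 account with the management SDK, assuming azure-mgmt-storage and azure-identity are installed; the subscription ID, resource group, and account name are all hypothetical placeholders:

```python
from azure.identity import DefaultAzureCredential
from azure.mgmt.storage import StorageManagementClient

client = StorageManagementClient(DefaultAzureCredential(), "<subscription-id>")

poller = client.storage_accounts.begin_create(
    "my-rg",
    "mygpv2account",  # must be globally unique, 3-24 lowercase alphanumerics
    {
        "location": "eastus2",
        "kind": "StorageV2",               # general purpose v2
        "sku": {"name": "Standard_GZRS"},  # zone redundant locally, plus geo replication
    },
)
account = poller.result()
print(account.primary_endpoints.blob)
```

Note how the redundancy is just part of the SKU name; swapping in a premium SKU like Premium_LRS would also force a different kind, which is exactly the coupling of type and replication options described above.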
Now, when I think about resiliency — I drew replication here — there are different options. The base level is LRS, locally redundant storage: there are always three copies of the data, but within one storage cluster, i.e. within one particular building. With ZRS there are still three copies, but now distributed over three different data centers, so I have resiliency from a data center failure. Then I can think about a second region: with GRS I have the three copies, and it replicates to have another three copies over there. And there are combinations, like GZRS, where the three copies are distributed across availability zones here, and then there are three copies in a particular data center in the paired region. Sometimes you'll see an RA variant, RA-GRS or RA-GZRS: that means for some of the services, for example blob, I can read the copy in the paired region but I can't write to it; it's a read-only copy, so I get read access to it. That does not work for Azure Files, so no RA variant for Azure Files. So we have the different resiliency options. Once again, if the requirement is "I need to survive a data center failure," that means ZRS; or if ZRS is not an option, maybe it's GRS. Maybe they say availability zones are not available in this region — what's another way to survive? GRS: I'm still surviving a data center failure, because I've got three copies going somewhere else as well. That's another way to solve the same problem. Now, coming back to the features, there are some key things. Blobs go in containers, and it's a flat structure; there are no real folders. If I want folders, there's the hierarchical namespace I can turn on, which is Azure Data Lake Storage Gen2; then I have true folders and can do true moves without it being a rename and copy of every file. The account type varies the features available. If the type is standard — and this is a key point for blob — I have access tiers. Premium is a different kind of account, and there's no tiering in premium: if I picked premium block blob, it's just premium. But if I pick standard, I have hot, cool, and archive, so true tiering is available, and there's lifecycle management, a native feature that can automatically move data between tiers, for example when it hasn't been modified or accessed for a certain amount of time. A key point here: archive is actually offline. I have to rehydrate the data back into cool or hot to be able to read and access it, but it's the cheapest option. Why would we have these tiers? Dollars. What do we typically pay for? Capacity, but also transactions. (Premium, I don't think, charges you for transactions at all, but I pay more for the capacity.) With hot I pay the most for capacity but the least for transactions; with archive I pay the least for capacity but the most for access, since I have to move it back. So there's this balance. If it's data I'm constantly interacting with, hot makes the most sense. If I have to keep data for seven years — and listen for key phrases like "you must keep this data for seven years and you can wait up to a day to access it" — that's going to be archive. If I have to keep data for a prolonged period but need immediate access, what's the cheapest way to store it? That would be cool.
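Tier moves are a per-blob operation, and this minimal sketch shows the call, assuming azure-storage-blob is installed, the same hypothetical connection string as earlier, and an existing blob named here purely for illustration:

```python
import os
from azure.storage.blob import BlobServiceClient

service = BlobServiceClient.from_connection_string(
    os.environ["AZURE_STORAGE_CONNECTION_STRING"]
)
blob = service.get_blob_client(container="reports", blob="fy2020.csv")

blob.set_standard_blob_tier("Cool")     # cheaper capacity, pricier transactions
blob.set_standard_blob_tier("Archive")  # cheapest capacity, but now offline:
                                        # it must rehydrate to Cool/Hot before reads
```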
Cool is still available instantly, and you can see how those costs balance out if we look for a second at the pricing page. Notice premium is around 15 cents per gigabyte, way more than hot, which is way more than cool, which is way more than archive; archive is a tiny fraction of a penny per gigabyte. So for colder tiers I pay a lot less for the storage, but if we go and look at the operations: for premium some are free, and the actual interactions are really cheap; they get a bit more expensive for hot, a lot more expensive for cool, and for archive read operations there's a big price, because there's a whole data-retrieval charge to bring it back, and it costs more to do anything against it. So we have that balance of what the right tier is for what I actually need. SLAs vary by these options as well, so go and check into those. That's really the point of the tiers (and notice encryption scopes there too, which I mentioned, if I want different encryption keys at the blob level): I have different requirements. Need to access it really frequently? Hot would be good. Need the lowest possible latency and highest performance, and don't need geo-redundancy? Okay, I'll use premium. You're going to balance those things. Blob also has locking options, so you'll hear a lot about the idea of "immutable." Immutable is proof that I'm not changing the data in any way. On blob I can do legal holds — nobody can change or delete this until I take off the legal hold — or there are time-based holds: got to keep this for 60 days, or a year, or something like that. So that lets me stop those kinds of changes. For getting data into blob, there are obviously tools to copy it over the network, like Azure Storage Explorer and AzCopy. Offline, there's Azure Import/Export, where we ship BitLocker-encrypted disks back and forth, and there's Azure Data Box, a big appliance: they ship us the appliance, we copy the data onto it, ship it back, and they put it in the storage account. So there are different options for getting that data in. Azure Files, once again, has a premium option for the lowest latency and highest performance. Azure Files is typically all about SMB, although there is that newer NFS 4.1 option as well, which has to integrate with a virtual network, locked down with a service endpoint or private endpoint (we'll talk about those constructs in a second). With SMB I can do ACLs; for example, I can integrate it with Active Directory Domain Services — that's regular Active Directory, not Azure AD. My storage account gets joined, in a way: it gets a Kerberos object in my AD, so it can validate tokens and I get granular ACLs. Or it can integrate with Azure AD Domain Services, but that's a lot more work and really not that pleasant.
Then there's something called Azure File Sync, which is really nice: I have my Azure file share in the cloud, but maybe I also have existing file shares on premises (and this could actually be for migration purposes). Azure File Sync will replicate between them; there's only ever one cloud endpoint, the Azure file share, in a sync group. I could use it to migrate data — I want to move this to an Azure file share, so I set up Azure File Sync — or I want to keep the on-prem shares and use the cloud share as the key synchronization and failover point. What's nice is that Azure File Sync keeps the ACLs, so if I've done that Active Directory Domain Services integration, those ACLs are enforced even when I access the Azure file share directly. Another nice feature is tiering: I can say, if the local server gets to 80% capacity, take the least-used content and store it only in the Azure file share, leaving a stub behind so it looks like it's still there, and it's pulled down dynamically if someone actually tries to access it. Azure Files has tiers as well: there's that premium option again, and then — there's no offline archive — there's something called transaction optimized, so the tiers are transaction optimized, hot, and cool, with that same trade-off of capacity cost versus transaction cost. We can see that super quick on the pricing page: premium, transaction optimized, hot, and cool. For storage, premium costs more than transaction optimized, which costs more than hot, which costs more than cool; for transactions, premium charges nothing, transaction optimized charges less than hot, and hot less than cool. So it's always that balance: what is my requirement, what do I need to have, and then I pick the most efficient option for me. Azure is all about consumption — it's the cloud — so pick the right option and only pay for what you actually need. That's the driver when you're architecting, and you'll see it for everything we do, be it compute or storage or network: there are always options, so which one meets the requirements, where a requirement generally also includes optimizing spend? Whenever a question shows multiple solutions that all look good, ask which one costs less; as an architect I want to do the right thing for my customer, and that's typically the one we pick. Also, still on files, SMB and NFS: there's Azure NetApp Files as well — NetApp filers running in Azure data centers, provided as a native Azure service. Azure NetApp Files is generally the solution when I need a higher level of performance; it goes beyond even premium Azure Files. Or maybe I'm used to NetApp today, used to the NetApp management, or I want to replicate from a NetApp filer on-prem; Azure NetApp Files would be a good option for that. Now, beyond blob, files, and queues, there's actually something else that lives on top of a storage account, though you don't see the storage account. If you've ever created virtual machines or AKS clusters or other things, you've seen the idea of a managed disk. A managed disk actually is a page blob. When I create a managed disk — a first-party Azure Resource Manager resource with RBAC and snapshots and all that wonderful stuff — what it's actually doing is creating a storage account and a page blob; it just hides that from me.
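If you've only ever clicked through the portal, here's roughly what creating a managed disk looks like via the management SDK — a hedged sketch assuming azure-mgmt-compute and azure-identity are installed, with placeholder subscription, resource group, and disk names:

```python
from azure.identity import DefaultAzureCredential
from azure.mgmt.compute import ComputeManagementClient

compute = ComputeManagementClient(DefaultAzureCredential(), "<subscription-id>")

poller = compute.disks.begin_create_or_update(
    "my-rg",
    "data-disk-1",
    {
        "location": "eastus2",
        "sku": {"name": "Premium_LRS"},              # premium SSD
        "disk_size_gb": 128,                         # a P10-sized disk
        "creation_data": {"create_option": "Empty"},
    },
)
disk = poller.result()
# The capacity you picked implies a baseline performance:
print(disk.disk_iops_read_write, disk.disk_m_bps_read_write)
```

Notice there's no storage account anywhere in that call; the page blob plumbing is entirely hidden.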
In the old days we had to manually manage the storage accounts and create the page blobs ourselves, and we had to worry about the limits of the page blob and the limits of the storage account; put too many page blobs in one storage account and we'd hit the storage account limits. It was horrible. Managed disks basically abstract all of that away. Now, there are different types of managed disk: standard hard disk drive, standard SSD, premium SSD, and then Ultra Disk (I always joke the next one will be called the "super-duper really fast disk"). As you would expect, they offer different capabilities: the performance gets better as we go up the list, but the cost goes up too. For most of these, as the capacity goes up, so does the performance; they're tied together. So the disk size I pick could be based on the capacity I need, or it might actually be based on the performance I need — I get a bigger disk than my data needs because I need more IOPS or throughput. Ultra Disk is different: it has three dials — capacity, IOPS, and throughput — and you can change them dynamically: while the disk is in use I can increase the IOPS because I've got some batch job running, then decrease it when I don't need it anymore. Premium SSD actually lets me change the performance of my disk separately from the capacity: I pay as if it were the bigger capacity, but it means I don't have to grow and shrink the disk. If I jump over here and look at disks for a second (these are all page blobs hidden away, I just can't see them) and look at the premium disks, notice the IOPS and throughput go up as the disk gets bigger, but I can change the performance tier. That won't make the disk bigger, but it gives me the performance as if it were a bigger disk, and I pay for that bigger number. You might say, why on earth would I ever want that? Well, I can increase the size of disks in Azure, but I can't shrink them. If I need higher performance for a certain duration, I don't want to make the disk bigger, because then I'm stuck; with premium managed disks I can raise the performance tier, run at that high performance, then bring it back down. There are certain time limits around that — something like having to leave it 12 hours between changes. Also, standard SSDs and premium SSDs have bursting. If we look at the pricing details for the smaller disks, like the P1 and P2, notice the bursting numbers in brackets for throughput and IOPS: the disk can burst up to a bigger number for up to 30 minutes (it documents that right there). This is credit-based bursting — the idea of accruing credit — and for the smaller disks, P20 and below, that bursting is free. For the bigger disks it's called on-demand bursting: I have to turn that on and pay for it, but then I can go to much higher numbers — you see figures like 30,000 IOPS — and I pay for that, so it's different from the free credit-based bucket; for bigger disks I have to pay. Standard SSD also has bursting for the smaller disks but not the bigger ones, standard hard disk drives don't burst at all, and with Ultra Disk the key point is that you pay separately for capacity, IOPS, and throughput. So we have those different options depending on what we actually need to do; that's a key point.
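On that performance-tier point, here's a hedged sketch of raising the tier of the hypothetical P10 disk from the earlier example for a heavy batch window and then dropping it back, reusing the same management client setup (the tier names and the exact update semantics, such as minimum-duration rules, should be verified against current docs):

```python
from azure.identity import DefaultAzureCredential
from azure.mgmt.compute import ComputeManagementClient

compute = ComputeManagementClient(DefaultAzureCredential(), "<subscription-id>")

# Run the 128 GB disk at P40-level performance; capacity stays 128 GB,
# but billing is at the P40 rate while the tier is raised.
compute.disks.begin_update("my-rg", "data-disk-1", {"tier": "P40"}).result()

# ...heavy batch job runs here...

# Revert to the tier that matches the actual capacity.
compute.disks.begin_update("my-rg", "data-disk-1", {"tier": "P10"}).result()
```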
Now, the storage account is encrypted, and I can always pick: is it a Microsoft-managed key, or do I bring my own key? If I bring my own key, it gets stored in Azure Key Vault. Both storage accounts and managed disks now have the option of pointing at a key rather than a specific version of a key, so if I create a new version of the key to rotate it, that's automatically detected and applied. For managed disks, that encryption at rest is either Microsoft-managed, or I create a disk encryption set that brings my own key from Azure Key Vault. So there's encryption at rest for the storage account and the disk; there's also host-level encryption I can turn on, so the temporary files and cache the host creates are encrypted; and within the operating system I can do Azure Disk Encryption, which for Windows uses BitLocker and for Linux uses dm-crypt, so the data is encrypted inside the OS as well. I have all these options available depending on what I actually need. The final thing to bring together on storage is security — that's a huge part — and there are different levels. There's security in terms of access paths: firewalls on the services to restrict who can talk to them, integrations with networks like service endpoints to restrict access to certain subnets, and private endpoints, which can be used from a virtual network or anything connected to it (I'll talk more about that later). Then, beyond access, there are the rights at the data level: how can I access this data? There's an access key on a storage account — two of them, in fact. The whole idea of having two is rotation: I could be using one, rotate the other, switch to using it, then rotate the first; there's always one key I can be using. But those are all-powerful master keys: do not use them. There are even options now to disable them. If I go and look at a storage account, under Configuration there's an option called "Allow storage account key access," and I can disable it — I can say I don't want anyone using those all-powerful account keys. You do have to be a little careful, though, because access keys are one mechanism, and another thing I can do is create a shared access signature. There are two types: an account SAS, where I specify access to multiple types of service, like files and queues, and a service SAS, which is specific to a certain service. They can be time-limited, restricted to certain types of operations, and restricted to certain IPs — but they're signed by the access key, so if I disable the use of access keys, I can't use a shared access signature either. You just have to be careful of that.
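Here's a minimal sketch of generating a read-only, time-limited service SAS for a single blob, assuming azure-storage-blob is installed and a hypothetical STORAGE_ACCOUNT_KEY environment variable holds one of those two account keys; it also makes the dependency obvious — the token is signed with the account key, which is exactly why disabling key access breaks key-signed SAS tokens:

```python
import os
from datetime import datetime, timedelta, timezone
from azure.storage.blob import generate_blob_sas, BlobSasPermissions

sas = generate_blob_sas(
    account_name="mygpv2account",             # hypothetical account
    container_name="reports",
    blob_name="fy2020.csv",
    account_key=os.environ["STORAGE_ACCOUNT_KEY"],
    permission=BlobSasPermissions(read=True),                 # read-only
    expiry=datetime.now(timezone.utc) + timedelta(hours=1),   # time-limited
)
url = f"https://mygpv2account.blob.core.windows.net/reports/fy2020.csv?{sas}"
print(url)
```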
As we saw earlier with access control, there's also now role-based access control for the data plane: we have data actions for many types of service, like the queues and the blobs we saw, so that's the other option for controlling access. For data in transit, another option right there is requiring secure transfer, so HTTPS has to be used, and if I'm using Azure Files it's going to require SMB 3 with its encryption option. So that's a huge focus, all about the unstructured data. Now let's switch gears — again, this is a review — to structured data. There are multiple solutions in Azure for structured data, and the big one we always focus on is obviously SQL Server: SQL-based databases, and there are different flavors available. The first one is Azure SQL Database. This is pure PaaS, a managed solution; we do very, very little, it's fully managed. It supports very large databases — up to around 100 terabytes if I pick the right type — and there's even a serverless option with auto-scale. There are different service tiers, and there are really three key ones to think about (they also apply to some of the other Azure SQL flavors we're going to see). First, there's general purpose. This is built around the idea that there's one active node connected to the storage holding the database files, and a pool of spare nodes sitting around as capacity in Azure. If my node fails, one of those spares says "okay, I'll connect to that storage now" and re-offers my database. There's a certain amount of downtime in that failover while it attaches to the storage and so on. Then there's business critical. Rather than those spares that grab the storage as needed, we have the node connecting to its own high-performance managed disk, and we have multiple nodes forming a ring: there's still a primary, but there are secondaries, which I can make read-accessible, and they're really forming an Always On availability group. So I get a much faster failover if there's a problem, and better scale, because I can make those secondaries read-accessible and use them. I can even make the nodes zone-redundant. There's actually a gateway layer above this as well that the initial request comes in through, and it has a similar option, so I could make the database zone-redundant and the gateway service above it would be zone-redundant as well.
Then there's Hyperscale. Hyperscale is the idea that we shard the data — we separate the data out. SQL itself is not a multi-master type of service; it's single-primary, so even with Hyperscale we still have a primary compute node, and we can configure secondaries and replicas, including read-access replicas. But what it actually does is this: as data comes in, the primary writes to a log service, and then there are multiple page servers, which scale completely separately from the compute, each with its own set of storage that the data lands in. When a compute request has to perform some operation, it can distribute the request over all these shards of the data, so I get much higher performance and also a much higher level of scale, because the work is separated out over all these page servers, queried through the primary, and again I get a certain amount of resiliency by having those secondaries at the compute layer. It also has private endpoint support, so I can get an IP address in my network for that cluster. There are comparison documents, which are quite nice: they compare general purpose, Hyperscale, and business critical — the types of service supported, how the storage works between them, maximum storage size (that 100 terabytes for Hyperscale), the tiering — and they cover availability. Notice on the standard general purpose one there's just the one replica: no read scale-out (there's zone-redundant HA in preview, i.e. those spares could be scattered over zones), but that's really as good as it gets. With business critical there are three replicas, I can have a read scale-out instance, and I can get full zone redundancy; Hyperscale can have up to four read scale-out replicas. So we have those different options, and just like everything else, we pick the one that meets the requirements while staying cost-optimized. Sure, I could use business critical all the time, but it's costing me a lot more money: what is the requirement, what's the needed speed of failover, how important is this workload, what are the different SLAs attached? Understand those things so you can pick the right one. So that's Azure SQL Database. The next one is Azure SQL Managed Instance. Once again this is a PaaS offering, but it deploys into your virtual network — PaaS, but in your VNet — and it's basically better compatibility. What's happening is it's deploying SQL into virtual machines that you don't manage; it manages SQL in the VMs for you, but it behaves much more like regular SQL Server. So if I'm moving a workload from on premises to Azure SQL, it comes down to which features I need. If I'm using features like the Common Language Runtime, linked servers, Service Broker, or the SQL Server Agent, those are not going to work on Azure SQL Database — that's really built for cloud-architected, optimized solutions.
If I'm moving something from on-prem and using those types of features, then Azure SQL MI is probably the solution: it's still fully managed — I'm not patching SQL — but it has much better compatibility. I didn't really go into detail, but with Azure SQL Database you have the option of a single database or an elastic pool. An elastic pool is a set of resources I can put multiple databases into, so they can share and have a little wiggle room when one needs more or less resource; a single database has all of those resources dedicated to just that one database — guaranteed to be there for it, but with no flexing. Managed Instance has the same idea: a single instance, or an instance pool where multiple instances share the same set of resources. So MI is really all about that better compatibility; if you go look at the feature comparison document, it walks through this. If you see a question like "we're moving a database — which solution?" and the options include Azure SQL Database and Azure SQL MI, look for those key features: the ones marked "no" for Azure SQL Database and "yes" for Azure SQL Managed Instance. Some of the biggest ones I've seen are the Common Language Runtime, cross-database transactions, and the SQL Server Agent (I'll put all these links in the description below this video). Understand the differences, but really it comes down to compatibility: "we're using the SQL Server Agent" is a big one. All things being equal, I'd rather use Azure SQL Database, but with a compatibility requirement it's MI. (It used to also be because MI sat in the VNet, but with private endpoints I can still get SQL Database injected directly into the virtual network.) Of course, I still have the option of SQL Server in an IaaS virtual machine — just a regular VM — and that's obviously the highest compatibility: it's SQL Server running in a VM. But now I'm managing the whole thing: I'm patching, I'm backing up. There are features to help, though: there's the SQL Server IaaS Agent extension, and it's free. It helps track licensing, but it also gives me automated backup, automated patching, and a whole bunch more. And there's the SQL Data Migration Assistant (DMA) tool that can help me migrate on-premises SQL up to those various Azure solutions. When I think about scaling any of these, a lot of the time I can scale up — get a bigger SKU — but they don't really scale out very well, because it's a single-master model. What I can do, depending on my requirement, is scale reads out: I can add read replicas. I can do that for the premium and business critical tiers, and Azure SQL Database and Managed Instance both have automatically provisioned read replicas, so reads can go to different instances. If I have an elastic pool — remember, it's a group of resources shared by multiple databases — I also get some wiggle room in the resource each can consume, because I'm sharing with other databases: sometimes I can use more, sometimes less.
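On that read-replica point: from the application side, reads are routed to a replica via the connection string, not a different endpoint. A hedged sketch with pyodbc, assuming the ODBC Driver 18 for SQL Server is installed, read scale-out is enabled on the database, and the server, database, user, and SQL_PASSWORD environment variable are hypothetical:

```python
import os
import pyodbc

conn = pyodbc.connect(
    "DRIVER={ODBC Driver 18 for SQL Server};"
    "SERVER=myserver.database.windows.net;"   # hypothetical logical server
    "DATABASE=mydb;"
    f"UID=reporting_user;PWD={os.environ['SQL_PASSWORD']};"
    "ApplicationIntent=ReadOnly;"             # routes this session to a read replica
)
for row in conn.cursor().execute("SELECT TOP 5 name FROM sys.tables"):
    print(row.name)
```

Drop the ApplicationIntent attribute (or set it to ReadWrite) and the same code lands on the primary.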
Hyperscale obviously shards the data out, so I get huge scale that way: it automatically provisions those page servers based on capacity and performance, and I can also get read scale-out if I provision at least one secondary replica. And there are tools to shard manually — the Azure Elastic Database tools — so I could do the sharding myself. When I think about data security on these database solutions, there are different aspects to think about. A big one: what is the data? I have to classify the data itself. Is it public, confidential, restricted? There are different tools for that: there are data discovery and classification capabilities built into SQL Server, and things like Azure Purview, which will actually go and look at your data and can give me complete data lineage. Once I classify the data, I can apply different protections to it. At rest, Azure SQL Database has Transparent Data Encryption (TDE), so it's just always encrypted. In transit, once again there's encryption on the connection; Azure SQL MI runs in the VNet, and regular SQL Database can have private endpoints, so connections are restricted, and I can restrict to only those. In use, there are two different ways of thinking about it. There's hiding data from the end user — think of a social security number — with dynamic data masking: I basically write a rule that says if the data has this classification, hide all of it except the last four characters. It's not encrypted differently, but when I try to view the data without the right permissions, I see the masked version; I can't see all of it. And then there's Always Encrypted: this uses client-side encryption, so even if I'm the DBA, that data is just encrypted; as the DBA admin, there's nothing I can do about it. There are other types of SQL solutions, like Azure SQL Edge, which is really optimized for the Internet of Things. IoT is all about chips in everything, and they tend to generate huge streams of information — a sensor, for example — so the whole point of Azure SQL Edge is that it's very lightweight; by lightweight I mean less than a 500-megabyte memory footprint. It's built for those constant streams of data: there's a streaming engine to stream data in locally, and then some separate business logic process can do the analysis, maybe machine learning solutions. There are two versions: a developer option, around four cores and 32 gigabytes of memory, and the regular production version at eight cores and 64 gigabytes. It can run in a connected mode, where it's pulled down from the marketplace, or a disconnected mode, where I go grab a Docker image; it's a Linux containerized version of SQL. And that brings us, finally, to the semi-structured data: typically documents — JSON, XML, whatever that might be. There's a very easy, basic option in the Azure storage account: there's a fourth type of data, so alongside blobs, queues, and files, there are tables.
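Since "very simple key/value store" is easiest to see in code, here's a minimal sketch using the azure-data-tables package (assumed installed) with the same hypothetical connection string as earlier; every entity is addressed by PartitionKey plus RowKey, and everything else is just loose properties with no schema:

```python
import os
from azure.data.tables import TableServiceClient

service = TableServiceClient.from_connection_string(
    os.environ["AZURE_STORAGE_CONNECTION_STRING"]
)
table = service.create_table_if_not_exists("devices")

# PartitionKey + RowKey uniquely identify the entity -- that's the "key"
# in this key/value store.
table.upsert_entity({
    "PartitionKey": "building-7",
    "RowKey": "sensor-42",
    "temperature": 21.5,
    "status": "ok",
})
```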
Tables give me that very simple key/value type of store; table storage is fantastic for that, but it's very, very basic. If I just have a very simple requirement, it may meet it. The bigger, richer solution is Cosmos DB. This was a born-in-the-cloud database, and it has things like multi-region support: I can say I want this available in multiple regions. To support the multiple regions, it has different consistency models, and I pick the one I need: from strong consistency, through session consistency, all the way to eventual. So I could design, say, an active-active solution where eventual consistency is good enough; I just need it consistent at a particular location within a session — maybe it's a shopping cart or something — and as long as it eventually becomes consistent in the other regions, that's good enough. It has a Table API, so it's compatible with regular table storage. There's provisioned throughput, where I get a certain number of request units and get throttled if I go past them, and there's an auto-scale provisioning capability, where I pay a little more but the request units go up to some maximum I specify for what I need. A key point is that it supports various APIs and types of storage. The obvious one is documents, those JSON documents I talked about: from an API perspective I might be using the SQL (Core) API or the MongoDB API when working with document-type data. Then there's Cassandra for columnar data, where the data is stored by column, which is very efficient if that's how I want to interact with it; there's the Table-type API for the key/values; and there's Gremlin for graph — the relationships between nodes and so on. There's a Cosmos DB data migration tool to migrate data into Cosmos from other types of solutions. So I have all these different options, and while I've focused on SQL DB, there are also Azure Database for PostgreSQL, Azure Database for MySQL, Azure Database for MariaDB, and a managed Cassandra offering now — all these different types of database service available in the environment.
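To show the document side of Cosmos DB, here's a minimal sketch using the azure-cosmos package (assumed installed); the account URL, key variable, database, container, and partitioning on the user ID are all hypothetical and assumed to exist already:

```python
import os
from azure.cosmos import CosmosClient

client = CosmosClient(
    "https://myaccount.documents.azure.com:443/",  # hypothetical account
    credential=os.environ["COSMOS_KEY"],
)
carts = client.get_database_client("shop").get_container_client("carts")

# A self-describing JSON document -- no schema has to exist up front,
# which is exactly the semi-structured idea.
carts.upsert_item({
    "id": "cart-1001",
    "userId": "user-42",
    "items": [{"sku": "widget", "qty": 3}],
})
```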
Now, when I have all these different types of data services — and often we're not making data out of thin air; there's data somewhere already — I have data sources, I need to do something to the data, and I need to get it to some kind of sink, some end storage service: it could be a SQL database, it could be a SQL data warehouse like Synapse, it could be Cosmos DB. I need something to drive that process through, and that's Azure Data Factory. Data Factory does a number of different things. It's an extract-transform-load (ETL) solution — I get the data out of somewhere, change it in some way, and then load it into something else — and sometimes you'll see ELT instead: extract it, load it somewhere, then transform it. It's a data integration solution, but the big deal is that it's an orchestrator; that orchestration is the key power of this. I can have all these different sources (there are ninety-plus built-in connectors) and a whole number of sinks it can talk to. What I do is create a pipeline, and the pipeline uses integration runtimes. There are Azure-hosted integration runtimes, obviously hosted in Azure, that integrate with Azure-based services, and there are basic data transformations I can do natively in Data Factory itself. But there are also self-hosted integration runtimes: imagine I have a data source on-prem and need to feed it into Azure Data Factory, and I don't want to open up a firewall port so Azure can talk to my on-prem. I'd run a self-hosted integration runtime on premises, which feeds the data in and executes the actions given to it by the orchestrator, and that can then feed into the other things — it might hook into Azure Databricks, it might hook into Hadoop, transform the data, and then send it to whatever the target service is. So a pipeline is just a set of activities that perform a task: an activity to ingest the data, an activity to transform the data — using Databricks (which is Apache Spark), HDInsight, Azure Functions, whatever I want, plus those little native transformations. This brings the complete story together: I get the data in from somewhere — a CRM system, for example, or multiple systems — maybe load it straight into a data lake (I'll talk about that in a second), then transform it into a structure, a format, useful for analysis, using Databricks or HDInsight and MapReduce-style functions, and store it into maybe a SQL database or something else I can actually do something with. So if the question is "I want to get data from somewhere, put it somewhere else, and do this transformation," it's probably Azure Data Factory. Now, I mentioned the data lake. In the old days, when storage was really expensive and scarce, we would extract the data and transform it straight away down to a much smaller amount, keeping only what we needed for the analysis, because storing everything was really expensive. That's really not the case anymore. Now we might want to store the data almost straight away in its native, raw format: the data lake. The benefit of the data lake is that if I'm not 100% sure what I might want to do with the data in the future, I can store it in the lake as soon as it's read in, transform it however I want now, and if in the future there's a new set of analysis I need, I can go back to the raw data in the lake and transform it a different way to get different insights out of that data. This is ADLS, Azure Data Lake Storage Gen2, and it is absolutely built on top of blob. What it adds is that hierarchical namespace, so I have true folders, plus things like POSIX-style ACLs, and it supports Hadoop HDFS-style interactions.
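The hierarchical namespace is easiest to appreciate in code. A hedged sketch with the azure-storage-file-datalake package (assumed installed), the same hypothetical connection string, and a filesystem named "raw" assumed to exist:

```python
import os
from azure.storage.filedatalake import DataLakeServiceClient

service = DataLakeServiceClient.from_connection_string(
    os.environ["AZURE_STORAGE_CONNECTION_STRING"]
)
fs = service.get_file_system_client("raw")

# With the hierarchical namespace these are true directories...
landing = fs.create_directory("landing/2024-06")

# ...so a move is a single atomic rename of the directory, not a
# copy-and-delete of every blob underneath it. The new name is given
# as "<filesystem>/<path>".
landing.rename_directory(new_name="raw/processed/2024-06")
```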
I mentioned Databricks: Azure Databricks is a managed offering of Databricks, which is built on Apache Spark. I can use SQL, Java, Python; it's really for big data processing and analytics, so if I need to perform a job like that — called from a Data Factory pipeline or directly — Databricks is fantastic. There's also Azure Synapse Analytics. Synapse is really a set of other solutions brought together, including from a UI perspective: it uses Azure Data Factory-style pipelines, it has its own Apache Spark capability for data processing (the Synapse Spark pool), it has Synapse SQL pools in dedicated and serverless offerings, it has Synapse Link so it can go and talk to Cosmos DB, and it has its own IDE. In terms of regular data ingestion, you might hear the idea of hot, warm, and cold paths, for the different types of data coming into my system. With a warm path, there's data coming in that I need information about pretty quickly, so I can get some insight out of it: as data flows through, in near real time, I want to do something with it and store it — maybe into a SQL database or Cosmos DB — and Azure Stream Analytics would be good for that. A cold path is historical data: I want to analyze past data, and I might also need to merge it with the warm path, which Azure Data Factory would be fantastic for. And a hot path is real-time analysis: it could be very latency-sensitive — maybe it's looking at sensors and detecting a failure of some kind that I need to act on instantly. I mentioned Azure Stream Analytics: it's fully managed, billed based on the compute it consumes, and designed for exactly that scenario where I have, say, sensors — it could be IoT — streaming in data. Stream Analytics takes that data in and does the event processing on the stream so I can actually get insights out of it, and it can then send the results to blob, to SQL, to Cosmos DB, to Azure Synapse Analytics for data warehousing; it could send them to Power BI for data visualization, or trigger an Azure Function for some serverless compute. It's all about performing something on that constant stream of data coming in. So that's the data solutions part: these different types of data — again, what are the requirements, and if there are multiple solutions, what's the right way to solve it in the most cost-optimal way that meets those requirements? That's the key point there. So the last main module, before the Well-Architected Framework brings a lot of these things together, is designing infrastructure solutions in Azure. There's a huge range of compute solutions available, and the best way to think about choosing one is responsibility: is it my responsibility as the customer, or Azure's responsibility as the provider of the service? We always draw this idea of layers: there's the network, there's storage, there are the servers themselves — the compute — there's some type of virtualization, a hypervisor, and then there's the operating system running inside whatever that construct is. We might say a virtual machine, but even things like AKS and App Services build on virtual machines. Above the operating system there might be a runtime like .NET or Java EE, some middleware solution.
Then there's the actual app and the data: the things we really care about at the end of the day, because that's what brings business value and differentiates us from someone else. For an on-premises solution, who's responsible for those components? Me. I am responsible for every single component (I might have different teams in my company, but it's me). As we start to move to the cloud, we often start with infrastructure as a service — a VM in the cloud — and a delineation line appears. For IaaS, the provider of the service is responsible for the physical fabric and the hypervisor; what I get is a VM in the cloud, so I'm responsible for the operating system, the runtimes, the app — all of those things. I don't have to worry about the physical fabric anymore. I get the most flexibility up at that level, but I have the most responsibility. (Even with virtual machines, as we'll see, there are things to help me: there are extensions, there are agents that do parts of that job, but I'm responsible for turning the right things on.) Then we move into platform as a service. With PaaS, that line moves all the way up: the only part I'm responsible for is my app and my data. The cloud provider is responsible for all the other layers; there are still VMs under there — it doesn't magically run on thin air most of the time — but I'm not responsible for them. Someone else is managing the operating system, patching it, securing it; that is not my problem. I just focus on the app and data that drive the business value. Then there's software as a service, where I don't do anything: I'm not installing SharePoint or Exchange — Office 365 would be a good example of that. Those are the responsibility shifts we basically see. Now, Azure has a whole bunch of different compute solutions we can draw into this picture, and when I'm thinking about which one to use, most of the time we want to do as little work as possible: if there's something that can do the job for me, I want to use that. On the Azure architecture center there's a decision tree, and it really boils down to: am I migrating, or am I building new? If I'm migrating: is it lift and shift, can it be containerized? I'm probably going to end up with a VM, or maybe Azure App Service if it's a basic website, for example. If I'm building new: do I require full control? Then use a VM. If not, is it a high-performance computing workload? Use Azure Batch. Is it a microservice, event-driven with short-lived processes, i.e. serverless? Azure Functions. Do I need full-fledged orchestration for my container environment? If not, I can use ACI; if yes, there are different options for that rich containerized environment — it could be AKS, it could be Azure Service Fabric. The tree walks through how to think about picking those. So we have different compute options available, and I'm going to start with the most basic one. At the most fundamental level there's the virtual machine: really the building block of infrastructure as a service. Even with virtual machines — and we'll talk about this in the next module — I have to remember it's a consumption-based service.
I pay from the second it's provisioned; it's deployed to a particular host, and there's a huge number of different sizes available based on the "shape" of my virtual machine. By shape, what we really mean is the ratios: there's memory, CPU, storage performance, network performance, and there's a whole bunch of VM families built around different ratios of CPU to memory. With compute optimized, a typical ratio is 1:2 — for every one vCPU I get two gigs of memory. General purpose is a bit more balanced: 1:4. Memory optimized, as you'd expect, is 1:8. Along with that, things like the amount of temporary storage and other performance attributes change as well: the bigger the VM, the bigger the other attributes typically grow. So we need to understand the load to pick the right type of virtual machine (we'll go into detail on that when we think about optimization). So we have virtual machines. Then there are things like Batch: Batch is just a pool of compute resources, built on virtual machines, for large-scale parallel workloads and high-performance computing. I create a job — and that job might use thousands of virtual machines, Windows or Linux — I configure the app to be used as part of it, and I run the job, which consists of those various tasks. There are also virtual machine scale sets. A scale set is built on virtual machines, but now I'm saying: I've just got N instances of this particular resource — this website, this processing tier, whatever — and it goes and creates the virtual machines. It can auto-scale based on a schedule or some trigger like a metric threshold being crossed, and it deletes them again, create-delete-create-delete, as my demand varies, which is the key point of the cloud: it's consumption-based, and I want the allocation to match the demand of the actual app. So scale sets will create and delete the VMs, including the storage, and I'm optimizing cost as I go along.
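Since so much of this comes down to picking the right size and shape, here's a minimal sketch that lists the sizes offered in a region along with their vCPU-to-memory ratio, assuming azure-mgmt-compute and azure-identity are installed and a placeholder subscription ID:

```python
from azure.identity import DefaultAzureCredential
from azure.mgmt.compute import ComputeManagementClient

compute = ComputeManagementClient(DefaultAzureCredential(), "<subscription-id>")

# Print the vCPU:memory "shape" of every size offered in the region.
for size in compute.virtual_machine_sizes.list(location="eastus2"):
    gib = size.memory_in_mb / 1024
    ratio = gib / size.number_of_cores
    print(f"{size.name}: {size.number_of_cores} vCPU, {gib:.0f} GiB (1:{ratio:.0f})")
```

Run against a real subscription you'd see the 1:2, 1:4, and 1:8 families fall out of the output.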
Then there are App Services; I'd draw App Service further up the stack. App Services are great for HTTP-based workloads: a web application, a RESTful API, a mobile back end. I can use a variety of languages and runtimes, on Windows or Linux. There are different SKUs with different features and different scale capabilities: some have auto-scale, some have deployment slots, so I could have a production slot and a pre-production slot where I warm up the code — they share the same set of resources in the same App Service plan, but it lets me switch over quite nicely. They can be highly available, I can deploy to them via pipelines, and they have their own built-in authentication capabilities where I can hook in something like an OpenID Connect solution. So web apps are fantastic for those basic ASP.NET, Java, Node.js type apps; there are WebJobs, which just run some background program or script; and there are mobile apps — the back end for an iOS or Android app — with built-in capabilities to help with things like push notifications. Then we have Azure Container Instances: I have a container workload, I don't need a full orchestrator, I don't need auto-scaling, I just have a couple of containers I want to push out super simply. Maybe a couple of them need to talk to each other, so I can create this concept of a container group: a container group contains multiple container instances, which can then talk to each other and share Azure Files for persistent storage. It's per-second billing, with various SKUs, Windows or Linux, different sizes, but it's a very simple "here's this image, deploy it." Then you get Azure Kubernetes Service, a fully managed Kubernetes environment: the full, rich orchestration, deployment YAML, different types of networking and policy. The control plane is fully managed for me; I have the nodes that actually run the pods, and a pod contains a particular container instance. So if I need a full, rich Kubernetes environment, AKS is a great option, because I don't really have to worry about running Kubernetes itself. With AKS I get auto-scale at two levels: scaling the pods — the instances of some microservice — with the horizontal pod autoscaler, based on some metric of the pod, and scaling the actual nodes running the pods with the cluster autoscaler. That's driven by the scheduler's ability to place pods: if it's trying to scale out but the nodes are full, the scheduler says "I'm trying to schedule this pod and I can't," so we go and add another node that can run pods — and that's built on virtual machine scale sets, so you see the commonality. Then we get into serverless. With all of the above, I'm still paying for some back-end workload, some VM size running for a certain duration. What I might want instead is to pay only for the CPU cycles I'm actually using when something is triggered: a triggered, event-driven solution. One option here is Azure Functions. They're generally short-lived, though I can have stateful Durable Functions, which can trigger things, fan out, wait for some kind of interaction. I can run Functions on a pure consumption plan, where I just pay for the resources I use, or run them inside an App Service plan and use its resources, or have a dedicated set of resources. But it's triggered, it's event-driven: a REST call, a blob being created, Event Grid (which we'll talk about) calling a function when it sees something. I have a trigger, and I can bind to other inputs and bind to outputs — there's a whole number of different bindings it can do. There are also Logic Apps. With Functions I'm writing code; Logic Apps are more the idea of a nice graphical designer: based on this happening, drag a little box, call this, then call this. This might be easier if we just go and look at one: if I open one of my Logic Apps in the designer, notice it's this little graph. I'm not writing code, I'm just dragging in the things I want to do.
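To contrast that with the code side, here's what the Functions trigger idea looks like as code: a minimal HTTP-triggered function sketch using the newer v2 Python programming model (assuming the azure-functions package and the Functions runtime; the route and function name are hypothetical):

```python
import azure.functions as func

app = func.FunctionApp(http_auth_level=func.AuthLevel.ANONYMOUS)

# The decorator declares the trigger; the platform only charges (on the
# consumption plan) when a request actually fires it.
@app.route(route="hello")
def hello(req: func.HttpRequest) -> func.HttpResponse:
    name = req.params.get("name", "world")
    return func.HttpResponse(f"hello {name}")
```

The same function body could instead be bound to a blob-created event or a queue message just by swapping the trigger declaration, which is the whole binding idea.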
there's also logic apps so where for functions i'm writing code logic apps give me a nice graphical designer hey based on this happening we'll drag a little box and create this now call this then call this and this might be easier if we just go and look at one of these so if i quickly look at my logic apps if i go to my logic apps designer we notice it's this little graph i'm not writing code i'm just dragging the things i want to do but there are templates and here hey look when a message is received on a service bus queue when a tweet is posted so there's all these different things i can do and it's showing me the different connectors a huge number of connectors are available so in this nice little graphical view of things i can trigger these things to actually run so there are other services there are other things available to me but those are some of the key ones we typically focus on now when i think about my application architecture i might have a mixture of these things the point is we try and go as far upwards as we can if there's a saas solution available i'm going to use that if i can use serverless i'm going to use that again meet the requirement in the most cost optimal way serverless is generally going to be the most cost optimal way and i move kind of down as i need to a vm gives me the most flexibility but also the most work and responsibility involved ideally i want to focus on the data and the app that provides business value i don't want to be managing virtual machines if i can avoid it so we try and get as far up there as we actually can now most modern application architecture is about moving away from this big monolithic thing this one block of code that had very tight couplings between different functions to the whole idea of these more distributed loosely coupled microservices things that have a certain very specific function but obviously they still have to be able to communicate and call each other now to do that very loose coupling there's different ways we can do it the ultimate decoupling is maybe i have an event or a message to trigger between them so i have the idea of an event or the idea of a message and absolutely i could use a combination of these so when i think about an event an event is a lightweight notification something is generating an event it's maybe a notification of a state change something has happened i.e. your blob file got created it doesn't contain the blob itself it just lets you know hey your blob file got created and there's maybe no expectation of what's going to happen with it there could be multiple subscribers the publisher has no expectation of what's going to really happen next that's different from a message with a message it contains the actual data and the publisher of that message has an expectation that the consumer of that message is going to do something there's some expected next step that's actually going to happen
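a tiny sketch of that distinction with purely illustrative field names the event is a thin reference to something that happened while the message carries the payload itself:

```python
from dataclasses import dataclass, field

@dataclass
class BlobCreatedEvent:
    # lightweight notification: a reference to what happened, not the data
    event_type: str = "Microsoft.Storage.BlobCreated"
    subject: str = "/container/invoices/inv-42.pdf"  # go fetch it if you care

@dataclass
class OrderMessage:
    # a message carries the actual data, and the publisher expects
    # the consumer to act on it (e.g. bill the order)
    order_id: str = "42"
    items: list = field(default_factory=list)
    total: float = 0.0
```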
now if i think about solutions for events we have event hub so event hub is about large-scale real-time data ingestion remember for monitoring we could use event hub i.e. something could publish the events to the event hub and then multiple things could subscribe to it this could be data streamed in it's a pull model so something is publishing to the event hub and then something else subscribes and pulls those events off it doesn't delete them so they could be read by something else so this is the whole idea of hey i have this event hub then there's also event grid now event grid is really focused on the idea that i have something generating events lots of things can generate events so there's this idea of a source of the event and i want something to actually respond to it so i have the whole idea of handlers this could be azure functions something that is event driven now in the past a lot of the way these had to work was a hammering poll hey have you done something have you done something have you done something i don't want to do that so event grid sits in the middle the whole point of event grid is it understands a whole bunch of different types of things that can generate events then i can register the handlers with event grid so event grid does the work of seeing the event and then calling the handler now there's a huge number of different things this can actually work with so if we look at the documentation for a second notice this idea of the event sources blob resource group subscriptions so hey something gets created iot hub maps i mean there's a whole bunch of these and then it can have event handlers typically serverless azure functions logic apps service bus event hub so realize i said they could work together event grid might then trigger pushing it to event hub because then maybe something else is going to do something with that it could call azure automation so you have this really great capability now regardless of what is generating that event almost anything that is event driven can actually be on the other side of that for a messaging solution remember the storage account well we had the idea of those azure queues that is a very very simple basic solution it's a simple first in first out that's really what that is going to give me a richer solution is the azure service bus now the azure service bus can actually run in different ways there's an enterprise tier it has basic queues if i do just want that regular first in first out which is kind of a one-to-one expectation but it also has the idea of topics so with topics i can have subscribers to that topic and what it will actually do is create a copy of the message for each of the subscribers so they can then go and read it and perform some action on it so that's a nice capability we can actually hook in and do something with that
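here's a minimal in-memory sketch (not the service bus sdk) of what that topic behavior looks like every subscription gets its own queue and a published message lands on all of them:

```python
from collections import defaultdict, deque

class Topic:
    def __init__(self):
        # one independent queue per subscription
        self.subscriptions = defaultdict(deque)

    def subscribe(self, name):
        self.subscriptions[name]  # touching the key creates the queue

    def publish(self, message):
        for queue in self.subscriptions.values():
            queue.append(message)  # every subscriber gets the message

    def receive(self, name):
        return self.subscriptions[name].popleft()

topic = Topic()
topic.subscribe("billing")
topic.subscribe("audit")
topic.publish({"order_id": "42"})
print(topic.receive("billing"))  # {'order_id': '42'}
print(topic.receive("audit"))    # same message, delivered independently
```

contrast that with a basic queue where one consumer taking the message means nobody else sees it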
there's also caching solutions it might be that the back-end data store for whatever i'm doing is not as quick as we need so we have to cache there are in-memory caches redis is a very popular in-memory cache and there's azure cache for redis a managed offering of that it could cache things for stores like azure sql database or cosmos db i could use it as a content cache for static content i could use it as a data cache session storage basic queuing there's a whole bunch of different things i can do with that in-memory cache but it can act as that buffer for some other type of storage now some of the things we might be offering up here is an api and when i think about an api i may not want to just directly offer that out to whatever that end consumer is i might have multiple apis being offered from my service so in my environment i might have a whole bunch of different things that provide an api and a whole bunch of different consumers that want to consume those apis well what i can put in the middle of these is azure api management so azure api management provides a point that i can offer out and then it will redirect to whatever is actually providing that api it has the ability to hook into its own kind of authentication schemes so a good example here is maybe i want to bring in something that doesn't integrate with azure ad it has its own authentication or authorization like oauth 2 i can actually integrate this with a third-party oauth 2 system it's secure it has its own kind of encryption it's providing that gateway that security for me so it gives me a lot of those nice capabilities to actually provide those services outside to other people so i have my compute i have how they talk to each other in terms of maybe a rest api or something else but what about from a networking perspective so the next big area we have is the network itself and if you know me you know networking is probably my favorite thing networking and identity they're my favorite things so i have the idea of a virtual network remember a virtual network is one or more ipv4 cidr ranges and optionally i can have ipv6 as well so i can have multiple of those a cidr range would be like the 10.0.0.0 something so i have a certain cidr range for this virtual network a key rule is you never overlap those cidr ranges so be it another virtual network that i want to be able to connect it to be it a network on premises that i might want to be able to connect it to they have to use different cidr ranges this would be a different range that does not overlap in any way because if they overlap i can't route it breaks things so if you ever see questions about picking subnets make sure they're not overlapping so if this is a certain ip range and this is a certain ip range and you have to pick an ip range for this make sure it doesn't overlap remember we break our virtual networks down into subnets and a subnet is a portion of that ip range any subnet we create we always lose five ip addresses remember it's the all zeroes for the network the all ones for the broadcast then one for the gateway and two for dns purposes you always lose five so think about the sizing of them it's very common to do a slash 24 because it's just easy for our brains so if you have a certain number of vms or resources you want to run in a subnet work out how many and then you can work out what the subnet mask should be if it's a /24 it's roughly 250 resources i can run in that thing if i'm doing gateways like an expressroute or a site-to-site vpn the minimum size is a slash 29 but they generally recommend a slash 27 because you may want to run expressroute and a site-to-site vpn together so it has to be a slash 27.
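the stdlib ipaddress module makes both of those rules easy to sanity-check the five reserved addresses per subnet and the no-overlap rule the ranges below are just example values:

```python
import ipaddress

vnet = ipaddress.ip_network("10.0.0.0/16")
subnet = ipaddress.ip_network("10.0.1.0/24")
gateway_subnet = ipaddress.ip_network("10.0.255.224/27")

# azure reserves 5 addresses in every subnet (network, broadcast,
# gateway, and two for dns), so usable = total - 5
print(subnet.num_addresses - 5)          # 251 usable in a /24
print(gateway_subnet.num_addresses - 5)  # 27 usable in a /27

# cidr ranges must never overlap if the networks are ever connected
on_prem = ipaddress.ip_network("192.168.0.0/16")
print(vnet.overlaps(on_prem))  # False - safe to peer or vpn together
print(vnet.overlaps(ipaddress.ip_network("10.0.128.0/17")))  # True - bad pick
```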
so for a gateway subnet generally you want a slash 27 but the minimum could be a slash 29 so you're going to think about those in terms of that for connections we have options remember so one option could be a site-to-site vpn so it's going over the internet or i can have a private connection and that's expressroute so expressroute private peering is a private connection from your network to the azure backbone and then private peering lets me map it to a particular virtual network via a gateway i could have expressroute and site-to-site vpn where the site-to-site vpn would act as the failover for the expressroute expressroute is not encrypted because it's a private connection so if you needed it encrypted end-to-end i could actually run the site-to-site vpn over the expressroute private peering so that is an option if i have to do that it's very common if i have multiple vnets what i can do is peer them that can be in the same region or i can do cross-region peering so now they can directly talk i'm using again that azure backbone capability i could also have features like hey use remote gateways and allow gateway transit so these spoke vnets can basically use the connectivity of that main hub virtual network and be able to travel across that site-to-site vpn or that expressroute private peering if i want to segregate and limit the communications well to limit things we can do network security groups a network security group remember is a series of rules generally based around the source ip and port destination ip and port protocol and do i allow it or not and then i can link the nsg to particular subnets where it would then enforce the flow of communication so i can use an nsg i could also use something like azure firewall and or third-party network virtual appliances to control traffic if i did something like an azure firewall obviously i have to make sure traffic flows through it the way i can make traffic change from the default routes is i can create user defined routes so a user-defined route says hey when i'm going to this particular ip range this is now my next hop instead of the default so my next hop would actually be for example the azure firewall so i could say hey when you want to go somewhere you're now going to hop via the azure firewall and that controls the flow so user defined routes let me alter the flow of traffic to go via something else
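nsg rules are evaluated in priority order lowest number first and the first match wins ending with a default deny for inbound traffic here's a small sketch of that evaluation logic with made-up rules:

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    priority: int   # lower number is evaluated first
    source: str     # source cidr
    dest_port: int
    allow: bool

def evaluate(rules, src_ip, dest_port):
    # nsg-style: walk rules by ascending priority, first match wins
    for rule in sorted(rules, key=lambda r: r.priority):
        if (ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.source)
                and rule.dest_port == dest_port):
            return rule.allow
    return False  # standing in for the default DenyAllInbound rule

rules = [
    Rule(100, "10.0.1.0/24", 443, allow=True),  # app subnet may reach https
    Rule(200, "0.0.0.0/0", 3389, allow=False),  # rdp from anywhere: denied
]
print(evaluate(rules, "10.0.1.5", 443))      # True
print(evaluate(rules, "203.0.113.9", 3389))  # False
```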
if i want to control access to services we talked before about the idea of service endpoints and private endpoints if i had a storage account or it could be a sql database just giving an example and i want to control which resources can talk to it remember storage accounts and sql have their own kind of firewalls but a virtual network is typically rfc 1918 i.e. a non-internet-routable ip space what i can do is turn on something called a service endpoint at a subnet level for a particular service and i can even do that for a particular region what that lets me now do is on an instance of that storage type on its firewall i could actually say hey subnet 2 i'm going to let through so a service endpoint does two things it gives me an optimal route to the service and it lets me restrict access so only that subnet or things in that subnet are able to talk to it but it's only things in the subnet it does not apply to other things on the vnet or on premises it doesn't work that way my other option to control access to services would actually be hey let's say i've got a different storage account storage account two this time we'll create a private endpoint so a private endpoint is just an ip address from that subnet and it points to a particular instance of a service and it bypasses any firewall so i could completely block that from its public ip now and only let it be accessed via that private endpoint ip and because this is an ip address from this ip range well i could now get to it from peered vnets i could get to it even from on premises it's just an ip address there are some special dns requirements because it has to be able to resolve the public name to that private ip in azure i can use azure private dns zones if i was on premises i'd maybe have to create the private link zones for the particular service or have it forward to a dns forwarder that can talk to azure dns to manage that for me if i have virtual machines and i want to be able to rdp or ssh to them never just open it up to the internet there's a service called azure bastion azure bastion provides a managed jump box so through the portal i can connect to my instances in the vnet of the bastion or peered vnets or even now on-premises ones as well if i want to control access remember that conditional access we talked about well azure bastion is via the portal and the portal is controlled by that microsoft azure management app so i could lock it down through there and there's azure virtual wan which is basically a managed hub i don't manage gateways or peer things anymore it provides a black box managed solution so i don't have to care about those things anymore and i guess the final part of all of this would really be migration now when i think about migration the key point here is i have to understand what we have and there's an element of what do we want what is our corporate direction so i need to know where i'm coming from i need to understand where i want to go because then i can drive what should be my desired architecture because getting from what we have to what we want well that's our migration so i have to have quality knowledge about what we have from what we have well what are the dependencies what is the usage what are the peaks the troughs the seasonality i need to know all of those things what are the slas required what are the ha and dr requirements i need to understand all of those things so i can architect the right solution now there's a whole cloud adoption framework that has multiple steps i have a whole video again it's linked in the playlist for this az305 study about this there are steps what is my strategy my planning getting ready migrating innovating and then obviously governing and managing the actual resources but i think there are four key types of actual migration there's rehost rehost is the simplest you can think lift and shift rehost is hey it's running as this i'm going to stick it in iaas virtual machines there might be some minimal modifications but really i'm taking what it is now and just running it in the cloud then we have refactor refactor again is i'm not changing the app code but maybe i can move it from a sql server running in an iaas vm or postgres running in a vm to azure sql database or sql managed instance or maybe azure database for mysql or mariadb or postgresql so i'm moving up the stack maybe i can even move it to an app service or run it in a container not changing the app code i'm just refactoring how i'm running the thing there might be re-architect i am doing some code changes maybe i'm
now modifying the app and moving to microservices so i can use more cloud native types of service and then we actually have rebuild i'm starting from scratch i'm looking at my requirements i'm designing it for cloud native solutions managed databases azure functions all of those great things now this is going to give us the best most cloud-native solution but it's the most work when i talk about what we have and what we want remember what we want will also include things like time scales it will include how much i'm willing to spend on the migration and then there's a balance there's the cost to migrate and then the cost of running it maybe if i spend more money on the migration i'll save more money when it's running so over the years it's actually cheaper to spend a bit more and refactor or re-architect yes the cheapest option is to just rehost but overall it's going to cost me more money (there's a worked example of that balance just after this section) there are lots of different tools so there's the azure migrate solution this is the overall solution that can do assessment it can help you with the planning it can help you with the migration across a whole bunch of different workloads vms databases web apps putting things in containers i talked about the data migration assistant for sql and there's the azure database migration service that can migrate to different types of database like sql and cosmos db and azure database for mysql and azure database for postgresql both online and offline there's a cosmos db data migration tool when i'm trying to understand the dependencies between components there are things like service map service map goes and looks at what are the network communication calls between different components and then can work out well based on this port this protocol that's a sql database or it's using active directory it can go and work out those dependencies for you so as i plan my migration i don't forget something oh i forgot about that bit well now that's traveling over an expressroute link with 30 milliseconds latency i wonder why my application is now so poor that's a key point in my architecture and we'll talk about this in a second with the well architected framework latency is huge when i talk about migrating things i can't generally leave one part on-prem and move the other part to the cloud because suddenly i'm moving from sub-millisecond latency between components to 30 milliseconds or 40 milliseconds and it's a sad day for everyone so those are some of the key points we identify what's the right type of service we want based on meeting the requirements with ideally the least amount of responsibility for us as the customer the different types of service and events hey an event is a lightweight notification that doesn't contain the data but maybe a reference hey there's an event a blob was created here's the blob name then i could go and grab it whereas a message is the actual data we think about securing from a networking perspective and the types of interactions we can have and obviously that migration as well
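as referenced above a quick worked example of the migrate-versus-run balance with entirely hypothetical numbers the pricier refactor loses early on but wins over a multi-year horizon:

```python
# hypothetical costs purely for illustration
rehost   = {"migration": 10_000, "monthly_run": 4_000}
refactor = {"migration": 60_000, "monthly_run": 2_500}

def total_cost(option, months):
    return option["migration"] + option["monthly_run"] * months

for months in (6, 12, 36):
    print(months, total_cost(rehost, months), total_cost(refactor, months))
# 6  -> 34,000 vs 75,000   (rehost wins early)
# 12 -> 58,000 vs 90,000
# 36 -> 154,000 vs 150,000 (refactor is cheaper past ~33 months)
```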
now for this final part we're going to talk about the well architected framework this is not one of the components in the set of skills measured but it is a huge part of the learning path that's actually part of the az305 site because what we've talked about so far are really different components of our architecture what the technologies are and what the capabilities are but from an architecture perspective there are really some key pillars that i always have to think about that drive which components i might pick and how i put them together and those really apply across everything so the whole point of the well architected framework and this is not rocket science is it's just a way to think about what are those considerations i'm bearing in mind as i architect my solution that gets me the best overall architecture so there are five pillars to this now the first pillar let's do this in green is all about cost optimization now when i think of cost optimization well azure is consumption based i want to make sure the resources i have are the right ones and the right number based on the load i have coming in that's really my key consideration for this so we can always think about well we have a certain amount of resource and i want to make it match whatever my demand is whatever the load on the system is i don't want a whole bunch of spare capacity available just wasting money so a key tenet is i want to eliminate waste now remember that elimination of waste could be in terms of the number of instances i have the size maybe the tier so again whenever you're seeing these questions about which solution or which number or which size think about what's the one that actually meets the requirement now ordinarily on premises we think a lot about buying some asset and depreciating it over a certain amount of time so there's this whole idea of capital expenditure capex in the cloud well it's operational expense opex we're not buying some piece of equipment we pay for the services as we use them now a huge benefit of this consumption nature of the cloud is i can respond to many different types of scenario i can have these unexpected peaks i can have fast growth i can have this on-off type pattern there's a whole number of scenarios i can react to because i only pay for what i'm using now to make these things work to architect in the right way i always need insight now that insight into my resource comes from many different places we talked about monitoring all that monitoring those metrics gives us a key insight it could be logs as well certain types of events say hey we're running out of something and maybe i feed that into that log analytics workspace and then i can run insights on top of that to get ideas about what i actually need so when i think about insights to architect the right solution remember those insights are in terms of what are my business requirements what are my technical requirements i need to understand those things and i need to understand once it's up and running well how is it running i need to always be able to answer those questions to help me architect the right solution and then make sure it's as efficient as it possibly can be i talked about virtual machines and i showed you the page where there's compute optimized and memory optimized and general purpose there are special ones with great storage and gpus what it really boils down to though if i'm trying to eliminate waste and make that resource match the actual demand there's a certain shape i'll try and stick to green here and i've got a whole video again that's in the playlist that talks about this but there's a shape to my work and i want to make the shape of my resource match the shape of my work in terms of dimensions dimensions of cpu dimensions of memory dimensions of storage iops and throughput and i've run out of room but there are other
dimensions obviously network would be one of these as well maybe i have special purpose requirements like gpus like really high performance networking adapters but i want to make sure i pick the right sku so the right sku equals the right shape it has the right ratios of cpu to memory to storage to match the load coming in so if i monitor my workload with those insights and i see well the cpu is running at 80 percent but the memory is running at 20 percent there's probably a better sku that has a better ratio of cpu to memory that matches my actual need so the right sku is the right shape and i want to make sure i have the right size because again skus kind of scale up linearly so once i've got the shape right i want to make sure i have the right size of it bearing in mind i probably want n instances i generally don't want one really big instance i want multiple instances so i can create and delete them as the actual demand fluctuates so i want to be able to auto scale the number of instances i have to match what's actually happening that auto scale is a key point when i think about optimization and eliminating waste in addition to getting the right sku the right size i want to make sure i'm stopping i'm de-allocating maybe even deleting when it's not required if i have these n instances i'll make sure i'm actually de-allocating them so i'm not paying that compute charge anymore when i don't actually need it that's a key point now if i just de-allocate a vm remember that vm also has a disk hanging off of it unless i'm using ephemeral os disks which use that temporary or cache area of the host instead of a managed disk and that disk is still costing me money whereas if i actually delete them which things like vm scale sets let me do it deletes all of that so i'm not even paying for that anymore so this is where great features like virtual machine scale sets can help and remember what we saw in the list of compute is that aks sits on top of vmss to give me those capabilities so de-allocate is great but i'd still be paying for the disk whereas with delete the disk goes away as well so right sizing is really important but it's more than just the vm remember as we talked about on the storage side the right sku the right size maybe it's the right tier if i'm thinking about storage hot cool archive premium make sure you're picking the right things and make sure the users understand these things so they can pick the right service now when i'm trying to think about what something is actually going to cost me remember the whole point of this is i'm going to end up with some architecture so i've got this insight and what this insight is going to lead me to ultimately is an architecture for my solution so i'm going to come up with hey this is what it's going to look like in the cloud once i have the architecture and i understand the requirements and the load well i can also then understand what it's going to cost me so to work out those dollars we have the pricing calculator the pricing calculator is going to let me say these are the resources i'm going to use and then based on that it will show me the cost so i can go and put in different types of resource i've got things like virtual machines in here and remember it doesn't have to be running 24/7.
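the arithmetic matters more than it looks with auto scale only part of the fleet runs the full ~730 hours in a month so price the hours not the instance count the rates and hours below are hypothetical:

```python
hourly_rate = 0.20             # hypothetical per-vm rate in dollars

baseline_hours = 2 * 730       # two instances always on, full month
burst_hours = 4 * 160          # four extra instances, peak hours only

monthly = (baseline_hours + burst_hours) * hourly_rate
naive = 6 * 730 * hourly_rate  # pricing all six as if always on

print(monthly)  # 420.0
print(naive)    # 876.0 - more than double the real spend
```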
so when you're trying to work out the cost don't just assume oh i've got six instances running 730 hours if you have scaling then maybe some of them are running the full 730 hours and some of them are running for 20 hours you would build that in as part of that overall total solution so that really is a key point and that helps me work out what the price is going to be now how do i control that cost how do i control those dollars well obviously we have things like azure policy we talked about governance that controls what i can actually create hey i'm not going to let you create premium storage accounts in development hey you're not going to be able to use an m-series or these big vms in development so that's kind of the what and where and then i can use things like budgets budgets let me control the how much and those budgets i can apply at those same constructs we saw the management group the subscription the resource groups a budget can be based on how much you've spent so far a budget can be based on the forecast so based on where it's seeing you trending hey if it looks like the budget's going to hit 110 percent well let's do something now to try and fix that so i don't get there so insight is a key component i need to make sure i understand what is being used and to get that insight there are things like cost analysis cost analysis lets me go in and look at different levels and work out where am i spending or maybe i forgot to turn something off or oh log analytics is costing more than i realized maybe i'm keeping data longer than i actually need remember though there's also the total cost of ownership you may just look at a component and say oh it's costing me x but maybe you're saving a bunch of money somewhere else like if it's a managed database solution like azure sql database you might say oh it's costing me more than a regular vm maybe but remember what are you now responsible for what is my total responsibility so you have to consider what am i doing because it may cost a couple of dollars more but maybe what's now happening is i have a lot less responsibility so i'm saving a lot of money in other ways now another way to be very optimal is yes we pick the right sku the right shape the right size the right number of instances and again we always think ideally here about that vmss because that gives me things like auto scale that's where i have some discrete resources dedicated to me but another option is things like serverless if i can i would like something event driven hey i get charged for the resource i use be it a function or a logic app that helps me be super super efficient and sometimes i can't use those i just need to use virtual machines but even here there are things i can do to optimize my cost so yes the right sku the right size the right number of instances but what about if i have some workload that needs a bunch of resource but it's not time critical maybe it can survive being stopped because someone else needs the capacity and i'm willing to pay a lot less money well we have things like spot vms there's again a deep dive video on this with spot vms i pay a lot less but if someone comes along willing to pay for regular on-demand capacity they're going to boot me off in return i might pay a tiny fraction of what that normal resource would cost so this is a way to really save money another way is if i think about this auto scale across my entire environment i might think about well my actual resource consumption
kind of fluctuates whatever that might be but there is this base floor that i've always got always that amount of resource running and i know i'm going to need that for the foreseeable future so that's where we have things like reserved instances azure reservations and we saw that on the pricing calculator so one of the things that lets us do is hey look i can actually go and get a great big discount if i purchase a reservation there's certain flexibility in the exact types of resource like there are families so i can have different sizes within that particular sku but if i know for the next three years i need this family of resource well i can get a huge discount there are additional savings if i use things like azure hybrid benefit that's where i'm bringing my existing license to be used as part of the solution so that's something else i can do to really save money so there are lots of things i can do to help optimize my cost if i know that floor hey an ri would save me a bunch of money on that so that's cost optimization all up that's a huge component of what we do so the next pillar is all about operational excellence we'll draw another pillar and for operational excellence we'll use blue i.e. i don't want to be manually clicking a button or manually managing things where i really don't need to be i want to try and optimize that so operational excellence modern practices things like devops they're all about enabling faster development constantly delivering these small incremental units of business value and i have insight into the constant stream of what's going on so for operational excellence we can start with things like devops now i have a whole master class on devops and i recommend you go through that before this there's not a huge number of questions i would expect on this this is more about practices of what you're going to do because when i think about devops devops is all about this pipeline of continuous integration people bringing their code together from some git type version control system and i'll draw this out in a second it's about continually building it finding errors early and often and then maybe even continuously deploying it now as part of that if i want to automatically deploy things i don't want to be clicking things in the portal so one of the huge things in devops is this idea of infrastructure as code i am describing my infrastructure in a declarative way now this differs from imperative so we also have imperative imperative is where i say how to do something so imperative would be how i'm using powershell or the azure cli i'm saying hey create this storage account create it with this option and they work but the challenge is if i've run a script and now i want to change the configuration can i just change a value in the script say the storage account from grs to lrs no it'll error saying the resource already exists i'd have to use a very different command to modify it and i can't detect drift easily whereas declarative i'm saying what i want the end state to be i'm not telling it how to do it i want a storage account that's lrs i've changed my mind so now i want a storage account that's grs and i just run it again i want to validate it still matches that description i just run it again it doesn't matter
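a toy sketch of that difference modeling the cloud as a plain dict the imperative create fails on a second run while the declarative ensure converges on the desired state no matter how many times you run it:

```python
# imperative: says *how*; a second run fails because the resource exists
def create_storage_account(state, name, sku):
    if name in state:
        raise RuntimeError(f"{name} already exists")
    state[name] = {"sku": sku}

# declarative: says *what*; idempotent, so re-running converges on the goal
def ensure_storage_account(state, name, sku):
    if state.get(name) != {"sku": sku}:
        state[name] = {"sku": sku}  # create, or correct the drift

state = {}
ensure_storage_account(state, "stdata01", "Standard_LRS")
ensure_storage_account(state, "stdata01", "Standard_GRS")  # changed my mind
ensure_storage_account(state, "stdata01", "Standard_GRS")  # re-run: no-op
print(state)  # {'stdata01': {'sku': 'Standard_GRS'}}
```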
so we have things like the arm azure resource manager json templates as an example of a declarative solution azure bicep which is a lot more human friendly and third parties like terraform which has providers for different types of cloud and even on premises they are all infrastructure as code they're declarative solutions and the benefit of these things is i can go and store them in some kind of repo so i put them in a repo that gives me things like version control and that could be github it could be azure devops repos i can easily track those things and now because it's declarative i can take whatever that is maybe json or bicep and just apply it to my subscription it's idempotent so i can run it as many times as i want it's not going to damage anything and it will create my resources whatever they are i can detect drift so this ensures consistency because it's this resource that's version controlled i could deploy this to dev then prod and i know there's not going to be any differences i could have different parameter values because the names might be slightly different but i know it's going to be consistent so that's a really powerful option now i might need images maybe i can't do everything declaratively but i can still have the ability to actually build an image so i could still have things like custom images there's azure vm image builder which is actually using packer behind the scenes it will take some configuration take a marketplace image and spit out my own custom image that i store in the azure compute gallery it used to be called the shared image gallery but i can put apps in it now as well and i could deploy those images maybe reference those from some deployment so that gives me a lot of powerful flexibility and i can still then run various extensions we talked about responsibilities there are backup extensions and agents there's configuration there are run commands there are custom script extensions i can add all of those things to do other stuff as part of that actual deployment so i get a lot of flexibility there now we talked about this devops and obviously a big part of devops is that whole continuous integration the idea that hey i have a bunch of developers working on their own copy of the repo i want to constantly bring the code together to integrate it i want to find if there's any kind of clash and then i want to constantly be building it continuous delivery so it's ready to deploy and maybe even continuous deployment to actually push it out to something so i have these different options that i can build on as part of my pipeline now with that when i think about hey i'm constantly bringing these things together that could be github actions it could be azure devops pipelines they have all those abilities when i'm deploying that out there are different ways to deploy so if i'm continually integrating i'm continually delivering and then maybe i'm continuously deploying actually pushing this out there are different ways i can continuously push things i might have blue green blue green is two environments i push out the new version to the other environment warm it up get it ready and switch them over it might be i do things like canary i make it available to a small population and then expand it out as it proves okay rings is another variation on this there could be a/b testing a/b testing is where maybe via feature flags some populations get one version others get a different version and i can get insight back
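the usual trick behind canary and feature-flag rollouts is stable percentage bucketing hash a user id into one of 100 buckets so the same user always sees the same version then widen the percentage as telemetry looks good a generic sketch not any particular feature-flag product:

```python
import hashlib

def in_canary(user_id: str, percent: int) -> bool:
    # stable hash: the same user lands in the same bucket on every request
    bucket = int(hashlib.sha256(user_id.encode()).hexdigest(), 16) % 100
    return bucket < percent

# start the new version at 5% of users, then dial the number up
for user in ("alice", "bob", "carol"):
    version = "v2" if in_canary(user, 5) else "v1"
    print(user, version)
```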
remember these all fit together i get that insight back well how are people using these which do people like more so i can make a decision on what is the best thing now the whole point of these kinds of pipelines is i am testing all the way across we have things like unit testing testing some very quick isolated component do i get the right result there might be things like smoke testing a little bit more exhaustive to verify maybe certain interoperability between the components make sure it doesn't start smoking that's the idea of that there's integration testing making sure we are actually getting the full extensive interactions and output from the components there may be manual testing that's obviously the most expensive type of testing to do because now there are humans involved but then as we get to these other points there's stress testing can it handle the actual load i'm throwing at it there's fault injection things like azure chaos studio let me actually simulate certain types of faults how does it handle that and then of course i'm doing security testing am i secure have i introduced some problem into the environment and a key point is often we'll move between environments as we do this especially with continuous deployment it would maybe go dev qa production i need to make sure they're consistent they may not have to be the same in terms of size but they should definitely be the same in terms of configuration and type so that's where we want to use the same template between the environments to ensure i've got consistency otherwise my tests really may not be that good if there are differences between them i want to make sure i automate as much as possible so i think about automation now automation can be done in different ways there are things like logic apps logic apps are phenomenal for doing something on a schedule they replace the old azure scheduler so through a logic app hey i could run something at a certain time automatically shut down vms you'll actually see for a lot of types of resource there's a tasks option a task for virtual machines to shut them down automatically for storage accounts tasks like moving between tiers these are using logic apps behind the scenes some serverless compute option that just does something as cheaply as possible when i need it to so you might see these exposed as tasks i might write a function instead or there are things like azure automation i have runbooks where i can run powershell or python to do certain things but again there's that key point that i need to have monitoring across all of these different components i need to understand what's happening at the storage the compute the network that insight component to make sure i've got all the right things in place so i can react i can have those action groups and those alerts if there are problems so yes i want to automate but i'm making sure i've got that monitoring and i automate responses if i see things of a certain type to keep the environment healthy keep it secure etc okay so now we think about another pillar my next pillar here we'll go for orange is all about performance efficiency i want to make sure that what i'm using is the most efficient way of doing it now there's a lot of commonality here between this and cost optimization there are a lot of things that say hey if i'm cost optimizing that's also going to optimize my efficiency but now i'm thinking about the performance side
of it my pivot is a little bit different so for my performance efficiency side yes there is commonality but again this really is about making sure that consumption is matching my load the work coming in the requirements i want to make sure the resources i have really match that and so the focus here is all about auto scale and specifically auto scaling in and out so it's horizontal auto scale i'm focusing on adding and removing instances as the workload fluctuates on my system so that's really the key point i want to do this horizontally over say vertically so yes i can make things bigger but very few things can do that live while they're running so i try to stay away from that i try and work out the right size for a unit of work and then auto scale the number of instances of that work as the load changes over time so i want to be using that auto scale now remember our key base unit for this is virtual machine scale sets remember things like aks sit on top of this and use it for the nodes to actually accomplish this so use virtual machine scale sets as much as i can they'll actually delete and create instances as required and that includes the storage so that means i'm also not wasting money on the disks themselves from an aks perspective remember the whole point of aks is the management plane is just done for me what i end up with are the nodes where my pods run well the pods can auto scale there's a horizontal pod autoscaler based on the work of the pod (there's a small sketch of that scale-out math below) and then if my nodes are all full up there's also the cluster autoscaler which can actually go and add and remove nodes if the scheduler part of aks can't schedule the pods because the nodes are full so that's where i can bring in that cluster autoscaling so that is another way to really make that efficiency work together now we talked about azure container instances aks can use those for burst scenarios there's a virtual kubelet that enables aci to actually be used by aks and this really does follow through to things like app service plans with app service plans i pick a certain sku which is a certain size and again it can auto scale between instances so from an app services perspective that idea of understanding the shape of my workload applies to vmss to aks to app services it has those same constructs ideally maybe i can use serverless when we think about efficiency if i can be triggered by some event if i can use a function if i can use a logic app that's generally going to be my most efficient use as long as it hits the requirement of what i have remember when we talk about paas solutions don't forget there are the database solutions as well so when i think about the sizing and the different options available well there are database considerations for azure sql database i can have things like vcore or dtu which is a blended measure if i'm using cosmos db i have request units for other servers hey azure database for postgresql or whatever that might be i pick a certain sku size so there's always this concept generally of a size i have a size a shape and then i have a certain number of instances of that so make sure you consider all of the aspects around those types of things storage is exactly the same we covered that in detail storage managed disks standard hard disk drive so don't forget about that so while yes we're focusing on compute don't forget about the storage is it the right type is it the right tier all of those things come into play
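as mentioned above here's the scale-out math kubernetes' horizontal pod autoscaler is documented to compute desired replicas as ceil(currentReplicas × currentMetric / targetMetric) and the same proportional idea underlies most horizontal auto scale:

```python
import math

def desired_replicas(current_replicas, current_metric, target_metric):
    # hpa-style: scale the replica count in proportion to how far the
    # observed metric is from the target
    return math.ceil(current_replicas * current_metric / target_metric)

print(desired_replicas(4, current_metric=90, target_metric=60))  # 6: scale out
print(desired_replicas(4, current_metric=30, target_metric=60))  # 2: scale in
```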
do they have bursting we talked about the bursting ability maybe i can pick a smaller disk because i only have a small window of burst i can use that redis cache if i need in-memory caching capabilities i might have a combination of storage i might use blob i might use azure sql database i might use cosmos db they call this polyglot persistence where i have this combination of different solutions don't forget about the network so yes great i have this whole idea of performance efficiency for my compute services but remember as we said with networking one of the biggest things you need to consider is latency also generally we pay for data egress am i unnecessarily sending data out which is going to cost me money so i have to think about what is the latency between the different components i have and how can i optimize that maybe i use buffering maybe i use some messaging layer if there is a latency aspect to that within a region so intra-region i can reduce latency by using things like a proximity placement group that's going to put things as close together as possible and then there's obviously inter-region between regions well that's generally just the speed of light so i want to be super careful in my architecture to make sure i'm not trying to do something synchronous across them that's going to hurt me if i'm going from on-premises to azure remember the site-to-site vpn is going over the internet so the latency who knows it's going over the internet whereas if i use expressroute that's a private dedicated connection it still takes time but hey it's going to be as efficient as it possibly can be and again in terms of really optimizing my path there are things like content delivery networks if i'm offering content out to the internet a content delivery network can cache content at points of presence around the world to make it more easily available so hey are there caching options remember azure front door can integrate with that so cdn front door etc okay so with cost optimization operational excellence and performance efficiency covered the next big pillar we'll use gray for this is reliability and we talked in detail about this so from a reliability perspective i have to understand what is my requirement so often we want to survive a failure at some level is it a node failing a rack failing a data center failing a whole region failing i have to understand what are my requirements often we'll hear about the idea of an sla and we have some number of nines 99.99 99.9 if we say three nines well that's about 10.1 minutes of downtime a week if we say four nines now it's basically one minute per week and that includes unplanned and it includes planned maintenance so i have to consider that
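those downtime figures fall straight out of the arithmetic allowed downtime = (1 - sla) × period:

```python
minutes_per_week = 7 * 24 * 60  # 10,080

for sla in (0.999, 0.9999):
    downtime = (1 - sla) * minutes_per_week
    print(f"{sla:.2%} -> {downtime:.1f} minutes of downtime per week")
# 99.90% -> 10.1 minutes per week (three nines)
# 99.99% -> 1.0 minutes per week (four nines)
```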
within a region from that reliability perspective for this pillar well what did we have we had the idea of availability sets so that's the idea of a rack level fault domain or node level protection then we have availability zones that's an entire data center level of survivability and then of course going across regions gives me resiliency from an entire region level problem now obviously between regions so region two there's some kind of replication or it could be some kind of data job that copies the data it could be a backup where that backup vault is replicated but there's something taking the data from one to the other so again it could be a backup restore and there are different layers remember i can replicate at the fabric level and we talked about azure site recovery or it could be at the application level so there are different levels of things we can do what's going to drive this is what is my recovery point objective and what is my recovery time objective how long do i have to start back up how much can i lose so a recovery point objective might be five minutes i can lose five minutes of data in some unplanned disaster a recovery time objective might be you have to be up and running in an hour now if my recovery time objective was three days and my recovery point objective was 12 hours then as long as i'm backing up twice a day my plan could be restore from backup if my recovery point objective is five minutes and my recovery time objective is an hour i'm looking at some kind of replication as they get smaller and smaller maybe i'm actually moving to an active-active type of configuration remember active-active can be super difficult from an architecture perspective because where's the state if the state is in a database how do i handle that cosmos db has great capabilities for that from a database perspective maybe i have a read replica and my application has to be smart enough to read from the replica but do writes to the primary so i have to be able to architect around all of that to actually make it work but for reliability i have to understand what i'm trying to solve so see what the question is saying hey i want to survive a rack level failure okay i probably use availability sets hey i want to survive a data center failure ding ding that's going to be availability zones or i'm using multiple regions remember the types of service lrs zrs grs for storage accounts databases let you have replicas nearly all compute is regional so if i'm trying to make a compute service available to multiple regions i'm going to have different instances in the multiple regions an aks in region 1 and an aks in region 2 and then remember i can balance between them things like azure front door or the azure traffic manager we talked about would be that distribution for those solutions
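a tiny decision sketch that mirrors the rpo/rto reasoning above the thresholds are illustrative rather than official guidance:

```python
def dr_strategy(rpo_minutes, rto_minutes):
    # illustrative thresholds only: tighter objectives force richer designs
    if rpo_minutes <= 15 and rto_minutes <= 15:
        return "active-active across regions (hardest: where does state live?)"
    if rpo_minutes <= 60:
        return "continuous replication, e.g. fabric-level with azure site recovery"
    return "backup and restore (back up at least once per rpo window)"

print(dr_strategy(rpo_minutes=12 * 60, rto_minutes=3 * 24 * 60))
# backup and restore (back up at least once per rpo window)
print(dr_strategy(rpo_minutes=5, rto_minutes=60))
# continuous replication, e.g. fabric-level with azure site recovery
```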
so we've had cost optimization operational excellence performance efficiency reliability the last pillar by no means least is security so when i'm architecting my solution i need to make sure i'm thinking of security now when i think security there might be regulatory standards so is there something regulatory this could be hipaa it could be credit cards like pci dss it could be gdpr but i have some kind of requirement that drives a certain configuration there are just basic things built into azure there's what was azure security center that has different standards i can apply some things i'm responsible for some things azure is responsible for and it can show me those things it uses azure policy behind the scenes and initiatives that have the various configurations and i need to go and see that status there's a huge focus on zero trust zero trust is about never assuming trust we constantly revalidate that trust at every single step we're always validating it what that does is help protect us against lateral movement if something has got into your network we don't just naturally assume it can do anything it wants even inside our networks we constantly re-evaluate all of the different things that we actually might want to do we have a huge focus on defense in depth and defense in depth is different layers so we think like an onion and yes this can make us cry as well but we want to think about defending at every single layer of what we have now at the top we have things like our data so how is our data encrypted are we using azure key vault are we bringing our own keys are we rotating the keys are we encrypting inside the virtual machine with something like azure disk encryption making sure we have the right things within our data we're encrypting it the right way within our application are we introducing vulnerabilities there are various azure defender solutions that can help us with this there are things like the web application firewall that can look for common types of attack and we're going to talk more about this in a second that can help protect me but for my app am i doing good things i'm not storing secrets in my app i'm not making it vulnerable to code injection i want security to be part of the entire process that entire security development lifecycle for any compute services i have again i want security in them anti-malware i'm not opening up rdp or ssh to the internet i want maybe just-in-time access i want to be using private connections via site-to-site vpn or point-to-site vpn or expressroute private peering or azure bastion that managed jump box solution but i want to control those things i do think about the network so i have the security in the network again public access limit connectivity don't put vms directly on the internet when we talked about things like load balancing on all of those different solutions when i do auto scale there are things like a load balancer sitting in front of those virtual machine scale sets to give me that single entry point which also slightly abstracts things away i'm not putting my vm directly on the internet and if i use a layer 7 solution like app gateway then i can use things like the web application firewall to give me additional protections for that network so again as many layers as i can i want to add i think about the perimeter so things like distributed denial of service protection there's a basic protection just built into azure and there's a standard tier i can leverage for more granular control something that's machine-learning tuned to what my regular traffic looks like we have policy so policy can apply to things like well what is the authorization do i do mfa am i using conditional access do i have identity protection what are the types of resources what are the agents required what's the auditing i have going on then there's obviously the physical facility now in azure you're not responsible for that that's part of azure's job but they go through certain audits to meet certain requirements you may have so there are different levels of responsibility but i think about all of those things for my all-up solution now with that identity is huge identity is kind of the security perimeter in the cloud it's not really the network the network's part of it but really identity is a bigger part so i want to make sure i have really rich identity controls we talked about conditional access and mfa partners can come in through things like azure ad b2b enable seamless sign-on as much as possible get rid of passwords altogether that's becoming more and more of a reality today for my customers i can use azure ad b2c as we saw there's pim for just-in-time access to resources and different permissions but as much as possible i want this single identity if it's an azure resource use managed identities and if i have lots of resources that need the same permissions use a user-assigned managed identity
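in code leaning on a managed identity usually just means using the azure identity library's credential chain instead of shipping a secret with the app a minimal sketch with a hypothetical vault name and secret name (requires the azure-identity and azure-keyvault-secrets packages):

```python
from azure.identity import DefaultAzureCredential
from azure.keyvault.secrets import SecretClient

# DefaultAzureCredential picks up the managed identity when the code runs
# on an azure resource - no password or key is embedded in the app
credential = DefaultAzureCredential()
client = SecretClient(
    vault_url="https://myvault.vault.azure.net",  # hypothetical vault
    credential=credential,
)

secret = client.get_secret("db-connection-string")  # hypothetical secret name
print(secret.name)
```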
so there are all these things that can bring this together but the whole point of these pillars is they are not particular individual azure solutions these pillars are things to keep in mind as i'm architecting because i have to build them into my architecture to make sure it's the best architecture for my customer and during the exam you're not going to get tested i don't think on the well architected framework itself that's not the point the point is these considerations when i'm looking at what the possible answers are will help me formulate in my brain oh okay which is the most efficient one what would give me the right reliability based on those requirements that have been given to me how would i optimize my cost okay what's the best way okay i need to deploy these resources what are the options i could use for infrastructure as code well okay an arm template terraform what would be an imperative option oh okay powershell or the azure cli a script essentially so i'm understanding all of these services all up so i can architect the best possible solution so that's it and this whiteboard wouldn't take any more anyway remember azure is constantly changing so stay up to date we want to make sure teams are educated architectures will evolve over time we want to automate as much as possible for the exam i already talked about what's in the exam i would just relax worst case if you don't pass the first time at the end of it it will show you the different sections where you did stronger and where you did slightly weaker for the areas where you were weaker go back and refocus go through that breakdown of what's actually in the exam and look at each of the individual skills so again you want to be able to look at that word document if i jump back to that for a second on this page here with the skills measured you should be able to go through each of these things and say okay yeah i know i can answer all these different things and again in the exam it might be that multiple answers would work so then we apply okay what's the right one based on the requirements but seriously do not panic it's an exam you can retake it if you don't pass it's going to show you where you're weaker and you can go back and redouble your efforts don't stress out i really hope this was useful this was a ridiculous amount of work so i really would appreciate a subscribe and a like but really just good luck and i hope to see you again on another video take care
Info
Channel: John Savill's Technical Training
Views: 14,795
Keywords: azure, azure cloud, microsoft azure, microsoft, cloud, azure architect, az-305, certification
Id: vq9LuCM4YP4
Length: 218min 35sec (13115 seconds)
Published: Tue Nov 30 2021