AZ-900 Azure Fundamentals Exam Cram (2024 Edition) - Full Course

If the Azure Fundamentals exam is your first Azure certification, let's face it, it can feel a bit intimidating, and it may be difficult to find exactly where to focus as you prepare. But what if I told you you could prepare for and pass AZ-900 in less than one day? If that sounds good, you're exactly where you need to be. Just like the first edition of my AZ-900 exam cram, which had more than half a million views, in this 2024 edition I'm going to optimize your exam prep by stepping through every line item mentioned in the exam syllabus and calling out key characteristics of Azure services and concepts, to ensure you're better able to pick the right answer on exam day. And this is more than just an exam prep course: I actually have two additional resources to help get you across the finish line, all in less than a day. Stick with me and I'll show you the way.

Welcome to the 2024 edition of my AZ-900 exam cram, updated from the original release to cover Microsoft's latest exam syllabus and, in keeping with the original, covering every topic on the exam syllabus. So how current is this exam cram? This course includes the January 2024 updates and should be current through the 2024 calendar year. However, every now and again Microsoft throws us a surprise, so be sure to take a look in the video description for any minor addendums or add-ons I may have published to cover minor changes. This course was recorded in January 2024.

AZ-900 consists of three domains. Domain one is describe cloud concepts, domain two is describe Azure architecture and services, and domain three is describe Azure management and governance. You'll find a PDF copy of this presentation available in the video description, intended for you to download and use in your exam preparation. The chapters within this course should appear automatically on the timeline, but just in case, you'll find a clickable table of contents in the video description so you can hop forward and back in the video as necessary as you prepare.

To test your exam readiness, I've also provided nearly 120 practice questions in a free quiz you can use to assess your readiness for exam day. Using the resources I've provided here, I find most candidates are ready to take this exam and pass on their first try in less than one day.

To take just one more minute to wrap up that topic of expectations, let's look at experience briefly. Microsoft has three levels of exams: fundamentals, where it's expected that you're just getting started; the associate level or role-specific exams, where there's an assumption of two years of hands-on experience, more or less; and the expert level exams, where there's an expectation of two to five years of experience as well as the associate level certifications. Where you are is that fundamentals level exam. In terms of exam specifics, you're looking at roughly 60 minutes in length, 40 to 60 multiple choice questions, and a lightly technical exam focusing on feature and concept description. If we just look at the verbs used in the description of the exam objectives, in the domains themselves, you'll notice the verb "describe" used a lot. What does that mean? It means the exam focuses on basic knowledge of concepts and Azure services. It is not a hands-on exam.

Now that we're clear on the technical level, let's talk about exam preparation, because there's no award for the longest study time, and there's no need on a fundamentals exam to spend more time than necessary. So I want to talk to you for just a minute about my recommended exam preparation strategy, which has worked for tens if not hundreds of thousands of exam candidates to this point in time. When it comes to exam preparation, research shows everyone benefits from using a variety of sources for exam prep, which is what makes this video course the perfect place to start: it covers every topic in the exam syllabus, in the order presented in the syllabus, at the level you need for exam day. Some written content alongside is also going to be useful, to review on your own or as part of a live quiz exercise: find a partner and have them quiz you on the topics, preferably in random order. Pair that with a practice exam so you can ensure that you're ready for exam day; I have a link in the video description to a free quiz of more than 100 questions, which is more than you need to prepare for the big day. Targeted reading is also helpful, and you can mix and match and repeat these techniques based on what feels right to you. When it comes to targeted reading, though, don't overdo it. You can use MS Learn for topics you're struggling with, but don't use it as a resource you read end to end; you could spend days preparing for an exam that most complete in less than 8 hours of preparation. At the end of the day you want to balance being as efficient as possible with your time with understanding the concepts. Studies show that understanding before you memorize greatly improves retention, but understanding is also what your employers expect and what's going to serve you best on the job, so understanding these concepts is definitely the right thing to do.

With the preliminaries out of the way, let's dive into the technical content. We'll start with domain one, which is describe cloud concepts. The syllabus carves domain one into three parts: describe cloud computing, describe the benefits of using cloud services, and describe cloud service types.

Starting with 1.1, describe cloud computing, we'll talk about the definition of cloud computing from two angles. We'll look at the shared responsibility model, something you should know well for this exam; cloud models, including public, private and hybrid; appropriate use cases for each cloud model, so really their advantages and where they apply; the consumption-based model, which is really about budgeting and pricing; we'll dig into cloud pricing models just a bit; and we'll finish up with a description of serverless. The best way to understand serverless is to compare and contrast serverless with platform as a service.

For the definition of cloud computing, we're going to start with the NIST (National Institute of Standards and Technology) definition of cloud computing, which is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (like networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. I'd call this the industry definition of cloud computing. Microsoft has their own formal definition for this exam, and that is: cloud computing is the delivery of computing services over the internet. Very simple, right? It expands traditional IT offerings to include services like the Internet of Things, machine learning and AI, and it basically enables organizations to quickly expand their compute footprint without the need to build their own data center. Put these two definitions together and you get the gist of cloud computing.

While we're going to go deeper on the shared responsibility model shortly, I wanted to touch on it at a high level just to introduce the concept. The shared responsibility model really lays out customer responsibility versus cloud service provider responsibility (Microsoft, in this case) in different scenarios. With on-premises it's quite simple: the customer is responsible for everything from the application down to the wire. Then as we move through the cloud computing models, from infrastructure as a service to platform as a service and then software as a service, you see that the CSP is taking on successively greater levels of responsibility, and we'll go a bit deeper on that topic shortly.

Now, the burning question, is there better security in the cloud, I think has been pretty well answered at this point in the industry, and the answer is generally yes. If we look at security in an on-premises scenario, what we see is that security is both challenging and often under-resourced, so we see some responsibilities met, some partially met and some unaddressed, simply because the organization doesn't have the time and resources to do so. When organizations move to the cloud, what we see is that they are immediately able to shift some commodity responsibilities to the CSP, to Microsoft, and reallocate their resources to more business-advantageous activities. So it's really shifting not only responsibility but risk to the CSP.

Now we're going to talk through the cloud models and the expected benefits. When we move to cloud computing there are a few benefits we expect right out of the gate: we expect cloud is cost-effective, it gives us global presence, it's more secure than our traditional on-premises data center quite typically, and it's scalable, elastic and always current. In other words, we're handing over a lot of those operational responsibilities and transferring some of that risk to the cloud service provider, Microsoft in this case, so the business can focus on innovation.

The first model we'll touch on is public cloud. This is where everything runs on your cloud provider's hardware, so everything in Azure in this case. Advantages here include scalability, agility, pay as you go, no maintenance and low skills required for entry; basically you can use this model to skip building your own data center. The public cloud model is going to be very common with startups, for example, that don't already have their own data center. Then we move into private cloud, a cloud environment in your own data center where you as the customer are responsible for the entire stack, all the way down to the wire. There are advantages here, legacy support for example: if we have a legacy application that's not yet ready for the cloud, we can keep that in our on-premises data center. It gives us 100% control, which can be handy in compliance scenarios for sure, but we see private cloud happening in scenarios where more control is necessary. Always up to date is fantastic until you need to run a legacy version of Windows or Linux, or a database management system that's not supported in the cloud. And then we have the hybrid cloud model, which allows us to blend public and private. When we have a scenario that requires that legacy support and additional control, we can run in our private cloud, and when we want modern, automatically scaling and always up to date, we can go the public route. It gives us the flexibility to support our legacy scenarios and our compliance scenarios, and to leverage the cloud for its scalability when we can. That makes hybrid a very common model in large enterprise scenarios.

Next we're going to touch on some foundational cloud concepts, beginning with economies of scale. Economies of scale refers to the cloud service provider's ability to do things more efficiently, or at a lower per-unit cost, because they operate at a larger scale. Because Microsoft can buy more servers and more storage than the average business, they can deliver compute at a lower cost than the business might be able to provide on their own. Next we have capital expenditure, often called CapEx for short. Capital expenditure is the spending of money on physical infrastructure up front, as a business would do with a legacy on-premises data center. We juxtapose, or compare, capital expenditure with operational expenditure, often referred to simply as OpEx: this is spending money on services or products now and being billed as you go. This is associated with public cloud consumption, a pay-as-you-go model, as with Microsoft Azure. So you'll definitely want to remember that OpEx is associated with cloud and CapEx is associated with investment in on-premises infrastructure; the cloud increases OpEx spending and reduces CapEx spending. If you keep those two concepts straight, that's about all you should need for the exam.

The consumption-based model refers to paying for what you use, typically per unit of time or capacity. It might be per minute, per gigabyte or per execution in some cases, so how it's billed quite typically depends on the service. For example, virtual machines are going to be billed per unit of time, storage is going to be billed per gigabyte, and Azure Functions would be billed per execution. Next we have the fixed price model. This is where you provision resources and you pay for those instances whether you use them or not, and in cases where you know you're going to use what you're provisioning, it does offer an advantage in that it ensures predictable cost for your cloud services. For example, with some Azure AI services you can pick a commitment tier that comes at a fixed cost for several services.

Next we have serverless architecture. This is a cloud computing execution model where the cloud provider dynamically manages the allocation and provisioning of servers. It's hosted as a pay-as-you-go model based on use, the resources are stateless, the servers are ephemeral, and they're often capable of being triggered. I call those out because I want you to remember those keywords: if you see stateless, ephemeral or triggered on the exam, serverless is quite likely the answer. A good example of serverless is function as a service, which would be Azure Functions.

So let's talk about the difference between serverless and platform as a service in terms of responsibility. When we talk about platform as a service in some depth a little later, you're going to think that PaaS and serverless sound very much alike, so let's talk about how they're alike but also how they're different. With PaaS and serverless, developers have to write code, and there's no server management; that tier is managed by the cloud service provider. But how are they different? Well, in the PaaS environment you have more control over deployment; in serverless you have less control over deployment. On the PaaS side the application has to be configured to autoscale, whereas on the serverless side the application scales automatically. You have less control, but because the scale is automatic you don't really care that you have less control. And on the PaaS side the application takes a while to spin up, whereas on the serverless side application code only executes when it's invoked.

Let's take a look at some Azure cloud services that fall into the serverless category. Three that come immediately to mind are Azure Logic Apps, Azure Functions and Azure Event Grid. One I think you're quite likely to encounter in your cloud career is Azure Logic Apps. This is a cloud service that helps you schedule, automate and orchestrate tasks, business processes and workflows. The magic of Azure Logic Apps really comes in its connector gallery: you can choose from a gallery of hundreds of pre-built connectors for Microsoft and third-party services, so whether you want to integrate with a Microsoft service like Office 365 or a third-party service like ServiceNow, Logic Apps quite likely has a connector you can use to expedite the process. Logic Apps and its connectors are actually the foundation for Power Automate, formerly known as Microsoft Flow.

In fact, why don't I give you a quick tour of those Logic Apps data connectors so you can have a look firsthand. We'll switch over to the Azure portal, I'll click on Logic Apps, and I'm going to open an existing logic app created previously so we can have a look at that visual authoring experience and get a shot of those connectors. The visual authoring experience here is not entirely unlike what we'd see in Microsoft Power Automate, formerly Microsoft Flow; after all, Power Automate is built atop Azure Logic Apps. In Logic Apps we simply have a bit more control: we are a technical author here, whereas Power Automate assumes what they call a citizen developer, somebody a bit less technical on the whole. But let's get to why I brought you here, those connectors. Any time I'd like to make a connection to another service, I can choose my action here and then find actions that will connect me to those other services. For example, if I just type "office", I can see connectors for Office 365, what we'd typically call Microsoft 365 now, and you'll notice that the "group by connector" box is checked so I can see the actions that relate to each of these connectors. If I scroll down you'll see multiple connectors related to Office 365. In fact, if I type "Azure" you'll see connectors related to Microsoft Azure services, a variety of PaaS services as well as VMs. But it's not just Microsoft services you can find in the hundreds of connectors here: if I type "Adobe", for example, you'll see multiple actions related to various Adobe connectors, connecting to Adobe services of various sorts. That's the power of Logic Apps: we have that API-type connectivity with great configurability, without the need to write our code from scratch.

Moving on with serverless computing options, we have Azure Functions. This is an event-driven, compute-on-demand experience that extends the existing Azure application platform with capabilities to implement code triggered by events occurring in Azure as well as in on-premises systems. Azure Functions supports a number of programming languages, but the "triggered by events" phrase there is key. Why is that important? Well, it means that Azure Functions doesn't have to poll remote systems to see if an event has occurred; it can be triggered by those remote systems, those applications, those remote services, and that enables Microsoft to bill us per execution rather than by runtime, which makes Azure Functions on the whole very inexpensive.

Rounding out our look at serverless, we have Azure Event Grid. This enables you to easily manage events across many different Azure services and applications, because once a subscription is enabled, Event Grid will push events to a configured destination. Push is the keyword here: if you see serverless and push in a question, Event Grid is likely your answer. But let me give you a bit more information. On the left side we have event sources, so we might have events from IoT devices, machine learning or our containers, and Event Grid will push those events over to event handlers where we can take action on those events, like an Azure function or a logic app for example. It's what we call implementing a pub/sub model: an app or service is reacting to an event. When you're creating an application model like this it's often called reactive programming, and Event Grid makes it easy for any developer to utilize the push model instead of an inefficient pull model, where you have to reach out and poll on a recurring basis across your serverless architecture. That's what Event Grid and Azure Functions have in common: in Azure Functions we talked about the event-based trigger, and in Event Grid we're talking about a push model, which means in either case neither of these services has to use an inefficient polling mechanism that would cause us to be billed by time. So like Azure Functions, Event Grid is pay per use. And that's a wrap on subdomain 1.1.

Now we're going to move into 1.2, describe the benefits of using cloud services. Here we're going to focus on the benefits of high availability and scalability, reliability and predictability, security and governance, and manageability. We see that "describe" verb I mentioned again, so it's high-level knowledge, but our focus here is high availability and scalability, reliability and predictability, security and governance, and manageability, so you want to know the difference between all of these terms on exam day. We'll talk about these concepts in exactly the order they appear in the syllabus, starting with availability.

Availability appears obvious on its face, but I want to cover one small nuance with you. Availability encompasses the availability of infrastructure, services or applications, and it's generally expressed as a number of nines: you'll hear three nines, four nines or five nines of availability. Where the nuance comes in is that availability and uptime are often used interchangeably, but they're not the same thing. Uptime simply measures the amount of time a system is running. In the IaaS world, for example, I can have a virtual machine that's running for a week, but maybe my application, my website, etc., that's running on that VM is not available for 5 or 6 hours of that time. So I might have had five nines of uptime, but I certainly didn't have five nines of availability in that situation.

Then we have scalability. Scalability speaks to the ability of a system to handle growth of users or work; it refers to the ability of a system or a service to handle more traffic, to scale essentially, whether that's scaling up or scaling out, and we'll talk about scaling up versus scaling out a bit later in this session as well. Next we have elasticity. Distinct from scalability, elasticity is the ability of a system to automatically grow and shrink based on app demand; it focuses on the ability of a system or a service to scale quickly to spikes in demand. I find that, generally speaking, folks get scalability and elasticity confused, so let's break these down and compare the two so it's crystal clear for you on exam day. Rapid elasticity and scalability are core benefits of the cloud: they allow a customer to grow or shrink the IT footprint as necessary to meet the business needs without excess capacity. These two are related, but they're distinct. Elasticity again speaks to the ability of a system to automatically grow and shrink based on app demand. When we're talking about elasticity you'll often hear about the ability to rapidly provision and deprovision those capabilities, scaling out and scaling in, meaning I'm adding more instances to scale out, and when my demand shrinks I'm scaling in, removing those excess instances so I don't have unnecessary spend. Scalability, on the other hand, is not speaking to my ability to deploy those additional instances; scalability is about the ability of a system to handle growth of users or work as demand increases. So that's really about making sure that I have provisioned the right virtual machine SKU, or I've selected the right service tier in a PaaS service like Azure Database, for example.

Another term that may come up is agility. Agility speaks to the speed and ease of allocating and deallocating resources, so I think of agility as our capability to react and execute quickly in the cloud versus what it takes on-premises. On-prem, if I need to roll out additional compute capacity, it means I need to buy and configure additional servers; in the cloud it means I am pushing a button to deploy additional virtual machines in an IaaS scenario. So the cloud is agile because my response can be measured in minutes, where my response in the on-premises data center can be measured in days or weeks, and this allows for vast amounts of computing resources to be provisioned very quickly. That's agility: provisioning a set of 10 VMs in a scale set, for example.

A few of these terms really fall into the categories of high availability and disaster recovery, and again, while you need to be able to describe these, you need to know the difference between these terms on exam day, which is really a matter of scope for the most part. Fault tolerance speaks to the ability of a system to handle faults in a service, like power, network or hardware failures; it generally refers to component-level failures, so when we're thinking of fault tolerance we're thinking about redundant power supplies or highly available disks in a server. High availability, on the other hand, is about the ability to keep services up and running for long periods of time, so high availability has a service or application level focus, and it generally refers to service-level failures. Next we have disaster recovery. The focus of disaster recovery is on the ability to recover from an event which has taken down a cloud service; it generally focuses on a service or even a site-level failure.

Continuing down that list, reliability. Reliability speaks to the ability of a system to recover from failures and to continue to function, and you can think about reliability in human terms: when someone is reliable you can count on them, and that's really what reliability means in a technical sense. But the way Microsoft looks at reliability is really from two angles, so they'll talk about the principles of resiliency and availability. Resiliency aims to return an application to a fully functioning state after a failure occurs, and the goal of availability is consistent access to the application. If we think about that in human terms, a person is said to be resilient when they can bounce back from failure quickly, and that's what resiliency is about in technical terms in the cloud; availability, again, is about consistent access to our application or service. It's not uptime of the underlying system; it's access to the service that we're delivering.

We're getting into some fancy words here, aren't we? The next one is six syllables, predictability, but this one's a pretty simple concept: Azure enables solutions with predictable cost and performance. To say it another way, predictability means the level of service and performance and the associated cost are known to us in advance, and I can't overstate the importance of that. When you are in your job recommending solutions to your managers and your executive stakeholders, they are absolutely worried about the size of the check they're going to be writing in the cloud, so predictability is key for you and for them.

Let's shift gears and talk security and governance. When it comes to security, we're focused on protection of customer data, whether that's access control or encryption, protection of our cloud applications, and protection of the infrastructure it rides on. This comes down to the dueling elements of control and responsibility: infrastructure as a service (IaaS) gives the customer more control versus platform or software as a service (PaaS or SaaS), but it also places more security responsibility on the customer. To tweak that line from Spider-Man, with great control comes great responsibility, right? All models in Azure have built-in distributed denial of service (DDoS) protection from the Azure DDoS service, from the free tier, which covers every component in Azure invisibly with no action on your part. The standard tier provides enhanced DDoS mitigation features to defend against DDoS attacks, and it also includes more logging, alerting and telemetry that's not included in the free basic tier that's present by default.

Now let's talk governance. Governance really speaks to the rules and policies that guide an organization's cloud operations. This ensures data security and helps us manage risk, control cost and improve efficiency. I think of governance as the guidance and guardrails that ensure we're as secure, consistent and efficient as possible, and the cloud features in Azure are designed to support both governance and compliance out of the box. For example, there are deployment templates available that help ensure deployed resources meet corporate standards and regulatory requirements, and depending on the model we're dealing with, software updates may be applied automatically by the cloud provider, which helps us with governance and security; it transfers some of that responsibility and risk to the cloud service provider, Microsoft in this case. You'll also want to be aware of the Microsoft Cloud Adoption Framework, which provides guidance designed to help organizations implement business and technology strategies successfully in Azure. On the topic of governance, the Cloud Adoption Framework includes a governance model based on the five disciplines of cloud governance. We never know exactly what's going to come up on an exam, but that's the sort of high-level information I could easily see popping up on AZ-900.

On that topic of security, which we touched on a moment ago, the shared responsibility model really explains who is responsible for security in each model and scenario, and we'll dive into that. But security on this exam is going to be more about the what and the who of security and less about how it's implemented; it's not a hands-on exam.

Then, to wrap up section 1.2, let's talk about manageability. When it comes to manageability, there are two aspects of manageability for the cloud in the Microsoft story, and it's really about the what and the how. When we think about manageability of the cloud, there's automatically scaling resource deployments based on need, and deploying resources based on a preconfigured template, which makes manageability easier because we can consistently deploy. We can then monitor the health of resources and automatically replace failing resources, and also receive automatic alerts based on preconfigured templates. That really answers the what. Then, speaking to how you're able to manage your cloud environment and your resources: through a web portal, using a command line interface, using APIs, through third-party or command line tooling, custom scripts, or using PowerShell. That speaks to the how.

That brings us to subdomain or section 1.3, describe cloud service types. We're going to look at infrastructure as a service, platform as a service and software as a service, and we'll talk through appropriate use cases for these cloud service types. Yes, this is finally the spot where we're going to walk through the shared responsibility model. Now we're going to move into a comparison of cloud models and services, which you can expect will factor prominently on the AZ-900 exam. We're going to focus on the core three of infrastructure, platform and software as a service, and the most common cloud models of private, hybrid and public, and the best way to approach these for the exam is to examine them through the lens of the shared responsibility model. In the beginning, responsibility is easy, because on-premises responsibility is 100% yours; on-premises, the customer owns 100% of the responsibility, all the way down to the wire. As we look at our cloud models across infrastructure as a service, platform as a service and software as a service, we see that the cloud service provider, or CSP, assumes increasing levels of responsibility. If we overlay models here, private cloud happens on-premises, and hybrid cloud would then extend from on-premises into the cloud, using infrastructure as a service at minimum, generally with some sort of site-to-site VPN connectivity that connects our on-premises data center to the cloud. That connectivity could be as simple as a VPN appliance connecting to a VPN gateway in Azure, or it could be something more sophisticated and enterprise-friendly like Azure ExpressRoute, which often uses MPLS; not details you have to be too worried about for an Azure fundamentals exam. Just know that in the hybrid cloud we're extending to IaaS at minimum, connected by that site-to-site VPN. In terms of responsibility, the CSP is providing the building blocks (networking, storage, compute), the facilities, the hardware and the staff to manage it all. The customer becomes a consumer and is free to focus on innovating in their business, and some of this utility functionality is pushed off to the CSP. All your major CSPs have an IaaS offering; in Azure that is Azure Virtual Machines. If you're familiar with Amazon or Google Cloud Platform, they have EC2 and Compute Engine respectively, but Azure Virtual Machines will be your focus for this exam.

You'll also need to know the common IaaS use cases, when to use virtual machines. A few use cases come immediately to mind, like testing and development, because VMs are an easy way for test and dev teams to deploy and delete VMs when they no longer need them, so they can iterate through test cycles without waiting on infrastructure teams to deploy physical or virtual machines in a private cloud, which is really the problem we've seen historically: even in a private cloud environment it can take days or even weeks to get VMs deployed. When running applications in the cloud, we can gain financial and technical benefits when an application might need to handle fluctuations in demand, because in the cloud we're paying by the minute, so we can shut down VMs when we don't need them, quickly start them up when we see an increase in demand, and pay only for the resources we use. This is that shift from capital expenditure to operational expenditure, the shift from CapEx to OpEx budget. When extending your data center to the cloud, the hybrid cloud scenario, we can extend the capabilities of our on-premises network by creating a virtual network in Azure and adding VMs to that virtual network, and the real benefit of that hybrid cloud scenario is that it makes it easier and less expensive to deploy than it is on-premises. Finally, during disaster recovery, the cloud gives us a backup data center without having to build and provision resources in our own backup data center; Azure becomes our push-button DR site. We can use Azure Site Recovery to replicate virtual machines to Azure, and then we can have push-button, automated VM spin-up and shutdown in the case of a disaster. In the case of Azure Site Recovery, you're going to pay a fee for the privilege of replicating your VMs into Azure so you can spin them up on demand, but it's certainly much less in terms of cost than building and running your own disaster recovery site.

In platform as a service, the customer is responsible for deployment and management of their apps, while the cloud service provider manages provisioning, configuration, hardware and the operating system, the bulk of the stack as you can see here. There are a number of cloud services that fall into the PaaS category: Azure SQL Database, the API Management offering, Azure App Service, just to name a few. There are many more, and you won't be expected to know all of them, and certainly not exhaustively, but you will be expected to be familiar with some common platform as a service use cases, when to use platform as a service. As a development framework, PaaS provides a framework that developers can build on to develop or customize cloud-based applications. It lets developers create applications using built-in software components, so they're focused more on developing for business value rather than utility functions. Cloud features like scalability, high availability and multi-tenant capability are all built in, reducing the amount of coding that the developers have to worry about. The bottom line is that it reduces developer effort and increases solution quality on the whole. We also see platform as a service factor prominently in analytics or business intelligence; basically, tools provided as a service with PaaS allow organizations to analyze and mine their data, find insights and patterns, and predict outcomes. It improves forecasting, product design decisions, investment returns, and a number of business decisions. Bottom line, it simplifies data analysis and it improves business outcomes. So the theme you should be noticing here is the reduction in upfront investment and the reduction in the need for the customer to worry about utility functionality. It's a win on two fronts, in that customers can save money through that pay-for-what-you-use model, and they have more time to focus on delivering business value to their customers. Nowhere is that more evident than in the software as a service model. Here the customer just configures the features; by and large the CSP is responsible for management, operation and service availability. Now, the customer has some responsibility in access management and data recovery, so it's not entirely on the CSP to manage this, but you see that at worst the customer has minor shared responsibility here, and not sole responsibility for almost anything. Even if you're fairly new to the cloud and to technology on the whole, you'll recognize some of these
Services Office 365 service now Salesforce Office 365 is now called Microsoft 365 I wanted to call out office just to make sure that everyone recognizes this because Office 365 is what originally in a cloud sense got large numbers of small businesses out of the business of managing their own email and I don't think I know anyone who misses having to manage their own email servers as was the case with IAS and P You're expected to be familiar with common use cases of software as a service and there are are several for example email and messaging as I said nobody misses hosting their own email servers business and productivity applications SharePoint for document collaboration finance and expense tracking bottom line these are all important utility functions but they're not core to the company's purpose so perhaps more than anything SAS enables companies to securely and reliably Outsource a variety of utility fun function so they can focus on Innovation and revenue generation and that's a wrap for domain 1 which brings us to domain 2 describe Azure architecture and services and in domain two we'll be covering the core Architectural Components of azure the compute and networking Services Azure storage Services as well as identity access and security we'll start with 2.1 which is described the core Architectural Components of azzure and we're using that verb described throughout whether we're talking about regions region Pairs and Sovereign regions availability zones data centers resources and resource groups subscriptions management groups and the resource hierarchy we'll start at the top of the hierarchy and work our way down beginning with Azure geography so an Azure geography is a discrete Market typically containing two or more regions to facilitate Disaster Recovery that preserves data residency and our compliance boundaries and based on your business needs you can pick the Azure geographies that work best for your organization you'll find Azure geographies around 
the world including North America Europe Australia China is its own Sovereign region Africa and South America and you want to choose your geography based on the location you need but you'll also want to look at the regions within the geography so a region is a set of data centers deployed within a latency defined perimeter and connected through a dedicated Regional low latency Network so essentially you're choosing the right locations within the region based on where your company conducts business so whether that's in China or Europe or North America you're picking the part or parts of the country where your customers are located for example so you can provide the best user experience and a moment ago I mentioned Sovereign regions we should touch on that briefly so a sovereign region is a special region you might need for compliance or legal purposes China is one of those Sovereign regions the US federal government also has their own Sovereign region these are operated by special trustees and they provide physical and logical isolation and you'll also want to choose your geographies and regions based on the services that are available so I'd like to just take you to a page and have a quick look at the available Azure geographies and how you can find the service availabilities in each of these geographies and this will help us put a finer point on it so if you go just search the internet for Azure geographies it will bring you to this page where you can choose the Azure geography that meets your needs and so if I click on geographies it shows me the geographies available in this table and you see the check box there that says show nearby geography so naturally one of the elements in our decision process is to find geographies that are close or geographically proximate to our audience but that's certainly not the only decision criteria so I'll hop over to region and you'll notice here they mention some of the decision criteria that factor in choosing the right region 
like data residency you may have compliance requirements that demand your data is stored housed in a specific geographic location typically that's at a country level but it's an option and then you see service availability so it's important to note that not every Azure service is available in every region this tends to be particularly true of newer services that are added to the platform and certainly you will find that the prices are not the same in every geography in every region so you'll want to check the prices as well if you're flexible on location you can look at the price of a service on the east coast of the US versus the West Coast for example and we should also talk about region pairs a region pair defines a relationship between two Azure regions within the same geography for Disaster Recovery purposes now a couple of things are true here so you'll find that the region pairs tend to be at least 300 M apart for example East us and West us or a region pair so that 300 plus miles is chosen by Microsoft to make sure that we have region pairs with locations that are far enough apart that both are not impacted by the same disaster for example and those are the two most important elements to remember for the exam those region pairs tend to be location 300 plus miles apart and they are chosen by Microsoft that's not your decision and the services in the platform form such as Azure storage for example will have some automatic failover behaviors configured for when we have a region outage there'll be some data replication automatically configured in the background assuming you choose the right service tiers and also some automatic change in endpoint availability where you'll call to access the service based on that Regional outage now that doesn't mean you may not need to factor that in when you develop your application but it does mean you have a Dr Data Center without having to build build your own Dr Data Center and moving on when we think about services and 
how we manage and secure them you'll need to be familiar with management groups subscriptions resource groups and the resources they contain so to give you a look hierarchically before we look at their function you have at the top level of management group which contains one or more subscriptions subscriptions contain resource groups and within a resource Group we have have the resources themselves like a virtual machine for example now let's talk about the purpose the function of these four components starting with management groups as you saw in the hierarchy diagram management groups provide a level of scope above subscriptions and each directory is given a single top level management group called The Root Management Group by default that management group is a boundary for management as the name implies and for application of policy Azure policy being how we would automate the application of our management requirements next we have subscriptions a subscription is a logical container used to provision resources in Azure now why would I create multiple subscriptions you want to be familiar for the exam we'd use this when subscription limits are reached we'd use this to support different payment methods whether we're talking about currencies or maybe I have reservations that give me some long-term commitments in one subscription and perhaps in another I'm going to Simply pay as I go month to month and also to isolate resources between departments between projects between regions or geographies for compliance purposes whatever reason I need isolation subscriptions are going to be one option for providing that isolation and next we have resource groups a resource Group is a container that holds related resources for an Azure solution it's used to group resources that share a common resource life cycle such as the components that combine to form a virtual machine which would include the VM its network adapter its storage there'll be multiple components in there and 
then we have the resources themselves a resource is an entity managed by Azure like a virtual machine a virtual Network or a storage account now since virtual machines are the most common use case let's take a quick look at a resource Group for an Azure VM just to give you a visual confirmation of what that actually looks like so I'll just switch over to the Azure portal I'm at portal. azure.com I'm looking at a specific virtual machine and if we zoom in here you can see the resource Group so I'll click on that Resource Group and you'll see here the resources associated with this virtual machine you see the virtual machine you see the public IP address the network security group that gives us security at the network level the virtual Network the network interface the disc the storage for this VM so naturally all of these elements share a common life cycle when you delete the virtual machine all of these resources should be deleted with it and so this Resource Group encapsulates these resources and when I click on delete Resource Group I'm going to get a prompt here to show me everything that will be deleted when I delete the resource Group essentially all of those elements all of those components of the virtual machine that share a common life cycle and all I have to do is go down here and type the resource Group name to confirm and hit delete and those resources will be deleted in their entirety let's take a quick look at that resource hierarchy by function starting with the Management Group the Management Group can be used to aggregate policy and initiative assignments via Azure policy so think policy-based management that's really automating our desired configurations enforcing our requirements through policy really automating that step the Management Group can contain multiple subscriptions and in fact all new subscriptions are added to a special Root Management Group by default next we have the subscription and a subscription is a unit of management billing 
and scale within Azure it serves as a management boundary for assigning policies for governance and potentially for isolation any of these based on our requirements and then we have the resource Group and resource groups are containers that hold Resources with a common life cycle as we saw with the components of a virtual machine and then we have the resources themselves like that virtual machine and resources can be contained within exactly one Resource Group and a resource Group can live with within exactly one subscription so it's a on toone relationship in each case so this is really logical architecture let's shift to the physical for a moment and talk about availability zones availability zones are unique physical locations within a region with independent power Network and cooling availability zones are comprised of one or more data centers and they're tolerant to Data Center failures via redundancy and isolation so when we configure availability zones for example with our web application here that is load balanced we have availability zones that give us redundancy resilience against physical failures so we're considered to be Zone redundant and continuing that discussion of the physical let's talk about Azure data centers these are physical buildings that contain thousands of servers and other Hardware to provide Cloud Computing Services Azure data centers are located all over the world and they're organized into regions which we looked at previously they are designed to be secure reliable efficient leverage economies of scale and of course their multi-tenant for the exam do remember that a data center consists of multiple physical buildings and it has redundancy throughout whether that's Powers servers internet service provider connections Etc and that does it for 2.1 bringing us to section 2.2 describe asure compute and networking services so here we'll talk about compute types including containers virtual machines and Azure functions we'll look at 
virtual machine options, including Azure VMs, VM scale sets, availability sets and Azure Virtual Desktop; the required resources for virtual machines, the components that comprise a VM; and application hosting options, including web apps, containers and virtual machines. These add up to the compute options, both IaaS and PaaS, available in Azure. We'll also look at the virtual networking options that support compute, including Azure virtual networks, subnets, peering and DNS, as well as VPN Gateway and ExpressRoute. What these last two have in common is that they support hybrid cloud connectivity: they connect our on-premises data center to Microsoft Azure. And we'll take a look at public and private endpoints. Again, notice that "describe" and "define" are the verbs here, so it's really just high-level familiarity.

We're going to start with a look at our VM compute options, including Azure VMs, Azure Container Apps, Azure Kubernetes Service, Azure Virtual Desktop and Azure Container Instances. Technically containers are smaller than VMs (multiple containers run on a VM, with the VM as the container host), but at the end of the day these are all VM compute options of a fashion. Let's start with Azure VMs, which are server virtualization: compute on demand without the need for hardware purchase. There are a couple of variations you'll want to be familiar with, the first of which is virtual machine scale sets. VM scale sets allow you to create and manage a group of identical, load-balanced VMs. The number of VM instances can automatically increase or decrease in response to demand or based on a schedule, and because it says "based on a schedule" that tips us off that the focus here is scale, scalability and capacity, rather than elasticity, which would focus on rapid scale. Then we have virtual machine availability sets, which help build a more resilient, highly available environment by staggering VM updates and ensuring
varied power and network connectivity. So the focus of availability sets is resiliency and availability. One can certainly argue that load-balanced VMs in a group also help with availability, but that's not exactly the focus there, so you can see how these two are complementary and their purpose is baked into their names: virtual machine scale sets focus on scale, while availability sets focus on resiliency and availability. Availability sets deliver that availability through two mechanisms, fault domains and update domains, and you'll want to be prepared to describe the difference between the two for the exam. Update domains allow you to apply updates while knowing that only one update domain grouping will be offline at any given time. Fault domains group VMs by common power source and network switch; by default an availability set splits your VMs across up to three fault domains.

Continuing with our compute options, we have Azure Virtual Desktop, which is a desktop and app virtualization service that runs in Azure. Functionally, the service enables IT pros to create Windows 10 and Windows 11 virtual desktops in Azure; in fact, if you get a question on the exam that mentions VDI or virtual desktop infrastructure, Azure Virtual Desktop is almost certainly your answer. Next in our compute options is Azure Container Instances, which runs Docker containers on demand in a managed, serverless Azure environment. "Containers on demand" is one of the key elements you want to remember for the exam; the other is that this solution is great for any scenario that can operate in isolated containers without orchestration. Organizations that need greater functionality, including orchestration, would move to Azure Kubernetes Service, a hosted Kubernetes service where Azure handles critical tasks like health monitoring and maintenance for you. You basically pay for the agent
nodes within your clusters but not for the masters; the management cluster is free in the free tier. If you'd like a financially backed SLA, then you pay a few cents per hour for cluster management, which is what you'd do for a production scenario. The addition of a standard tier is a fairly recent development in the Azure world; I'm not sure if it will show up on the exam, but I wanted to call out that wrinkle just in case.

The syllabus also mentions that you should be aware of the components required in a virtual machine. In an Azure VM you need a virtual disk; you need a virtual network for the VM to connect to so it can communicate; you need a network interface, a virtual network adapter or NIC, as it's called; a network security group, which provides network security at the port level; and you may need a public IP address in certain scenarios, like connecting to the VM over the internet. While the exam doesn't expect hands-on experience (it's all conceptual), it may help to see this in action, so we'll take a quick look at creating a VM in the Azure portal so you can see those VM components firsthand. We'll navigate to the Azure portal and click on Virtual machines in the left-hand menu. We can create a VM from scratch, or I can select the option to create a VM with preset configurations. This is handy because I can choose a path based on the workload type; for example, if I pick production it defaults to higher availability and performance options, and if I choose dev/test it takes a lower route, so I'll pick dev/test. In fact, if I change my mind and want to go from scratch I can simply skip this step, but I'll continue to create a VM. I have some basics here: I need to pick the subscription where I'd like to create the VM; I'll create a new resource group for this and give it a quick placeholder name; I'll name my VM; I'll pick the region where I'd like to deploy the virtual machine; and then my
availability options. For a dev/test scenario I'll pick something lower, like a single zone, but I could extend the VM configuration across multiple fault domains to improve availability in the event of problems within the regional data center. Under security type we have options similar to what we'd see on-premises: I can enable Secure Boot and a virtual TPM, which I'd need for features like BitLocker, much like configuring a Windows or Linux virtual machine in our own data center. I can choose my image, which sets my operating system, and you'll see an array of Linux, Windows Server and Windows client operating systems. Scrolling down, I can also pick the virtual machine size, which sets how much CPU and memory I need, with an associated cost shown in each case. Going across the tabs, for disks I can pick my operating system disk size and choose standard or premium SSD, or even go back to a standard HDD, moving from solid state to the lowest performance tier, which may be fine in a dev scenario; I can also attach data disks down here. On networking I assign the virtual network this VM connects to, and I can choose the network security group to associate with the virtual machine's network interface. We'll talk about network security groups a bit later, so remember this when we get to that topic. There are also some load-balancing options here, which would factor in if I were configuring, say, a VM-based web server farm. On management I can configure management behavior; I'd like to enable auto-shutdown, something common in dev/test scenarios to make sure I'm not spending money running a machine that's only needed eight hours a day while my devs
are in the office. I can configure my login behavior and some monitoring options as well. Once you've gone through all the tabs and configured your desired options, hit "Review + create". It brings you to a review screen, and if you've missed anything it's flagged at the top, so you can go back to whichever tab has the little red circle and configure whatever you were missing. Once all of your required settings are configured, click create and you'll have a virtual machine in a matter of a few minutes; it pops into the list the moment it's available.

Our final stop in coverage of compute in Azure is Azure App Service, an HTTP-based service for hosting web applications, REST APIs and mobile back ends. It'll be helpful to understand the types of applications you'd host in Azure App Service so you recognize it as the answer to some exam questions. The main four that come immediately to mind are web apps, API apps, WebJobs and mobile apps. To clarify a bit: by web apps I mean ASP.NET, Java, Ruby, Node, PHP or even Python running on Windows or Linux as the host OS. API apps are REST-based web APIs using your choice of language and framework, with full Swagger support and the option to publish to the Azure Marketplace. The Azure Marketplace is a means not only to publish services to a central marketplace where they may be available for free, but also a way for commercial solutions to be advertised to the larger global community, whether you're accommodating easy deployment for customers you're already engaged with or aiming to make your solution broadly available and searchable in that catalog. Next we have WebJobs, which let us run a program: an executable, a Python or Node.js script,
command-line batch commands, PowerShell or even bash, often in the same context as a web app, API app or mobile app. So it's not just an isolated scripting capability; it can be coordinated with other components within the App Service and scheduled or run by a trigger. These are often used to run background tasks as part of your application logic, whether that's for a web app, an API app or a mobile app. Then we have mobile apps: we use App Service to quickly build a back end for iOS and Android apps, and we can enable authentication with social identity providers, push notifications and back-end logic, all really common needs with mobile apps. Think of all the apps on your phone where you authenticate with a social identity, whether that's Microsoft, Google or Apple, or get push notifications; all solutions we can build on top of Azure App Service.

Moving on, we're going to talk about networking-related services in Azure: virtual networks, subnets, VPN Gateway, VNet peering and ExpressRoute. Let's talk about each of these individually, beginning with the virtual network, which is a logical representation of your network in Azure. You'll often hear a virtual network simply called a VNet, and a VNet contains one or more subnets. In case you get bogged down as we go through these related components, I'll visualize them for you at the end to bring them together so you can keep them straight for the exam. Digging into VNets a bit further: VNets provide logical isolation in Azure dedicated to your subscription. You create a dedicated private cloud-only network, one we can securely extend to our data center with a site-to-site VPN, or with ExpressRoute for that matter, which then creates a hybrid cloud. But VMs in different VNets cannot communicate by default, so remember I said
a virtual network creates isolation: if I have virtual network A and virtual network B, they cannot communicate by default. There are a couple of ways to change that, and I'll touch on connectivity between VNets more in a minute.

Let's look at subnets. Subnets segment the address space of a VNet to create sub-networks; basically we carve the virtual network's IP range into smaller blocks, the subnets, which lets us deploy specific resources into their own subnets. It's quite common to see all databases and database servers deployed to one subnet and application servers deployed into their own subnet; that's what we call network segmentation. When all resources of a given type are in a specific subnet, controlling access in and out of that subnet gets simpler, because if all of your database instances are in one subnet they generally have similar port requirements; with several database instances of the same platform, whether Microsoft SQL, MySQL or PostgreSQL, you'll have fewer rules on your network security group. This can also affect outbound access and the routing of traffic between resources. Remember that VMs in different subnets within the same virtual network can communicate by default; again, I'll visualize these boundaries for you in a moment.

Moving on, we want to talk about the virtual network gateway, or VPN gateway. A virtual network gateway sends encrypted traffic between an Azure VNet and an on-premises location over the internet. Remember this is a core component of the hybrid cloud model, and site-to-site VPN traffic does traverse the internet. Is it secure? Of course, it's encrypted, but it's traversing the internet, so that adds a small degree of uncertainty, as one might imagine; no one organization has full control over the internet. It also calls
attention to the importance of our selection of Azure regions and region pairs: we want to work with an Azure region that's physically proximate to our organization and/or our user base whenever possible. Then we have VNet peering, which enables seamless connection between two or more virtual networks in Azure; once you've established that peering relationship, the two VNets function as a single network in terms of connectivity. Remember I mentioned resources in different VNets cannot communicate by default; there's a level of isolation there, and VNet peering bridges that gap. Another way to bridge that gap, incidentally, would be a VPN connection between the two VNets; I'll remind you of that when we look at the visualization of virtual networks and the related components.

Let's talk for a moment about ExpressRoute. ExpressRoute extends your on-premises networks into Azure over a private connection with the help of a connectivity provider, a network provider really, and the traffic does not traverse the internet, which is an important distinction from a site-to-site VPN. It means latency is generally lower, control is greater and security is a step higher, because it's all private connectivity. For name resolution we have Azure DNS, a hosting service for DNS domains that provides name resolution using Microsoft Azure infrastructure. For the exam, remember that Azure DNS can provide both internal and external DNS: by internal I mean resolving internal DNS domains you're not exposing to endpoints on the internet, and external DNS for domains that need to be resolvable outside your network by entities outside your organization, as would be the case for a corporate website. The final concepts I'd like to introduce in the network discussion are private and public endpoints. We have the service endpoint, which provides a way to lock down access to all instances of a
PaaS service in a VNet; with a service endpoint the service is still reached at its public address, so it remains accessible from the public internet unless you restrict it to your subnet with the service's own firewall settings. A private endpoint grants access to a specific instance of a PaaS resource in your VNet on a private IP address, and it enables access from an on-premises location without a public endpoint. These are the key aspects I think you should remain aware of for the exam.

Now, to make sure these concepts are crystal clear in your mind for the exam, I want to explore them with you visually for a moment. I have a virtual network in Azure, my Azure VNet, with the 10.1.0.0/16 address space, a big block of addresses I could certainly divide into multiple subnets. Over here I have another Azure VNet, this one with some virtual machines in it, be those servers or clients. Remember that the endpoints in one VNet cannot communicate with the endpoints and services in another VNet; they are isolated. I can fix that with VNet peering, so these networks are now connected and the two virtual networks function as one from a connectivity perspective. Then perhaps I have my corporate data center, my on-premises network, which I can connect to Azure via a site-to-site VPN. Incidentally I could also connect one Azure VNet to another using a VPN, but we typically don't do that; VNet peering tends to be faster and the traffic stays on the Microsoft backbone rather than crossing the internet, so we're not worried about it, and VNet peering is typically how we connect networks in Azure. I could carve out some subnets in that virtual network: maybe a web app in one subnet, and a private endpoint in another subnet that I use to connect to Azure Storage from on-premises without connecting to a public endpoint over the internet. I believe that should be as deep as you can expect to go on the Azure fundamentals exam.

Related to networking are some network security concepts I'd like to cover with you. These used to be called out explicitly in the syllabus; they were dropped
in the latest revision but they are fundamental and I don't want to rule out the possibility that they might appear in the exam we certainly hear one or more of them at least mentioned in passing with other topics we're going to touch on defense in depth the network security group or NSG for short Azure firewall and Azure DDOS let's start with defense and depth which is not an Azure service at all but a security principle everyone should be familiar with defense in depth says a layered approach that does not rely on one method to completely protect your environment is best no security control is perfect so if we fail to stop the attacker say at the firewall perhaps we block the attacker on the endpoint with extended detection and response technology now network security group is something I mentioned earlier when we were talking about Azure virtual machines so a network security group contains security rules that allow or deny inbound Network traffic to or outbound Network traffic from several types of azure resources for each rule you can specify a source and destination port and protocol and we can apply a network security group to a subnet or a network adapter or actually both most commonly we see network security groups applied to a subnet but remember a network security group gives us allow or deny capability for inbound and outbound traffic sounds a lot like a firewall right it actually looks a lot like a firewall when you look at its rules and I'll show you that in just a moment and again it can be applied to a subnet or a network adapter but just to make sure you're crystal clear on the concept and how it protects a VM let's go have a look at a network security group in the Azure portal I'll navigate to the Azure portal and I'll click on network security groups over in the menu on the left here and we'll look at an existing Network Security Group I'm going to look at my backend Network Security Group here which protects my database here and you'll notice 
that the list of rules here looks very much like a firewall I see inbound security rules I see outbound security rules and I can configure a network security group to be associated with individual network interfaces on Virtual machines for example or I can associate a network security group with an entire subnet so for example maybe I've used segmentation to put all of my datab base servers all of my database VMS in a single subnet I could configure the rules one time in a network security group and apply it to that entire subnet and we'll take a look at inbound security rules and you'll notice here that the rules are prioritized and the general idea here is that the engine is looking for a match and if no match is found the last rule is deny all inbound much like you'd see on a typical firewall rule list and I'll click on ADD so we can look at an bound security rule adding a new rule and some of the flexibility you have here you see I can configure my port ranges from any port to very specific I can configure my destination from the very broad any down to specific IP addresses or IP ranges and you notice there's a helper in the field there to guide me on the format that it's expecting and for service I can leave this at custom and configure my port range and my protocols from scratch or I can select from a very long list of common protocols for which Microsoft will do some of the configuration for me so if I choose Microsoft SQL for example it's going to select the default port for me automatically the destination being 1433 TCP protocol I'm creating an allow rule generally speaking and I'll switch that over to RDP remote desktop protocol and you see the port changes to 3389 the default port for the RDP protocol I can give my rule an intuitive name and a description set my priority and then when I'm creating new subnets or new virtual machines I can attach that NSG or associate it to the network interface on a VM or a subnet so I hope that was helpful for just 
securing that Concept in your mind so moving on let's talk about Azure firewall which is a managed cloud-based network security service that protects your Azure virtual network resources so Azure firewall is a fully stateful firewall is a service with built-in High availability and unrestricted Cloud scalability so firewall is a service we don't have to worry about managing appliances of any sort and the availability and scalability are built in we don't need to specify the number of instances the service will scale to meet our need s automatically and like many Azure Services it comes in tiers with Azure firewall we have basic standard and premium you don't need to worry about the details of the service on a tiered basis just wanted to make sure you have basic awareness and the last service I wanted to talk to you about from a security perspective was Azure DDOS which provides protection from as the name implies distributed denial of service attacks the standard tier of azure DDOS provides provides enhanced DDOS mitigation features to defend against distributed denial of service attacks and that standard tier all flow includes enhanced logging alerting and Telemetry that's not included in the free basic tier which is actually present in your Azure subscriptions by default you don't have to do anything to enable that Azure DDOS basic functionality it's really there providing a layer of protection for all of your azure INF structure and services by default and that's a wrap on Section 2.2 which brings us to section 2.3 describe Azure storage services so topics here include compare Azure storage Services describe storage tiers describe redundancy options and describe storage account options and storage types you'll also be expected to identify options for moving files including a copy asure storage EXP explor and Azure file sync so we'll touch on the basic features of each so you can easily identify the right tool for a use case and finally describe migration options 
including Azure Migrate and Azure Data Box. And we're going to start with a look at the most commonly used storage types, which would include blob storage, disk storage and file storage, and for the exam I also want to talk to you about storage tiers. And for the exam you're just focused on the key characteristics of each and where they fit, to make sure you can pick the right option on those exam questions.

We'll begin with blob storage, which is storage optimized for storing massive amounts of unstructured data, which raises another question: what exactly is unstructured data? So let's take a quick sidebar, because you'll need to know this concept for the exam. Specifically, unstructured data is data that cannot be contained in a row-column database like Microsoft SQL, and it does not have an associated data model. Good examples here would include images, video files, social media posts: unstructured. And then we have structured data, which is data contained in rows and columns in a structured database like an Excel spreadsheet, Microsoft SQL, MySQL, PostgreSQL. Bearing in mind, you're not going to get questions directly about unstructured versus structured data, but you do need to understand the difference between the two for questions on concepts like blob storage.

Next up we have file storage, which is fully managed file shares in Azure accessible via SMB or NFS. SMB is how we access files on a Windows system quite typically, and NFS is a rough equivalent in the Linux world, unique in form versus SMB but similar in function. Next up is disk storage: Azure managed disks are block-level storage volumes that are managed by Azure and used with Azure VMs. And do pay special attention to the areas I call out in bold type and with the highlighter; these are going to be helpful to you on exam day.

Two other types of storage we need to touch on include Azure Table storage and Queue storage. So let's start with Table storage, which is a service that stores structured NoSQL data in Azure, including a schemaless key-attribute store. So that differs from a relational database, where there'll be a schema. What you want to focus on here is structured NoSQL data. And then we have Queue storage, which is a service for storing large numbers of messages, accessible from anywhere via authenticated HTTP or HTTPS calls. In production we should be using HTTPS, of course, because that's encrypted.

Next we're going to dig into storage tiers, and for purposes of our discussion here we're going to look at these side by side so you understand how they compare relative to one another. So with storage tiers we have hot, cool, cold and archive access tiers to store blob object data in a cost-effective way, and you can use a lifecycle management policy to automate your tiers. But where we want to focus is on their relative cost and performance. So we'll start with the cost to store data: it's going to be least expensive in archive, and then going upward in expense, cold, cool and hot. So when we're storing data that we'd like to access frequently with best performance, the storage is going to be most expensive in that hot tier. Now, when we talk about access cost, the reverse is true, because the assumption is, as we move from hot into cool, cold and archive, our need to access that data is going to be less and less over time, and that we will also be more flexible in the performance of that retrieval.

So let's take a look at these. Starting with archive: that's an offline tier optimized for storing data that is rarely accessed and has flexible latency requirements, on the order of hours. This is going to have the lowest storage cost but high access cost, and you're not going to get to it fast, right? That's what they mean by flexible latency. And then we have the cold tier, which is an online tier optimized for storing data that is rarely accessed or modified but still requires fast retrieval, so lower storage cost and higher access cost compared to the cool tier, which is an online tier optimized for storing data that is infrequently accessed or modified. So this has lower storage cost and higher access cost compared to the hot tier, which is an online tier optimized for storing data that is accessed or modified frequently: highest storage cost, lowest access cost. And remember that key differentiator about archive: it's offline, and it's also a tier with flexible latency requirements if we're using it, so we're not pulling that data back fast. And looking in the middle tiers there especially, you might ask yourself, when would I use cool versus cold? They look pretty similar, right? Well, there are a couple of things we can focus on, but one is the time of storage. So with archive, Microsoft says this data should be stored for a minimum of 180 days, so we're getting low storage cost with a longer commitment there, essentially. Cold should be stored a minimum of 90 days, cool stored a minimum of 30 days, and hot data is just what it sounds like: that data that we are accessing day to day, hour to hour, minute to minute and more frequently even.

Now let's talk through storage redundancy options, and there are four options you should definitely know for the exam. The first is LRS, locally redundant storage, which copies your data synchronously three times within a single physical location in the primary region. Then we have ZRS, zone-redundant storage, which copies your data synchronously across three Azure availability zones in the primary region, so that gives us the benefit of availability zones, some of that physical protection we talked about a bit earlier in the session. So with LRS and ZRS, redundancy is limited to the primary region only, so this is not going to help us in the case of a disaster that takes out a full Azure region, and that's where these next two options come into play. First there's geo-redundant storage, or GRS, which copies your data synchronously three times within a single physical location in the primary region using locally redundant storage, but then it copies it asynchronously to a single physical location in the secondary region, three copies again using LRS. So you've got three copies using LRS in the primary region and three more in a single physical location of the secondary region. And then we have GZRS, geo-zone-redundant storage, which copies your data synchronously three times within the primary region using ZRS, zone-redundant storage. So we're gaining the benefits of that secondary region, but we're also gaining the physical protections of availability zones within each of these regions. So with both GRS and GZRS our redundancy is extended to the secondary region, but it's that extra physical protection of the availability zones that makes a difference. So with GRS we're copying within a single physical location, whereas with GZRS we're copying within the primary region using zone-redundant storage, and that's why Microsoft recommends GZRS for apps requiring high availability.

We've covered a lot of ground related to storage here, which is why I'd like to give you a quick tour of Azure Storage security and redundancy features to lock this knowledge in for exam day. We'll navigate to the Azure portal, I'll click on Storage accounts over here in the menu on the left, and I'll create a new storage account so you get a sense of the configurable options in terms of security and redundancy. And for the basics, I'll select my subscription, give the storage account a name, choose the region where I'd like to deploy the storage account, select my level of performance, understanding that if I pick that Premium option over Standard, Premium is going to come at an additional cost but will definitely provide advantage for low-latency workloads like production databases, for example. And I can then choose my level of redundancy, and here I see those four options we looked at just a moment ago, and they're listed in increasing order of redundancy, beginning with locally redundant storage, on through geo-redundant, zone-redundant and then ultimately geo-zone-redundant storage.
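The redundancy choice and the 30/90/180-day tier minimums described above, as an added example that is not from the course: the same storage account created from the Az PowerShell module instead of the portal, with a lifecycle policy that walks blobs down the tiers as they age. The resource group, account name, region and blob prefix are placeholders, and the hardening switches correspond to the TLS, public access and infrastructure encryption settings toured in the portal.

```powershell
# Added example, not from the course. Requires the Az.Storage module and an
# existing Connect-AzAccount session. All names below are placeholders.
$rg       = 'rg-az900-demo'     # placeholder resource group (must already exist)
$account  = 'staz900demo01'     # placeholder account name: 3-24 lowercase letters/digits, globally unique
$location = 'eastus2'           # placeholder region

# Redundancy is chosen through the SKU: Standard_LRS, Standard_ZRS, Standard_GRS
# or Standard_GZRS. GZRS = three zone-synchronous copies in the primary region
# plus three asynchronous LRS copies in the paired secondary region.
# -MinimumTlsVersion, -AllowBlobPublicAccess and -PublicNetworkAccess are the
# Advanced/Networking settings from the portal tour; -RequireInfrastructureEncryption
# adds the second encryption layer ("double encryption") on top of the default
# encryption at rest.
New-AzStorageAccount -ResourceGroupName $rg -Name $account -Location $location `
    -SkuName 'Standard_GZRS' -Kind 'StorageV2' -AccessTier 'Hot' `
    -MinimumTlsVersion 'TLS1_2' `
    -AllowBlobPublicAccess $false `
    -PublicNetworkAccess 'Disabled' `
    -EnableHttpsTrafficOnly $true `
    -RequireInfrastructureEncryption

# Lifecycle management: tier blobs down as they age. The thresholds follow the
# minimum retention of each tier quoted in the course (cool 30 days, cold 90,
# archive 180) so a blob is never early-deleted from a tier it just entered.
# Each Add-... call appends one action to the same action set.
$action = Add-AzStorageAccountManagementPolicyAction `
    -BaseBlobAction TierToCool -DaysAfterModificationGreaterThan 30
$action = Add-AzStorageAccountManagementPolicyAction -InputObject $action `
    -BaseBlobAction TierToCold -DaysAfterModificationGreaterThan 90
$action = Add-AzStorageAccountManagementPolicyAction -InputObject $action `
    -BaseBlobAction TierToArchive -DaysAfterModificationGreaterThan 180
$action = Add-AzStorageAccountManagementPolicyAction -InputObject $action `
    -BaseBlobAction Delete -DaysAfterModificationGreaterThan 730

# Scope the rule to block blobs under a placeholder prefix so it cannot touch
# data elsewhere in the account.
$filter = New-AzStorageAccountManagementPolicyFilter -PrefixMatch 'logs/' -BlobType blockBlob
$rule   = New-AzStorageAccountManagementPolicyRule -Name 'age-out-logs' -Action $action -Filter $filter
Set-AzStorageAccountManagementPolicy -ResourceGroupName $rg -StorageAccountName $account -Rule $rule

# Check: confirm the redundancy SKU and the hardening settings took effect.
Get-AzStorageAccount -ResourceGroupName $rg -Name $account |
    Select-Object StorageAccountName, @{n = 'Sku'; e = { $_.Sku.Name }},
        MinimumTlsVersion, AllowBlobPublicAccess, PublicNetworkAccess
```

With public network access disabled, the account is reachable only through a private endpoint in a VNet, which is the pattern described in the networking section.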
And going to the Advanced tab here, I have a security section that lets me get all the way down to the TLS version that I require, and scrolling down here, some capability to configure the available protocols as well as the scope of access and copy operations. When I look at my networking, you notice by default here it says enable public access from all networks; I can bring this down to disabling public access and using private access. That would be via those private endpoints we talked about a bit earlier in this session. And looking down to network routing, I can configure whether or not traffic in and out of this storage account is routed across the Microsoft backbone or the internet. So, definitely capability to reduce my attack surface, my visibility, my privacy, and get a bit more control over performance. And then we'll go over to data protection, and here I can configure some recoverability features: point-in-time restore, some soft delete capabilities, so when I delete something it's actually available for recovery. I'll go over to the Encryption tab, and you'll see here I can choose whether I let Microsoft manage my keys or I manage the keys myself. In regulatory compliance scenarios we'll often see customers select that option to manage their own keys, in many cases because it's required for specific types of sensitive data. And you even see an infrastructure encryption option here, which encrypts the storage account data not only at rest but adds a second layer of encryption to your storage account's data. In Azure, all of your storage accounts are encrypted by default; this is really what we call double encryption, more or less. And that's a quick look, certainly more than you'll need for the exam, but a lot of configurability there in terms of redundancy, security and recoverability.

Now we're going to talk through some file movement and data migration options, so the focus here is largely Azure Storage. And the first tool is AzCopy. This is a command-line utility you can use to copy blobs or files to and from your storage account. And then we have Azure Storage Explorer; this is a standalone app that provides a graphical interface to manage files and blobs in your Azure storage account. However, it does support file and blob upload, download, or moving files between accounts. So as you can see, AzCopy is a bit more focused and perhaps more suitable for certain automation, code or scripting scenarios. And finally we have Azure File Sync, which is a tool that lets you centralize your file shares in Azure Files and keep the flexibility, performance and compatibility of a Windows file server, really supporting familiar functionality in a new place. And once installed on a local Windows Server, it will automatically stay bidirectionally synced with your files in Azure, thus the name "sync". And I've called out the key aspects of each of these tools, as you see here, to help you identify or eliminate each as an answer for an exam question.

Next up we have Azure migration options, beginning with Azure Migrate. So Microsoft calls this a service that provides simplified migration, modernization and optimization for Azure. It includes all pre-migration steps like discovery of your workloads, assessment of the workloads, right-sizing the services in Azure you're moving the workloads to. But Azure Migrate applies to more than just storage; it's a hub of services and tools designed to detect, analyze and facilitate the migration of any type of workload to Azure. And finally we have Azure Data Box, which is a cloud solution that lets you send terabytes of data into and out of Azure in a quick, inexpensive and reliable way. Essentially, Microsoft sends customers a proprietary Data Box storage device. This is going to be ideally suited for transfer of data sizes larger than 40 terabytes, especially in scenarios with limited or no network connectivity.

And that brings us to 2.4, describe Azure identity, access and
security. Topics in 2.4 include describe directory services in Azure, including Microsoft Entra ID and Microsoft Entra Domain Services; describe authentication methods in Azure, including single sign-on, multifactor authentication and passwordless; describe external identities in Azure, including business-to-business and business-to-consumer, or B2B and B2C for short; describe conditional access in Entra ID, role-based access control, zero trust, defense in depth and Microsoft Defender for Cloud. Now, in this list, zero trust is a concept, not a Microsoft product, and defense in depth is a model that supports zero trust, again a widely used model, not a Microsoft product. And if you're not familiar with the name Entra ID, that's the rename of Azure AD, simply a rebranding that happened some time ago. And again you see the "describe" verb throughout: no expectation of hands-on experience here, it's all about knowledge of the concept or knowledge of the purpose or function of a specific service or solution.

So let's dig into identity and access. We'll start with AuthN and AuthZ. So AuthN is short for authentication; this is the process of proving that you are who you say you are. And then there's authorization, or AuthZ; this is the act of granting an authenticated party permission to do something. So in the world of identity and access, authentication is proving your identity and then authorization is the granting of access.

Next we have Entra ID, which is Microsoft's cloud-based identity and access management service that helps your employees sign in and access resources, including internal resources like apps on your corporate network or custom cloud apps, but also external resources like Microsoft 365, the Azure portal and many SaaS apps, and not just Microsoft SaaS apps but third parties that support Entra ID for identity and access management. Now, in case you don't have exposure, I want to show you Entra ID. I'll take you on a quick tour of the user and group functions there so you have a sense of what functionality is available in Entra ID even if you don't have hands-on experience.

We'll navigate to the Microsoft Entra admin center at entra.microsoft.com, and under Identity I will find both Users and Groups. So we'll start with a quick look at Users, and I'm presented with the full list of users in my directory. See, I have access to some simple operations at the top level here: I can look at the sign-in logs for one or more users, I can perform password resets from right here, and you'll see a bulk operations option here which allows me to perform operations on many users at once from a file. So if I drill down into the properties of a specific user here, you see I have some of those same menu items around logs and so forth. I can look at the assigned roles for this user in my Entra tenant here, and if I click on Add assignments you'll see I have a list of all the roles that will bestow permissions onto this user, and for each role there is a description that tells me clearly what permissions that role would bestow. I can add a user to groups, and we'll talk about groups in just a moment, and you'll see here licensing as well. But I have full visibility into my user, and I can configure all the details of this user's experience in my Entra ID tenant here, including getting into organizationally specific information. So I can add job information, I can put my org chart in here, so who does Adele in this case report to, contact info, and you even see parental controls, which can be handy in scenarios where minors are using Entra ID, as would be the case in the education space.

So let's move over to Groups, and there's really advanced group functionality in Entra ID. And when I create groups, I can create a security group or what we call a Microsoft 365 group, which I can use for security functions but it automatically creates some additional resources to facilitate easy collaboration, so that Microsoft 365 group type automatically creates some site and team information, providing a basic set of collaboration resources for all the members of this group. And when I say advanced functionality, you'll notice down here I can manually assign users to this group with the Assigned membership type, or I can make this a dynamic group, where I automatically populate the group based on certain properties of my users, or properties of my devices if I'm creating a device group. And you'll even notice that I can assign Microsoft Entra roles to this group, so users who are members of this group would then automatically be assigned the permissions bestowed by one or more Entra roles. Tremendous amount of capability here; we could go on for hours, but that gives you a basic idea and a bit more than you even need to know for the exam.

And the syllabus calls out authentication methods in Azure; specifically, we see single sign-on, MFA and conditional access called out. So starting with single sign-on: single sign-on simply means a user doesn't have to sign into every application they use. The user logs in once and that credential is used and reused for multiple apps. Single sign-on-based authentication systems are often called modern authentication. Next we have multifactor authentication, or MFA for short. MFA in Entra ID works by requiring two or more of the following authentication methods: something you know, like a PIN or a password; something you have, like a trusted device such as your mobile phone, and we'll talk about how Microsoft helps us leverage that smartphone in a moment; and then something you are, biometric authentication like your thumbprint or Face ID.

So let's go a bit deeper on those authentication methods. So at the most basic level we have the password. When we think about multifactor authentication, then we have a second factor such as SMS or even voice verification. SMS is considered to be amongst the weakest second factors and is not recommended, so Microsoft offers other additional factors such as the Microsoft Authenticator app as well as support for software and
hardware OATH tokens. Let's dig into both of these a bit further. So the Microsoft Authenticator app can actually be used as a primary form of authentication to sign into any Entra ID account. It can also be used as an additional verification, a secondary or additional authentication factor, during self-service password reset or Entra ID MFA events. Now, to use the Microsoft Authenticator, a user has to download the phone app and register their Entra ID account. That app is available for both Android and iOS. But when I say additional verification, we're talking about a second factor of authentication in an MFA sequence.

Now, what is an OATH token and how does it work? OATH, or Open Authentication, is an open standard that specifies how time-based one-time password codes are generated. Software OATH tokens are typically applications; Entra ID generates the secret key, or seed, that's input into the app and used to generate each one-time password. A good example of a software OATH token is the Microsoft Authenticator app, which will generate that code, that numeric code, that rolls over every few seconds. And then we have hardware OATH tokens, which are small hardware devices that look like a key fob that displays a code that refreshes every 30 or 60 seconds, with the secret key or seed pre-programmed.

And continuing on with our authentication methods, we then have passwordless, which can be implemented with Windows Hello, the Microsoft Authenticator app or a FIDO2 security key. And we've talked about that Authenticator app, so let's have a look at FIDO2 and talk about how this works. Now, FIDO2 uses public key, or asymmetric, cryptography for user authentication; that's a public/private key pair. The user has a physical device that works via USB or NFC, and in the authentication sequence the user provides their username, there's a cryptographic challenge which they answer using their FIDO2 key, the service then verifies the response and grants access. I do see FIDO2 out there in the real world, although the Authenticator app is much more common simply because it's Microsoft native; everybody has it on that smartphone, so it is and will continue to be pervasive.

And our other passwordless option is Windows Hello, Windows Hello for Business as it's called in the workplace, and this is an authentication feature built into Windows 10. It replaces passwords with strong two-factor authentication on PCs and mobile devices. It allows users to authenticate with a Microsoft account, an Active Directory account, an Entra ID identity, identity provider services or relying party services that support Fast IDentity Online, FIDO v2. So if you're leveraging FIDO2, you can integrate that as a component of Windows Hello. And there are two flavors of Windows Hello: there's Windows Hello for personal devices, which uses a PIN or biometric gesture, and Hello for Business, which leverages key-based or certificate-based authentication. But remember, Windows Hello replaces passwords, so it is thus passwordless.

And continuing just a bit further with Windows Hello, understand the problems that it solves for the exam. Strong passwords can be difficult to remember; we've all had passwords that are so long that we're tempted to write them down, for example. Server breaches can expose symmetric network credentials (passwords). Passwords are subject to replay attack, something we very commonly see attempted in the Kerberos world with Active Directory, the replay attack. And users can inadvertently expose their passwords due to phishing attacks. Windows Hello is going to solve for all of these.

Now let's revisit that table of our multifactor authentication methods and rate these based on quality. We know password alone is bad. We talked about SMS and voice as a second factor, with the note that SMS is not recommended; it's the weakest of the options. Better would be the Authenticator app and the software and hardware OATH tokens, and best would be going full passwordless: the best password is no password at all. And if you look at these methods in terms of their strength and security, Windows Hello, the Authenticator app and FIDO2 give us high security, high usability, high availability; that's where we're leveraging the passwordless approach. And when we look at the OATH tokens and SMS and voice as our secondary factor, the security is going to be a bit less, and usability and availability a bit less as well. You don't need to memorize this table; I just wanted to give you a sense of the relative quality and security of these approaches, and of course password gives us the lowest in security.

Now we'll shift gears and talk about external identities, starting with B2B collaboration. This enables external users to use their preferred identity to sign into Microsoft or other enterprise applications, whether those are SaaS apps or custom-developed apps for an organization, and the B2B capability in Entra does support both Entra ID and social identities. Then we have B2B direct connect, which establishes a two-way mutual trust with another Entra ID organization for seamless collaboration. So this allows a user to use the Entra ID from their own organization rather than a guest identity in the remote or partner organization. It's useful for heavy daily collaboration with close business partners; when it's a close business partner where we're on Teams together day to day and we don't have to switch tenants to use that guest ID, it's a major win in terms of convenience and productivity. It supports multiple two-way trusts, so this seamless collaboration can be configured to work between more than just two Entra ID organizations. And then there's business-to-consumer, or B2C, capability, which allows an organization to publish modern SaaS apps or custom-developed apps to consumers and customers while using Entra ID B2C for identity and access management. This was called Azure AD B2C when we had Azure Active Directory before the rebranding; the Entra equivalent is still in preview as of late, very late, 2023. The branding is less important than understanding
that there's a B2C component here for business-to-consumer scenarios. It supports Entra ID and social identities, and in a B2C scenario you can imagine customers would be very happy to bring their social identities, like many of us do every day, to SaaS applications, whether that's a Microsoft identity, an Apple identity, a Google identity. Then we have Entra ID multi-tenant organization, where we can collaborate with multiple tenants in a single Entra ID organization via cross-tenant synchronization. This is useful for conglomerates, mergers and acquisitions, multicloud environments, organizations that have department-created tenants, test and staging tenants, where you need that permanent relationship for ease of use in a multi-tenant environment, really going beyond the B2B collaboration that we talked about in the previous scenario.

And a powerful component in our access management strategy is conditional access in Entra ID, which is used to bring signals together to make decisions and enforce organizational policies based on the criteria around authentication and access requests. So, to visualize that, conditional access will look at the signals, which would be the user, the user's location, are they coming from a managed device, using an approved application, are there any risk indicators around that user (there's a risk component in Entra ID called Identity Protection). Anyway, those signals are verified on every access attempt, and conditional access then makes a decision to allow access, to block access, or perhaps require a second factor, multifactor authentication, depending on how we have configured the conditional access policy. And if the request meets all the criteria of our policy, the user then gains access to apps and data. Very powerful feature; you'll use it every week of your life if you become an administrator who works with Entra ID. I'll actually give you a quick tour of conditional access in just a moment.

Let's talk for a moment about Azure RBAC. RBAC, incidentally, stands for role-based access control, and Azure RBAC helps you manage who has access to Azure resources, what they can do with those resources, and which resource areas they have access to. It's built on Azure Resource Manager, and it provides fine-grained access management of Azure resources; it's one element of implementing least privilege. But flashing back to the hierarchy, we can grant permissions, role-based access control, from the very highest level of the hierarchy all the way down to an individual resource if we so desire: resource types, resource types in a specific subscription. That's why they call it fine-grained access control.

You need to be familiar with zero trust for the exam, so we'll start with the three principles of zero trust, which include: verify explicitly, so we always authenticate and authorize based on all available data points, and when I say data points, think back to the signals we talked about in conditional access; use least privilege access, so we limit user access with just-in-time and just-enough access, with risk-based adaptive policies and data protection; and our third principle is assume breach: we segment our network and access to minimize the blast radius in the event of a breach. If we think about that from an application perspective, if I only allow my front-end application servers to get to the backend databases on the network and I block other subnets, I'm segmenting my network in a way that minimizes the risk to my business, meaning if an end-user workstation is compromised I'm reducing the risk to my business-critical assets, my data. And verify end-to-end encryption, and use analytics to get visibility, drive threat protection and improve defenses. We're going to look at zero trust through a couple of different lenses together to make sure you're comfortable for the exam.

And next I want to compare zero trust to the traditional architecture, which involved a network security perimeter that surrounded an organization; essentially everything outside the perimeter was untrusted but everything inside that network perimeter was more or less trusted by default. Compare that to zero trust architecture, which is security based on identity, not the perimeter, on the signals for our devices, for our cloud services; there's no assumption of trust here. Essentially, in traditional architecture we take more of a trust-but-verify approach, and in zero trust we must prove everything: identity, trusted device that is also healthy and compliant, cloud services that are authorized by our organization, that user risk based on recent activities is within our reasonable limits. So in zero trust we're looking at an array of aspects: strong authentication and authorization around identity, but also network segmentation in the hybrid cloud model that's so pervasive today, making sure that we minimize the blast radius; an approach for personal devices; standards for how we control access of our vendors and contractors who need to work with our sensitive resources; a mobile device management strategy; a process for approving, for authorizing, applications that are suitable for business use; and implementing data security and enabling our employees to work remotely. The work-from-home model is very common today, but trust must be earned at every step, compliance must be proven. So for the exam, remember: with zero trust, no entity is trusted by default, and it's based on the three principles of assume breach, verify explicitly and least privilege access, all of which you should remember for the exam.

And I want to take just a minute to give you some practical, easy-to-remember guidance on zero trust around identities, devices, apps, data, infrastructure and network. So with identity: identity should be explicitly verified with strong authentication using all available data points; again, think the signals we talked about in conditional access. Users should be granted least privilege access. But strong authentication and least privilege access: common sense, easy-to-remember guidance, right? Devices should be monitored for health and compliance and updated when necessary: Windows is patched, our mobile devices have a recent version of Android and iOS, they're compliant with any corporate policies we're monitoring for. Only approved apps should be allowed to access company data, and application permissions should be managed. Our company data should be classified, labeled and encrypted based on its attributes, both at rest and in motion. And our infrastructure version, configuration and access should be managed; telemetry should be used to detect anomalous activity, unusual activity that may be indicative of attack. And networks should be segmented to limit data access and reduce threat exposure, reducing the blast radius, as I phrased that earlier, and real-time threat protection, end-to-end encryption, monitoring and analytics should be employed to make sure that we're identifying and responding to threats in real time in a largely automated fashion. That's where next-generation firewalls like Azure Firewall and intrusion prevention are going to be helpful.

But notice the layered approach, the defense in depth, that's present in zero trust security: we're layering security in across our identities, devices, apps, data, infrastructure and our network. We don't have to catch those attacks at every layer, just before it becomes a breach. And again, defense in depth: a layered approach that does not rely on any one method to completely protect our environment, again just a concept, not a product. To look at it another way, visually, if data, sensitive data, is our important business asset, we have application security, only allowing authorized applications to access our data and managing the access to those applications, making sure that our devices are managed and compliant, our network is segmented and secured; we still have that perimeter defense with a firewall, but we have an identity-focused approach that is using strong authentication and authorization on every request, and
appropriate physical security where physical security is our responsibility, such as at our own office and data center facilities.

Before we get too far away from it, I want to give you a quick tour of conditional access and Entra ID so you can get a look at how we can bring all of these elements together in a single policy to enforce secure, appropriately limited resource access. We'll browse to the Microsoft Entra admin center at entra.microsoft.com, and under the Protection menu I'll find Conditional Access and then Policies, where I can see my existing conditional access policies or create new ones. I'll click into an existing policy here just so you can get a sense of some of the configurable parameters around the conditions of access. For example, I can configure which users this will apply to, ranging from specific users and groups to all users, and even if I select all users I have the option to exclude users. Typically we would exclude our emergency access accounts, so if we have a problem with a conditional access policy we don't accidentally lock ourselves out. I can configure the resource I'm protecting; in this case it's Exchange Online. And then I can configure the conditions of access. So if I'm using Identity Protection in Entra ID, I can configure differing behavior based on risk; for example, here I can say that I want to enforce this policy in high-risk scenarios. If I have a user that's been showing risky behavior or risky sign-ins, I can set the level that I'm comfortable with. Then when it comes to device platforms, you'll see I can configure this to enforce the policy settings on specific device platforms. Maybe I only want to do this in Windows or macOS scenarios, or maybe only mobile scenarios; full flexibility there to configure that behavior. And I can configure locations so the policy behaves differently based on the location of the user. It's quite common that we'll configure conditional access policies so that when a user is logging in from a known location, a corporate office, with a trusted, managed device that is compliant and healthy, we won't apply a second factor of authentication every time. You'll notice here I can configure all the trusted locations, and I can exclude certain locations if I wish; maybe I have branch offices where contractors come in and I'd like to configure behavior differently there. And my client apps: in this case, for Exchange Online requiring a compliant device, you'll notice that I'm enforcing this behavior whether they're accessing Exchange from a browser, a mobile app, or a desktop client. Then I can go down here to my access controls and configure this behavior. So I want to grant access, but I'm requiring that the device be marked as compliant, which means it's managed and healthy. You'll notice I have multiple settings here: I could require MFA, I can require a certain strength of authentication, I can require that the device is hybrid joined, and you'll notice that I have the option to flip the switch to require all of the controls I select or any one of these, depending on my use case. Really powerful functionality for controlling access to our sensitive resources.

To round out domain 2, I want to touch on Microsoft Defender for Cloud. This is a unified infrastructure security management system that strengthens the security posture of your cloud and on-premises data centers. Some of that comes for free; some does come in a premium tier. It provides security guidance for compute, data, network, storage, app, and other cloud services, and it includes support for both Azure and on-premises workloads, as I mentioned, but also other public clouds like AWS and Google Cloud Platform. So the key takeaways here in terms of infrastructure and support: cloud, on-prem data centers, compute, data, network, storage, app, and it is multicloud capable. And to ensure you really have a good handle on what Defender for Cloud is capable of for exam day, I'm going to take you on a quick tour of Microsoft Defender for Cloud. I'll
browse over to the Azure portal, and here I can search for or click on Microsoft Defender for Cloud, which brings me to my Defender for Cloud homepage. You'll notice here I have a menu with all of the offerings, and when I get to the Cloud security category you see Security posture, Regulatory compliance, Data security; I can work with Azure Firewall Manager from here as well as my DevOps security. Now if I pop over here to these cards, you'll notice Security posture shows not only Azure but AWS and Google Cloud Platform, so I can monitor resources in a multicloud configuration if I like, and incidentally in your on-premises data center as well if you're a hybrid cloud organization. This comes with a free and a standard tier, and even in the free tier we're going to get a lot of functionality with minimal effort just by enabling Defender for Cloud. You'll notice here that it's assessed over 100 resources in my lab; it has active recommendations giving me guidance on improvements I can make to better secure my environment. And you'll notice here Regulatory compliance; in fact, if I click here you'll see under Compliance offerings the full range of compliance offerings for which Defender for Cloud can help us to monitor our compliance. You see popular offerings in here like HIPAA and HITRUST if you're healthcare related here in the States, many ISO standards, PCI DSS, which is for credit card processors, and the SOC audits, which are commonly used by large-scale service providers to demonstrate compliance for security for their customers. Down the other axis here you'll see the Azure services and their compliance as it relates to these standards. If I just go back here, we'll take a look at Workload protections, and if we click into here there's definitely some advanced functionality here that will require a bit of configuration and in some cases a move to the standard tier, but you'll notice here that we can monitor a range of workloads in Azure, not just my servers: my databases, my PaaS components like App Service, the storage tier, my Key Vault instances, containers, my network, file integrity monitoring. I can configure just-in-time VM access, so more granular least privilege. So a lot of monitoring functionality here in Defender for Cloud. That's everything you'll need for exam day and then some, so we'll leave it right there for now, and that's a wrap for domain 2.

So we'll move on to domain 3, which is describe Azure management and governance. In domain 3 we'll talk through cost management in Azure, features and tools in Azure for governance and compliance, features and tools for managing and deploying Azure resources, and monitoring tools in Azure, again noticing that describe is the verb in every case. So in 3.1 we'll take a look at factors that can affect costs in Azure, we'll compare the pricing calculator with the total cost of ownership calculator to understand the use case for each, and we'll look at the cost management capabilities in Azure and the purpose of tags.

So let's start with potential cost impacts. There are several factors that can affect Azure cost, including resource types, services, locations, and our network ingress and egress traffic and our specific needs for managing that traffic. In terms of reducing cost, we can look at reserved instances, reserved capacity, the hybrid use benefit, and spot pricing. Now I want to take you through each of these so you can understand the differences and the service types to which they apply. So we'll start with reserved instances, which reserve virtual machines in advance and save up to 72% compared to pay-as-you-go pricing with a one-year or a three-year commitment. So essentially you'll get some savings with a one-year commitment; you'll get greater savings with a three-year commitment. Then we have reserved capacity, in which we can achieve significant savings on Azure SQL Database, Cosmos DB, Synapse Analytics, and Azure Cache for Redis. The discount is product-specific, and notice that VMs
aren't mentioned here. Basically, it enables us to more easily manage cost across both predictable and variable workloads and helps optimize our budgeting and forecasting. Like reserved instances, reserved capacity also includes one-year and three-year options, and the same premise applies to those options: you save a certain amount with a one-year option; you'll save more with the three-year option. You're making a commitment. Next we have the hybrid use benefit, which is a licensing benefit that helps you to significantly reduce the cost of running your workloads in the cloud. More specifically, it lets you use your on-premises Software Assurance-enabled Windows Server and SQL Server licenses on Azure. In fact, it applies to licenses for Windows Server, SQL Server, Red Hat, and SUSE Linux, but the key qualifier here is Software Assurance-enabled. When you buy those licenses, the Software Assurance is an additional cost. Software Assurance protection gives you some new product version rights, some support rights, and some license mobility rights, such as leveraging that license in Azure. And then, finally, we have spot pricing, which gives us access to unused Azure compute capacity at deep discounts, up to 90% compared to pay-as-you-go prices. But because it's leveraging unused Azure compute capacity, should that capacity become necessary for a production workload for someone paying for it, prepare to have your workload interrupted. So spot pricing is going to be great for workloads that can be interrupted without harm, non-mission-critical work of any variety, but note this really only applies to Azure VMs. So reserved instances, the hybrid use benefit, and spot pricing apply to VMs; reserved capacity applies to those other services I mentioned, all PaaS services.

On the subject of planning and managing cost, we're going to shift our focus to tools that can help us in planning and managing cost, beginning with the pricing calculator. This is an interactive calculator that allows you to estimate expected monthly Azure costs. You can choose regions, services, options, SKUs. If I'm picking a virtual machine, for example, I can tell the calculator I'd like to deploy this in the US Central region, I'd like to have premium storage, I'd like this VM SKU, and if I'd like multiple instances I can tell it how many instances of that service and that configuration I need. Hit the button, and the pricing calculator gives me a cost. So naturally this is a tool you would use before you deploy. Next we have the total cost of ownership calculator, which is a tool that helps estimate cost savings you can achieve by migrating application workloads to Azure, and that's the key differentiator: saving costs by migrating our on-premises application workloads to Azure. It allows you to compare the TCO of different Azure services and regions and provides a detailed breakdown of cost components and potential savings, and it's the potential savings that tips you off that this is a tool you would use before deployment. So the pricing calculator and the TCO calculator really fall into the planning area. Then we have our last option here, which is Azure Cost Management. This is a suite of tools provided by Microsoft that help you analyze, manage, and optimize the cost of your workloads. We're really talking about running workloads here, so this is a tool you use after deployment to optimize costs; this falls more into the managing cost category.

To wrap up section 3.1, let's talk about the function of Azure tags. A tag is a name and value pair used to logically organize Azure resources, resource groups, and subscriptions into a logical taxonomy. A taxonomy in this case is a way of classifying or grouping or sorting something. So tags can be used on the basis of applying business policies or tracking costs. You can also enforce tagging rules with Azure policies, even preventing resources from being deployed if they are not properly tagged. Examples of common tags might include owner, cost
center, the application or service, the environment (you know, is it dev, test, prod), or you could tag it with an SLA. That's a wrap on section 3.1, which brings us to 3.2, describe features and tools in Azure for governance and compliance. This is a quick one. Here we'll talk about the purpose of Microsoft Purview in Azure, the purpose of Azure Policy, and the function of resource locks. We'll begin with Microsoft Purview. Purview is a unified data governance service that helps organizations manage and govern their on-premises, multicloud, and SaaS data. It automates data discovery by providing data scanning and classification for assets across the organization's data estate. So whether that's on-prem, in Azure, in another cloud, or in a SaaS app, Purview can get its hooks into many different areas to help us to identify, classify, and secure our data. That's really about as much as you need to know for the exam.

So moving on, let's talk about the basics of Azure governance. Specifically, I want to dig into Azure Policy. We'll talk about the difference between a policy, an initiative, and a blueprint. You can really expect the focus to be on policy, but I like to call out all three just in case you get some mention in the exam. A policy is a definition of the conditions you want to control or govern in Azure. An initiative is a collection of Azure Policy definitions that are grouped together toward a specific goal. So a policy is really about enforcing your will, if that's putting guardrails on virtual machine deployment, for example, to only allow certain VM SKUs and only in certain regions. But you can imagine that in many cases I probably have multiple policies I want to apply for multiple settings around a deployment scenario, and that's where an initiative can come in handy: I can collect those policy definitions into a container of sorts. Then we have an Azure blueprint, which is a container for composing sets of standards, patterns, and requirements for implementing Azure cloud services, security, and design. When we hear of blueprint, it's almost always in the context of a new environment. The fundamental difference between Azure Policy and an Azure blueprint is that Azure Policy governs Azure resources, while the blueprint is used to deploy and govern specific solutions comprised of multiple Azure resources. For blueprint, though, look for that phrase "new environments" in the question. Resource locks prevent other users in your organization from accidentally deleting or modifying critical resources. The lock overrides any permissions the user might have. For example, if we have a critical Azure file share out there, even if an administrator has permission to delete that file share, a lock would prevent them from doing so. It's a great way to prevent accidents in production.

That brings us to section 3.3, describe features and tools for managing and deploying Azure resources. The focus here ranges from UI-based deployment to the command line to fully automated DevOps-type approaches. We'll take a look at the Azure portal, we'll touch on the Azure Cloud Shell, including both the Azure CLI and Azure PowerShell capability, we'll talk about the purpose of Azure Arc, and we'll look at infrastructure as code as well as Azure Resource Manager, or ARM for short, and ARM templates. There are several options for interacting with Azure. They include the Azure portal, Azure Cloud Shell, Azure PowerShell, the Azure mobile app, and the Azure CLI. So beginning with the Azure portal: this is a web-based unified console where you can manage your Azure subscriptions using a graphical UI, pretty straightforward. Then we have the Azure Cloud Shell. This is an interactive, authenticated, browser-accessible shell for managing Azure resources. It's really interesting: it's a browser-integrated command line interface, and it comes in Bash and PowerShell flavors. I'm actually going to demo this for you hands-on here in just a minute so you really get a sense of what I'm talking about there; better seen than simply heard. And then
we have Azure PowerShell. This is a set of cmdlets for managing Azure resources directly from the PowerShell command line, and Microsoft provides Azure-specific modules and cmdlets. Next we have the Azure mobile app for iOS and Android, which enables managing, tracking health and status, and troubleshooting your Azure resources from a mobile device like a phone; really optimized for the phone. And then the Azure CLI, the Azure command line interface, a set of commands used to create and manage Azure resources. To give you a sense of its full capabilities, I'm going to give you a quick tour of the Azure Cloud Shell. So I'll navigate over to the Azure portal at portal.azure.com, and to launch the Cloud Shell I'll simply click on the little PowerShell icon up here; it's actually a Cloud Shell icon. You'll notice that the Cloud Shell comes up at the bottom of my screen. The first time you click on that Cloud Shell, it's going to take you through the process of setting up a storage account to store any assets related to your Cloud Shell interactions, but you'll notice I can still interact with the Azure portal up here in the pane above. If we look down here at the toolbar on the Cloud Shell, I can stretch this up if I like; it's going to resize my window automatically. I do tend to like a larger window when I'm interacting. You notice here it says Bash. I'm a big Azure CLI user; that's going to be the Bash interface of Cloud Shell. But if you're a PowerShell user, you can simply change that over to PowerShell. It's going to confirm and switch me over to a PowerShell interface already connected to my Azure subscription with my Entra ID, so everything's done there, and you'll notice there's some automated logging there, some notifications that come to you. Now I can simply use PowerShell as I normally would, so I can type Get-Command, for example, and if I'd like to see everything related to Azure I could just type *Azure*, using the asterisk there, and I've got a nice list of all the cmdlets I can work with. So even if I'm not fully familiar with Azure PowerShell, it's really easy to get in here and get started, and I can shut it off with the power button right there to restart the Cloud Shell. So that's all there is to it.

You will definitely want to be familiar with Azure Resource Manager on exam day. Now, what is Azure Resource Manager? It's the deployment and management service for Azure. It provides a management layer that enables you to create, update, and delete resources in your Azure account. A common artifact we use when deploying with ARM is the ARM template. This is a JSON file that defines the infrastructure and configuration for your project. The templates use declarative syntax, and they're idempotent, which means you can deploy many times and get the same resources and the same state. So let's clarify those two terms, because they're very important in the world of DevOps and automated deployment. There's declarative, which means that instead of defining the exact steps to be executed, the ultimate state of the environment is defined. So the ARM template would declare we need four virtual machines, they need to be deployed and attached to the production application subnet, they need to have public IP addresses, and they need to be created with a specific VM SKU. So essentially in the template we say what it is we'd like to deploy, and we let ARM, we let the management service, worry about how. The other key characteristic of the ARM deployment methodology and the ARM template is that the deployment is idempotent, which means you can deploy many times and get the same resources and state. So for example, in that deployment of four virtual machines, if I were to go back and delete two of those VMs and then run another deployment with the same ARM template, it would create two VMs to replace the two that I deleted, and if I ran the deployment yet again and it saw that there were already four VMs, it would deploy nothing. It's going to make sure that whatever end
result I have declared in the ARM template is in fact present in the environment. ARM templates are used in deployment automation and infrastructure as code.

Then we have Azure Arc, which is a platform that extends Azure services to run applications across data center, edge, and multicloud environments. So whether it's on-premises, colo, an edge compute scenario, AWS, or Google Cloud Platform, Arc is providing a consistent development, operations, and security model to run applications on both new and existing hardware. It simplifies governance and management because it's giving us a consistent multicloud and on-premises management platform, a unified approach, a single pane of glass, if you will, for deployment across all of these environments, all of these platforms. To say it another way, Arc extends ARM capabilities to Linux and Windows servers as well as Kubernetes clusters on any infrastructure across on-premises, multicloud, and the edge. And when I say extends ARM capabilities: we talked about Azure Resource Manager, ARM, being that management service that facilitates deployment, and the ARM template as an artifact we can use to automate deployment in a declarative and idempotent way. We can use those templates outside of Azure, so pretty exciting capabilities, but remember it extends Azure services to data center, edge, and multicloud environments. I think we have all of the key phraseology and functionality here that should have you ready for anything you encounter with regards to Arc on exam day.

Then we have infrastructure as code, which is the management of infrastructure, be that networks, VMs, load balancers, connectivity, described in code. So just as the same source code generates the same binary code, the infrastructure as code model results in the same environment every time it's applied. Infrastructure as code is a key DevOps practice, and it's used in conjunction with what we call CI/CD, which is continuous integration and continuous delivery, or sometimes called continuous deployment. So with infrastructure as code we'll automate deployment, and what we call a deployment pipeline will often use artifacts like ARM templates. As you learn more about Azure, you'll want to get comfortable with infrastructure as code, CI/CD, DevOps, and DevSecOps, which are really part of daily life in the cloud.

That brings us to the final chapter, section 3.4, describe monitoring tools in Azure. Here we'll take a look at Azure Advisor, Azure Service Health, Azure Monitor (including Log Analytics, which is the back-end data store of Azure Monitor), Azure Monitor alerts, and Application Insights. So let's start with Azure Advisor, which scans your Azure configuration and recommends changes to optimize deployments, increase security, and save you money; really a built-in assistant of sorts designed to help you do things a bit better in Azure. It analyzes the configuration of the resources deployed in Azure subscriptions. It's looking at high availability, it's looking at security, performance, and cost to try to give you options for optimizing in any of these areas. Next we have Azure Monitor, which is a service that collects monitoring telemetry from a variety of on-premises and Azure sources and allows us to monitor resources like an app, VMs, our guest operating system, containers, databases, security, and network events, and we can deploy an agent that allows us to leverage Azure Monitor not just in Azure and on-prem but also in multicloud scenarios, so I could monitor VMs in AWS or Google Cloud Platform, for example. Azure Monitor aggregates and stores this telemetry in an Azure Log Analytics instance; that's the back-end data store. We'll actually take a look at Log Analytics here in just a moment. Next up we have Azure Monitor alerts. Alerts are a proactive way to detect and address issues before they become critical problems. You can create alerts on any metric or log data source in the Azure Monitor data platform. There are a number of alert types: you've got metric alerts,
which would work on performance metrics, log alerts, activity alerts, alerts around service and resource health, you can integrate with Prometheus, and smart detection alerts, the one that is not exactly self-explanatory in that list, which use machine learning to detect anomalies in your application and notify you of issues. I don't expect that for this exam you need to know the types of alerts; really focus on the fact that Azure Monitor alerts are a proactive way to detect issues, and you really have three responses here: you can view alerts in the portal, you can send notifications such as through email, or you can initiate automated responses, and your automated responses would include Azure Functions or runbooks in Azure Automation. Next up is Application Insights, which is an extension of Azure Monitor that provides application performance monitoring features, frequently abbreviated as APM. APM focuses on availability, performance, and usage of your web applications. We generally see the use of APM focused on mission-critical, production, customer-facing applications. It enables proactive understanding of app performance and reactive review of app execution to determine root cause. It really allows us to examine our application performance at a code level, so a properly instrumented application in an APM scenario is going to allow us not only to identify where the fault took place but to really get down to the root cause at a code level. And last but not least, we have Azure Service Health, which notifies you about Azure service incidents and planned maintenance so you can take action to mitigate downtime. So Azure Service Health is really monitoring the services that Microsoft brings to you as part of Azure.

Before we wrap up here, I want to give you a brief introduction to Azure Log Analytics, the back-end data store for Azure Monitor and many other services in Azure. So I'll navigate to the Azure portal at portal.azure.com, I log in with my Entra ID, and I click on Log Analytics, or search for it if I don't see it on my home screen here, and that will bring me to a Log Analytics instance, or multiple instances. Now, I mentioned this is a back-end database, and the easiest way for me to demonstrate that for you is to look at the Tables menu here under Settings, where you can see the tables that are included in this Log Analytics workspace. Nothing you need to know for the exam, but I just wanted to make a tangible example for you. If I look at Edit schema, I can see the columns that exist in that table, so it just gives you a sense that this feels a bit like a SQL database, although it is architecturally different. The query language of Log Analytics is Kusto, or KQL, Kusto Query Language. If I go to Logs, what I'll see are an array of sample queries, and you'll see those queries here organized based on the tooling or service that we're working with, like Azure Monitor, if we're working on an audit function, if we're working with containers, databases, etc. What we get here are sample queries that give us a head start, and this is particularly handy if you're not already familiar with Kusto. If I just load that into the editor, you can get a sense of the query language here, and you see the comments up here with the double forward slash, not unlike some programming languages. KQL is to Log Analytics as Transact-SQL, or T-SQL, is to Microsoft SQL databases. What you will find throughout Azure is that Microsoft makes it very easy for you to send data into Log Analytics workspaces, into a central location, so you can then work with it in whatever context is appropriate. A lot of functionality here; what you need to remember for the exam is that this is effectively a centralized back-end data store used for a variety of services across infrastructure, applications, and security.

As we wrap things up, do remember to take a look at the free practice questions; the quiz is linked in the video description. If you can pass my practice quiz, you will ace the real exam. Congratulations, you've reached the end of the AZ-900 exam cram. I hope you're getting value out of sessions like this. If you have any questions as you're coming up to game day, definitely reach out here in the comments or directly on LinkedIn. Good luck on your exam, and until next time, take care and stay safe.
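An added example, not from the video or from Microsoft: a simplified Python model of how the conditional access policy walked through in the Entra ID tour above combines its parts (user assignments with emergency-account exclusions, a sign-in risk threshold, device platforms, trusted-location exclusions, client apps, and grant controls that require all or any one of the selected controls). Policy names, accounts and the evaluation order are assumptions for illustration, not Entra's real policy engine.

```python
"""Simplified model of conditional access policy evaluation.
Added illustration with assumed names and simplified semantics;
it is NOT Microsoft Entra's actual policy engine."""
from dataclasses import dataclass, field

RISK_LEVEL = {"none": 0, "low": 1, "medium": 2, "high": 3}


@dataclass
class SignIn:
    user: str
    app: str
    platform: str               # "windows", "macos", "ios", "android"
    location: str               # named location: "hq", "branch", "unknown"
    client_app: str             # "browser", "mobile", "desktop"
    sign_in_risk: str = "none"  # Identity Protection risk level
    mfa_done: bool = False
    device_compliant: bool = False
    device_hybrid_joined: bool = False


@dataclass
class Policy:
    name: str
    include_all_users: bool = True
    include_users: set = field(default_factory=set)
    exclude_users: set = field(default_factory=set)      # emergency access accounts
    apps: set = field(default_factory=set)               # empty = all cloud apps
    min_risk: str = "none"                               # fire at this risk or above
    platforms: set = field(default_factory=set)          # empty = any platform
    exclude_locations: set = field(default_factory=set)  # trusted locations
    client_apps: set = field(default_factory=set)        # empty = any client app
    require_mfa: bool = False
    require_compliant: bool = False
    require_hybrid_joined: bool = False
    require_all: bool = True   # True: all selected controls; False: any one

    def applies_to(self, s: SignIn) -> bool:
        """Assignments and conditions: does the policy fire for this sign-in?"""
        return (s.user not in self.exclude_users      # exclusions beat "all users"
                and (self.include_all_users or s.user in self.include_users)
                and (not self.apps or s.app in self.apps)
                and RISK_LEVEL[s.sign_in_risk] >= RISK_LEVEL[self.min_risk]
                and (not self.platforms or s.platform in self.platforms)
                and s.location not in self.exclude_locations   # trusted: skip
                and (not self.client_apps or s.client_app in self.client_apps))

    def controls_satisfied(self, s: SignIn) -> bool:
        """Grant controls combined with 'require all' or 'require one'."""
        checks = [met for required, met in (
            (self.require_mfa, s.mfa_done),
            (self.require_compliant, s.device_compliant),
            (self.require_hybrid_joined, s.device_hybrid_joined)) if required]
        if not checks:
            return True
        return all(checks) if self.require_all else any(checks)


def evaluate(policies, s: SignIn) -> list:
    """Names of applicable policies whose grant controls are unmet; an empty
    list means access is granted, otherwise the sign-in is held until the
    listed controls (MFA, compliant device, ...) are satisfied."""
    return [p.name for p in policies
            if p.applies_to(s) and not p.controls_satisfied(s)]


BREAK_GLASS = {"breakglass@contoso.example"}   # constructed emergency account

# Constructed policies mirroring the tour: Exchange Online needs a managed
# device (compliant OR hybrid joined), MFA is required off the trusted HQ
# network, and MFA is required when Identity Protection rates risk high.
POLICIES = [
    Policy("Exchange: managed device", apps={"exchange-online"},
           exclude_users=BREAK_GLASS, require_compliant=True,
           require_hybrid_joined=True, require_all=False),
    Policy("MFA off trusted network", exclude_users=BREAK_GLASS,
           exclude_locations={"hq"}, require_mfa=True),
    Policy("MFA for high-risk sign-ins", exclude_users=BREAK_GLASS,
           min_risk="high", require_mfa=True),
]

# Constructed sign-ins that exercise the policies.
SIGNINS = {
    "alice_hq_compliant": SignIn("alice", "exchange-online", "windows", "hq",
                                 "desktop", device_compliant=True),
    "bob_remote_no_mfa": SignIn("bob", "exchange-online", "ios", "unknown",
                                "mobile", device_compliant=True),
    "carol_hybrid_joined": SignIn("carol", "exchange-online", "windows", "hq",
                                  "browser", device_hybrid_joined=True),
    "dave_unmanaged": SignIn("dave", "exchange-online", "macos", "hq", "browser"),
    "erin_high_risk": SignIn("erin", "sharepoint", "windows", "hq", "browser",
                             sign_in_risk="high", device_compliant=True),
    "breakglass": SignIn("breakglass@contoso.example", "exchange-online",
                         "windows", "unknown", "browser"),
}


def run_demo() -> dict:
    """Evaluate every constructed sign-in against POLICIES."""
    return {name: evaluate(POLICIES, s) for name, s in SIGNINS.items()}
```

Note that the excluded break-glass account is granted access even from an unknown location on an unmanaged device, which is exactly why the tour excludes emergency accounts: a misconfigured policy cannot lock the tenant's last administrator out.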
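An added example, not from the video or from Microsoft: a small Python reconciler that replays the four-VM story from the Azure Resource Manager section above to show what "declarative" and "idempotent" mean in practice. The VM names, SKU and subnet are constructed; the toy in-memory environment is an assumption, and only the Incremental and Complete deployment mode names are ARM's own.

```python
"""Desired-state deployment: the declarative, idempotent behaviour the video
attributes to ARM templates. Added illustration over a toy in-memory
environment; not Azure Resource Manager's implementation."""
from dataclasses import dataclass


@dataclass(frozen=True)
class VmSpec:
    sku: str
    subnet: str
    public_ip: bool


def vm_template(count: int, sku: str = "Standard_D2s_v3",
                subnet: str = "prod-app-subnet", prefix: str = "app") -> dict:
    """The 'template': WHAT we want (N VMs on the production app subnet,
    with public IPs, of one SKU), not the steps to get there."""
    return {f"{prefix}-{i}": VmSpec(sku, subnet, True) for i in range(count)}


def deploy(desired: dict, environment: dict, mode: str = "incremental") -> list:
    """One deployment pass. Creates missing resources, updates drifted ones and
    leaves matching ones untouched, so repeating it is a no-op. With
    mode="complete", resources absent from the template are removed (the real
    ARM deployment modes are named Incremental and Complete)."""
    actions = []
    for name, spec in desired.items():
        current = environment.get(name)
        if current is None:
            environment[name] = spec
            actions.append(("create", name))
        elif current != spec:
            environment[name] = spec
            actions.append(("update", name))
    if mode == "complete":
        for name in sorted(set(environment) - set(desired)):
            del environment[name]
            actions.append(("delete", name))
    return actions


def replay_video_scenario() -> tuple:
    """Four VMs declared; two deleted out-of-band; redeploy twice.
    Returns the action count per pass, what the second pass created,
    and the final VM names."""
    env = {}
    template = vm_template(4)
    first = deploy(template, env)          # creates app-0 .. app-3
    del env["app-1"], env["app-3"]         # constructed out-of-band deletion
    second = deploy(template, env)         # recreates only app-1 and app-3
    third = deploy(template, env)          # already converged: no actions
    return ([len(first), len(second), len(third)],
            [n for _, n in second], sorted(env))


def drift_and_stray_resources() -> tuple:
    """Drift is corrected; a stray VM survives incremental mode but not complete."""
    env = {}
    template = vm_template(2)
    deploy(template, env)
    env["app-0"] = VmSpec("Standard_B1s", "prod-app-subnet", True)     # SKU drifted
    env["legacy-vm"] = VmSpec("Standard_B1s", "legacy-subnet", False)  # not in template
    incremental = deploy(template, env)                 # fixes app-0, keeps legacy-vm
    complete = deploy(template, env, mode="complete")   # now removes legacy-vm
    return incremental, complete, sorted(env)
```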
Info
Channel: Inside Cloud and Security
Views: 16,426
Id: 8n-kWJetQRk
Length: 150min 52sec (9052 seconds)
Published: Thu Jan 11 2024