Hey everyone, so in this video I actually wanted to walk through, I guess, a few hints and tips about AZ-900, the Azure Fundamentals. Now, I hadn't taken this exam until Tuesday, and I'd not taken it because I've done a lot of the other exams: I've done obviously the Architect Expert, the DevOps Expert, the Data, the Security, the Admin Engineer certifications and all of those, but I never did the Fundamentals. The reason I took it is really twofold: a number of people actually emailed me asking "hey, do you have anything to help with AZ-900?", and I'm about to release my Azure master class on my YouTube channel and I was curious about what level of detail you need for AZ-900, so I figured I'd take the exam and kind of find out. Having a bit of fun as well, I was gonna try and speed take it. I had a bet with some colleagues I could finish in under 15 minutes; I actually finished in 10 minutes 30 in the end, and I did pass and I got 940, which means I'd got two questions wrong. So you get 60 minutes and my test was 31 questions; it says about 30 points a question.

What I want to really walk through in this is just, I think, some key points that may help. Now I wanna stress this is not all-encompassing. Again, I took the test, I didn't look at the syllabus, I didn't study, I still haven't, so this is really just based on what I saw, what I think the key constructs are that you need to know. If you look at kind of Thomas Maurer and Tim Warner, they both have phenomenal sets; I see them constantly posting about AZ-900. They're super smart guys, they're brilliant instructors, so go and look at their content. That's the place to go for a real in-depth AZ-900 study. This is gonna be maybe an hour of, maybe like a study cram for the things that I think you really need to know and that will help, but definitely go and look at those guys' material, that's the top quality stuff.

So again, 31 questions, 60 minutes. It says it's a 90 minute exam; that includes kind of the checking and survey stuff, it's actually 60 minutes. And I took it at home. All you need is a computer; they want one monitor attached, you just need a camera and microphone and speakers, it doesn't need a headset. What you do is you have to use your camera to take a picture of your driving license, of you, and then kind of the four views around your workspace to make sure you're not cheating. So again, you can't have a multi-monitor setup, one display.
And so when we think about what do we need to know, I think you need to start off with governance at a fairly high level. So when I think about governance, the first part of that is obviously identity. Now we probably have an idea that on premises we have kind of Active Directory, that's Kerberos, NTLM, we have users, groups, machines joined to that, I can do Group Policy. Now in the cloud we have this Azure AD thing, and Azure AD is great for things like OAuth, OpenID Connect, SAML, WS-Fed. It has built-in federations to thousands of SaaS apps. So if I'm going to get started in the cloud I have to have an Azure Active Directory. Now by default you'll get kind of an onmicrosoft name; you can add a custom domain name so you could match kind of the domain name you use on prem, savilltech.net for example.

Now I can create cloud accounts, I can create users directly in Azure AD. If I didn't have an Active Directory, great, you'd probably do that; I need to populate it with accounts. If I have an existing AD though, I don't want to recreate separate accounts, I want to be able to synchronize my accounts up, and for that you're going to use a component called Azure AD Connect. Azure AD Connect is going to replicate your user and group objects up into Azure AD so the users get a consistent experience. I can also optionally send up a hash of the password hash. It's not the original hash that's stored; it's a hash of the hash, a thousand iterations etc., so you can't reverse it, it's salted. So now I actually have the same hash in there, and that would enable me to authenticate directly against Azure AD. If I don't want to send up the password hashes, or if I do but still want to authenticate against my on prem, then I can still do either something called pass-through authentication, that's where there is kind of a Service Bus queue where an authentication request goes to wait, and there are agents you deploy on prem that listen to that queue, do the authentication, and send up a yes/no. The other option is I could absolutely just do regular federation, so now I authenticate here, actually bounce, authenticate here, and I get a kind of SAML token back. For all of these, as the user I can still get a seamless authentication experience, i.e. I'm not getting prompted to authenticate for things that trust Azure AD. For federation you just get single sign-on; for pass-through authentication, and if I'm using the password hash, we have seamless sign-on. The experience is the same: if I'm on a machine that has line-of-sight to a domain controller and I'm authenticated against AD, I'm good to go.

So understand I need Azure AD if I'm getting started, I need to populate it with accounts, and the best option if I have an AD is I want to replicate them using Azure AD Connect. So that's kind of part one: I have to get the identity right.
Once I have the identity in Azure AD, again, I mentioned there's a whole bunch of kind of built-in, existing federations to other SaaS apps, software as a service, and I can utilize those. And one of the things I can do up here is something called conditional access. So conditional access lets me say, hey, for conditions, there could be a particular app, a particular group of users, particular locations, a particular risk level (so I can determine the user's risk using Azure AD Identity Protection, that's an Azure AD P2 feature), I have these conditions and then I can require a certain thing. So for example I might say I require MFA, so again we can do MFA up here; I could require my device to be a known device, hybrid joined; it could have to be healthy according to Intune. So I can do a lot of things in Azure AD, but conditional access is huge, it helps me control. Again, conditional access is a P1 or above feature. MFA is now available across all of the SKUs, even the free ones, as part of security defaults, but if I want to use MFA as part of conditional access then it's that P1 Azure AD feature. So I need to get my identity in place; conditional access can be used to kind of control things.

OK, I have all the users in Azure AD. There is something called administrative units, so I can use these administrative units to kind of break up users into these units and then delegate particular users to be managed by different groups of people. If you know Active Directory you have kind of organizational units; this would be a kind of equivalent. I can delegate certain people to manage certain users within Azure AD. So there's an admin... this is a fairly new feature so it probably won't come up in the exam, I don't know, but just be aware that that kind of functionality is coming. So this is all about identity. Now then we start to think about, well, what about my Azure
resources? So we organize our Azure subscriptions, that's where we create stuff, and in an enterprise I'm probably gonna use management groups. So we have kind of this root management group that by default lives under our Azure AD tenant, and I can then create a hierarchy of management groups. And the things we can do with management groups are: I can apply a management-group-level role-based access control. This is where I have roles, and a role is really a grouping of actions I can perform against certain Azure resources, and then I grant those roles to groups or users. So for example I could say you're a Virtual Machine Contributor: I can create VMs, I can manage them. There are also things like Owner, Contributor, Reader; they're more generic. Owner means I can do anything and I can change the permissions. Contributor means I can do anything but I can't change the permissions. Reader means, hey, you can probably work that one out for yourself. So with RBAC I have roles, I assign that role to users at a certain scope, and I say users, ideally it's groups, at a certain scope. In this case my scope is a management group level and it will get inherited down. So within these management groups, wherever that hierarchy stops, at some point I'm going to create a subscription, and once again I can apply RBAC there. Any RBAC I set at that management group will get inherited down, and I can also explicitly set RBAC at a subscription.

Now additionally, in addition to RBAC, I can also set policy. Once again this will get inherited down. Policy is super powerful. If you think about the old days on premises: I want a resource, I make a request to the admin, say hey, I need this resource; the admin would look at my request and they'd say, well, you can't do that, a public IP, that's a security risk, you can't create the things over there. In the cloud, especially with things like DevOps, I can't have some human being checking things as part of my process, so we need guard rails, and the guard rails define what we can do, what meets our compliance requirements, and enforce them. So that's what Azure Policy does. So Azure Policy could say, hey, you can use these regions, and you can use this type of storage account, i.e. it must be GRS, it must replicate to another region; you can't use the M-series, it's too expensive for dev. And I might have our dev and prod structures in there, and again they get inherited down. So that's super powerful in terms of controlling what someone could do. So if I was like, hey, you need to stop someone deploying to a certain region, I would use policy to do that. Hey, I need to give someone the ability to manage VMs, well, that would be role-based access control. And then I can also do budget.
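As an added example (not code from the video), here is a small Python model of the two inheritance behaviours just described: RBAC assignments and Azure Policy assignments both apply to everything below the scope they are set at. The scope IDs, principals, resources and the simplified role and policy definitions are all constructed for the example.

```python
"""Added example (not from the video): how RBAC assignments and Azure Policy
both inherit down the management group -> subscription -> resource group ->
resource hierarchy. Role and policy definitions are simplified stand-ins for
the built-in ones; scope IDs, principals and resources are constructed."""
from fnmatch import fnmatchcase

# Constructed scope IDs: a slash-separated path down the hierarchy.
ROOT = "/mg-root"
PROD_MG = "/mg-root/mg-prod"
DEV_MG = "/mg-root/mg-dev"
SUB = "/mg-root/mg-prod/sub-payments"
RG = "/mg-root/mg-prod/sub-payments/rg-web"
VM = "/mg-root/mg-prod/sub-payments/rg-web/vm-web01"

# Simplified roles: (Actions, NotActions) as wildcard patterns over
# "provider/resourcetype/operation" (lower-cased). Owner does anything;
# Contributor does anything except change permissions; Reader only reads;
# VM Contributor is limited to compute (the real built-in role lists more).
ROLES = {
    "Owner": (["*"], []),
    "Contributor": (["*"], ["microsoft.authorization/*/write",
                            "microsoft.authorization/*/delete"]),
    "Reader": (["*/read"], []),
    "Virtual Machine Contributor": (["microsoft.compute/virtualmachines/*"], []),
}

# Role assignments: (principal, role, scope). Constructed; use groups in practice.
ASSIGNMENTS = [
    ("sec-admins", "Owner", ROOT),
    ("ops-team", "Virtual Machine Contributor", PROD_MG),
    ("auditors", "Reader", SUB),
    ("web-devs", "Contributor", RG),
]


def scope_chain(scope):
    """Every scope from the root down to `scope`: the inheritance path."""
    parts = scope.strip("/").split("/")
    return ["/" + "/".join(parts[:i]) for i in range(1, len(parts) + 1)]


def is_allowed(principal, action, scope):
    """RBAC is additive: any assignment at the scope or an ancestor whose role
    lists the action (and does not exclude it in NotActions) grants it."""
    action = action.lower()
    for who, role, at in ASSIGNMENTS:
        if who != principal or at not in scope_chain(scope):
            continue
        actions, not_actions = ROLES[role]
        if any(fnmatchcase(action, p) for p in actions) and \
                not any(fnmatchcase(action, p) for p in not_actions):
            return True
    return False


# Policy rules: callables that return a violation message or None.
def allowed_locations(locations):
    return lambda r: (None if r["location"] in locations
                      else f"location {r['location']} not allowed")


def storage_must_be_grs(r):
    if r["type"] == "Microsoft.Storage/storageAccounts" and "GRS" not in r["sku"]:
        return f"storage sku {r['sku']} must replicate to the paired region (GRS)"
    return None


def deny_vm_sizes(prefixes):
    def rule(r):
        if r["type"] == "Microsoft.Compute/virtualMachines" and r["size"].startswith(prefixes):
            return f"vm size {r['size']} denied"
        return None
    return rule


# Policy assignments: (scope, rule). Like RBAC, they apply to everything below.
POLICIES = [
    (ROOT, allowed_locations({"eastus", "eastus2", "southcentralus"})),
    (PROD_MG, storage_must_be_grs),
    (DEV_MG, deny_vm_sizes(("Standard_M",))),  # M-series too expensive for dev
]


def evaluate_policy(resource, scope):
    """Violations from every policy assigned at the scope or any ancestor."""
    violations = []
    for at, rule in POLICIES:
        if at in scope_chain(scope):
            v = rule(resource)
            if v:
                violations.append(v)
    return violations
```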
Budget enables me to specify kind of a dollar value (there's metrics as well) to say you can spend this much, and I can configure alerts at certain threshold percentages. So, hey, at 70% call this action group. An action group is usually used for Azure Monitor, and it's a response to an alert. An alert could be a metric, it could be a type of log, but essentially an action group defines a list of actions: send an email, send an SMS message, send to the Azure app on your phone, call a webhook, call an ITSM. So I can do those. So at 70% of my budget send an email, at 80% send a more aggressive email, at 90% send a threatening one, whatever you want to do. So I can set these three things at my management group and they will get inherited down. I can also set those three things at a subscription level.

Now let's talk about subscriptions, and I know this from the questions I got wrong: there are different ways I can get a subscription. There are ones that I'm going to get as part of an Enterprise Agreement, where there's account owners; I can just do pay-as-you-go; there is a free subscription. I had no clue what the free subscription limits were or anything else; make sure you know those things, but that's a super useful thing. If I have MSDN, Visual Studio, I get a certain amount of credits. So understand there's different ways to get a subscription and there might be different limits and capabilities on those, so have an understanding of what they are. So in the subscription I can apply those things as well.

Within a subscription we create resource groups, and I think of a resource group as bringing together things that share a common lifecycle: they're going to get created together, they run together, they are going to get decommissioned together. It's all the components that make that service work. So if I had an application and it had some web front-ends, it had a database, it had a load balancer, I'd probably put all of those things in a resource group together, and once again I can apply RBAC, policy and budget at that level. You can kind of see I have lots of resource groups, but a resource, i.e. a virtual machine, a storage account, a SQL database, lives in one and only one resource group. I cannot nest resource groups; it's flat. So in here I might have a VM, I might have kind of a storage account, I might have some kind of load balancer, whatever that might be; I have all the bits that make that application work, lots of VMs behind the load balancer. Now, I can do things like RBAC directly on a resource; we don't. The lowest level we ever go for RBAC is at a resource group. There are certain types of automation that may go and apply permissions directly to resources; we do not play in that world, that's something something else does entirely.

Now, when I have these resources, when I have these resource groups, when I have these subscriptions, these management groups, there's a very useful type of metadata that I can apply and it's called tags. A tag is just a key-value pair, that's all it is, and I can assign these to a resource group, a resource, a subscription, a management group. They're there to help me manage things. A common tag might be a cost center or department, it might be an app, it could be an owner, the things that are useful to me. I can use these to search for things, to organize; I can use them for billing. So when I think about cost, I can run billing reports: how much did this subscription cost me, how much did this resource group cost me, how much did everything under this management group cost me, how much did everything tagged with cost center X cost me. So again, if I'm trying to maybe see something about, hey, I want to be able to track costs on something, how would I do this, what would I use? Well, if I created a tag for my cost center or project I'd be able to see that in the billing reports. So tagging is super powerful, but it's just key-value; I can really put whatever I want in. So those are some of the key construct things. Now how do
we interact, how do I actually go and use Azure? So when I think about, OK, we've got the Azure cloud and I want to interact and do stuff, the obvious one is kind of a portal; there is portal.azure.com, I can go to that. There's a whole list of kind of browsers you can use with that; the key point here is you can go and look these up, but it's obviously Edge and Chrome and Firefox and Safari, which means, hey, if it's Windows, Linux, macOS, it's gonna be able to use that. Then you'll hear about kind of the Azure CLI; again there's versions of that for all of those things. Then you'll hear about PowerShell, and there's an Az module. Well, the Az module runs on PowerShell Core; PowerShell Core is cross-platform, Windows, Linux, macOS, as is the Az module. So essentially there's three core ways we think about interacting, and of course there's a REST API as well, which would work from anything that can do a RESTful call. I can use it cross-platform, Windows, macOS, it's just gonna work across those. So if I think about how do I interact, any of those kind of major platforms is gonna work.

Now when I actually think about creating something, yes, I can create things through any of those. Behind the scenes Azure is actually JSON. If you go and look at resources.azure.com, or if you create things in the portal, there's normally like an export, and even if you've created it already there's an export kind of button; it will show you the JSON. This is called an Azure Resource Manager template, and it's a declarative technology. I've got another video that talks about imperative vs. declarative; essentially declarative means this is what I want the end state to be, I'm not telling you how to do it, this is what I want it to look like, go and make it happen. Excuse me, thirsty. So behind the scenes it's all JSON, and so if I want to create things in a very consistent manner, if I want to make sure I'm deploying it exactly the same way across environments, the best way to actually provision things is an ARM template, and I can call those from any of those things. But I create an ARM template, which is JSON that defines all of my resources, variables, and I apply that to Azure and it will make it so: hey, create this storage account, or I want this storage account with this config, I want these virtual machines, I want this scale set, I want those things, just do it. So when I think about creating things the best option is to use an ARM template. Again, I can see ARM from like the portal, I can go look at existing resources, I can go and look at resources.azure.com. But if I see anything about, hey, you need to create things, you need to make sure it's consistent across multiple environments, can I use an ARM template? If I can use an ARM template, that's the answer. Now there are other technologies out there; things like Terraform are cross-platform, so that would let me do this same declarative deployment across Azure and AWS and Google Cloud and VMware and Kubernetes, this kind of goes on, there are providers for everything. I doubt there'll be things about that, but realize that's another declarative technology that I could absolutely use. So that's when we think about actually provisioning things.
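To make "declarative" concrete, here is an added example (not the video's code, and not Resource Manager itself): a constructed, trimmed ARM-style template, a resolver for the few template expressions it uses, and a toy planner that stands in for an incremental deployment, working out what has to change for the environment to match the template and doing nothing when it already does.

```python
"""Added example (not from the video): what a declarative ARM template means in
practice. The template is a constructed, trimmed ARM-style document; the
resolver handles only the expressions it uses ([parameters()], [variables()],
[concat()]); the planner stands in for Resource Manager's incremental mode."""
import json
import re

TEMPLATE = json.loads("""
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {"env": {"type": "string", "defaultValue": "dev"}},
  "variables": {"location": "eastus2"},
  "resources": [
    {"type": "Microsoft.Storage/storageAccounts", "apiVersion": "2021-09-01",
     "name": "[concat('stapp', parameters('env'))]",
     "location": "[variables('location')]",
     "sku": {"name": "Standard_GRS"}, "kind": "StorageV2"},
    {"type": "Microsoft.Network/virtualNetworks", "apiVersion": "2021-05-01",
     "name": "[concat('vnet-', parameters('env'))]",
     "location": "[variables('location')]",
     "properties": {"addressSpace": {"addressPrefixes": ["10.1.0.0/16"]}}}
  ]
}
""")


def _split_args(s):
    """Split a concat() argument list on top-level commas only."""
    args, depth, cur = [], 0, ""
    for ch in s:
        if ch == "," and depth == 0:
            args.append(cur)
            cur = ""
            continue
        depth += (ch == "(") - (ch == ")")
        cur += ch
    return args + [cur]


def _eval(expr, params, variables):
    """Evaluate one template expression (just the subset this template uses)."""
    expr = expr.strip()
    if m := re.fullmatch(r"'([^']*)'", expr):
        return m.group(1)
    if m := re.fullmatch(r"parameters\('([^']+)'\)", expr):
        return params[m.group(1)]
    if m := re.fullmatch(r"variables\('([^']+)'\)", expr):
        return variables[m.group(1)]
    if m := re.fullmatch(r"concat\((.*)\)", expr):
        return "".join(_eval(a, params, variables) for a in _split_args(m.group(1)))
    raise ValueError(f"unsupported expression: {expr}")


def resolve(value, params, variables):
    """Replace every "[...]" string inside a template fragment with its value."""
    if isinstance(value, str) and value.startswith("[") and value.endswith("]"):
        return _eval(value[1:-1], params, variables)
    if isinstance(value, dict):
        return {k: resolve(v, params, variables) for k, v in value.items()}
    if isinstance(value, list):
        return [resolve(v, params, variables) for v in value]
    return value


def render(template, **param_values):
    """The concrete resources the template declares for these parameter values."""
    params = {k: param_values.get(k, v.get("defaultValue"))
              for k, v in template["parameters"].items()}
    variables = resolve(template["variables"], params, {})
    return [resolve(r, params, variables) for r in template["resources"]]


def _spec(resource):
    return {k: v for k, v in resource.items() if k not in ("type", "name")}


def plan(desired, current):
    """Incremental deployment: create what is missing, update what drifted,
    leave what matches, and never delete what the template does not mention."""
    actions = []
    for r in desired:
        key = (r["type"], r["name"])
        if key not in current:
            actions.append(("create", r["name"]))
        elif current[key] != _spec(r):
            actions.append(("update", r["name"]))
        else:
            actions.append(("noop", r["name"]))
    return actions


def apply(desired, current):
    """State after deployment; applying the same template again is all noops."""
    new = dict(current)
    for r in desired:
        new[(r["type"], r["name"])] = _spec(r)
    return new
```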
And make sure you understand there are limits. So just regular Azure subscriptions, there are limits; obviously this free account, there are limits. So just kind of understand those things are out there and exist. I made some notes, so I'm just checking I don't forget stuff.

So when I think about now creating stuff, remember Azure is this cloud, but really there's no such thing as the cloud as such. If you think about it, Azure is made up of lots of what we call regions. So we can have kind of a region one, there's another region, and there are tons of regions in the United States and Europe and Asia, Australia, you name it, there's kind of regions there. Now most of them are part of the commercial cloud, which means we can all use them; there are some sovereign clouds. A sovereign cloud would be, for example, Germany has a sovereign cloud, China has a sovereign cloud, US government has a sovereign cloud, so you have to be part of those countries or organizations to use that. But essentially we have regions, and these are all connected to this kind of massive Microsoft backbone network; that's one of the biggest in the world, it spans the world, they had submarines dropping cables under the Atlantic, so it's a massive, super performant network. And when I deploy things I deploy to a region: I want to deploy to South Central US, to East US, East US 2, West US, Europe, whatever that might be. So I can think about, I deploy to a region, but a region is actually typically made up of more than one data center. So I might think, well, yeah, there's like a data center there, there's another data center, and let's say there's three data centers, picking a number almost completely at random. These are actually exposed in a number of regions today, and you'll see them called availability zones. Within your subscription, for each region you'll typically see AZ 1, 2 and 3. These are not physical; there's not actually a building with 1 written on it. My AZ 1 in my subscription might be someone else's AZ 3 in their subscription, but they are consistent within any individual subscription. And the point of the availability zones is they have independent kind of communications and cooling and power and water. So when I think about resiliency, I would typically deploy my resource across different availability zones. Now there's something called a standard load balancer to distribute the traffic among those. So what an availability zone is giving me is resiliency at a data center level. So if a data center failure needs to be survived, I need to use availability zones; that will give me resiliency. The blast radius for an availability zone is a physical kind of building, so if I want to be resilient against a data center level failure, I need to deploy to availability zones.

There is another construct for resiliency, and this kind of lives within a particular building, even smaller. Let me pick a pen. Now if you think about it, a building is just racks and racks of servers, called stamps, these are all deployed. So the other construct I can actually use is something called an availability set. So an availability set is essentially three fault domains; there are fault domains 0, 1, 2, and what happens is the resources I deploy will get distributed over those three fault domains, or racks. So an availability set would give me protection; the blast radius would be a rack-level failure: top-of-rack switch, power supply units, an individual server. But it would not protect me from a data center level failure, so if the data center goes down, my availability set is in the same data center. So an availability set protects me from a rack or server level failure; an availability zone protects me from a data center level failure via sort of distributing across them. Of course, if I want to survive a region level disaster, then I have to deploy to multiple regions. So if I want to survive an entire region being unavailable, I need to deploy to multiple regions, then I have to balance my traffic between them: say Traffic Manager, that's just DNS-based, or I could use Azure Front Door if it was HTTP/HTTPS. So that's how I could do that. It's like 7:00 a.m., I just worked out for three hours, so I'm pretty thirsty. So those are kind of some key constructs I think about during deployment. OK, so let's actually think
about what I actually do within these things. So the first construct we often need is a network. So if we zoom out for a second, pick a pen: a virtual network. I can think about what I have: my subscription. So I have a subscription; within a subscription I can use many, many regions. So I pick a particular region, and then within that region and that subscription I create a virtual network. The virtual network is just one or more CIDR ranges, and a CIDR range is that notation where you see kind of the network, so it might be 10.1.0.0, slash, the number of bits that define the size of that network, so like a /16, which is the equivalent of a 255.255.0.0 subnet mask. So we write those in CIDR format. Normally it's the RFC 1918 ranges, the 10., the 172.16., the 192.168. things, but you can use other ranges if you want, if you own them, if you're bringing them, you can use that as well. So I create a virtual network. Again, it can't span regions, it can't span subscriptions; if I'm using multiple regions I would at minimum have a virtual network per region. And then I break that up into virtual subnets, and that subnet would be a portion of the overall IP space of the virtual network. So I'm creating that virtual network; this is where I can then create stuff. So I create virtual machines, virtual machine scale sets, Kubernetes hosts; many things can actually go and interact with that network.

Now, if I have a virtual network, I might have another vnet in the same region; it could be just a different group, maybe prod, dev, whatever; maybe it's in a different subscription, maybe it's in a different region. I can connect vnets together, so I might have another vnet in another region over here, using peering. So peering just uses the Azure backbone to basically connect them together. The IP space cannot overlap, it has to be unique IP space. It is not transitive, so note: this vnet here is connected to this vnet, this vnet is connected to that vnet; they cannot talk, I would have to add a vnet connection between those as well. So key point: peering lets me connect vnets, the IP space cannot overlap, it is not transitive. Now, I could deploy a virtual network appliance, I could apply Azure Firewall to perform routing, I could use something called user-defined routes to specify the next hop and make it transitive, but natively it is not transitive, it will not do that.
So that's cool, I've got this vnet thing, and now you've got your on-prem network; so this is your kind of on-premises network, I want to be able to use that. Now, absolutely, I could give things a public IP address, and there will be times you want to do that; I might have something I want to offer as a web service to the Internet. Now, yes, I have a VM or virtual machine scale set, or I'll get into these in a second; they have to have a private IP, these are IP addresses dynamically allocated from the IP space of the virtual subnet they are placed on. I can add a public IP; I could give this VM a public IP here as well. That's generally very poor form, you don't want to do that. If I want to make something available I would use a load balancer, so I have some kind of load balancer, then I have multiple back-end members to answer that traffic. It would also then give me resiliency, give me scale, and then I'd give that a public IP; that would be a public load balancer. But if I'm on prem I probably don't want to go via some public endpoint, I want private connectivity, I want to think about making Azure an extension of my network. So there are a number of ways we can do that.

The first is, if I was just an individual machine, I was just a machine sitting out here and I just want my machine to be able to connect, I can do a point-to-site VPN. So I have to have a gateway in Azure that I connect to, so the first point is I have to have a gateway subnet; you dedicate it to the Azure gateway, and the recommendation is a /27. It can be as small as a /29, but we like a /27; it gives us future flexibility, maybe I want an ExpressRoute gateway and a site-to-site and point-to-site gateway. So I deploy the gateway and then I could kind of connect in; I would then get an IP address from the gateway and I'd be able to talk to the resources on that vnet, or connected to that vnet via peering or whatever, just IP routing. But when I connect my entire network you really have two choices. One is I can do a site-to-site VPN. This is gonna use IPsec, and again I have to have that gateway subnet, and I have to deploy the VPN gateway into my network. So I need a subnet to deploy the gateway; the gateway is a component managed by Azure, and I say, hey, I want a VPN gateway into that gateway subnet. So those are the two things I have to have, and now I can establish that VPN connection. So now anything sitting on this network can go and talk, anything on this can go and talk to this; I've now essentially connected the networks together. So this is encrypted, again it's IPsec, but it is going over the public Internet. So this is just going over the Internet; latency, I don't know, it's going over the public Internet, it's gonna vary, it's not consistent. And all I can do over this, mainly, is stuff that sits within that virtual network. I say mainly; I'm gonna talk about something else in a second that muddies it slightly, but that's the point: it's a site-to-site VPN connection over
the Internet. Now, my other option is: remember I drew this kind of line and I said, hey, there's this Microsoft network and then I have the regions? Well, you can kind of think about that Microsoft network, and once again I've got kind of a vnet sitting in here and then I've got my network. So Microsoft have a number of edge locations; these are network edge places, this is where Microsoft extends its network to connect to other carriers, so we can do Internet offload, but also so we can do dedicated private connectivity. This is ExpressRoute. So what I can do as a company is I can work with an ExpressRoute provider and they will either give me kind of a dedicated connection into a meet-me location, or maybe if I've got MPLS it can become a node off of my MPLS. Essentially now I've connected my network to the Microsoft backbone. So that's ExpressRoute. So with ExpressRoute it's a dedicated connection and it's private, so it's dedicated, it's not going over the Internet, I pick the circuit speed I want, latency is gonna be consistent; this is a private connection, not bouncing over random hops and random places in the middle.

Now, when I establish this connection, all I've done is connect my network to the Azure, or the Microsoft, backbone network. The next thing I have to do is a peering. A peering lets me actually use the resources. So if I want to get to stuff on a vnet, then that's going to be private peering. So private peering basically says, hey, I want to connect to that IP space; that's a private peering, and I can peer to multiple vnets, and it would all go via this meet-me location. So that's private peering. But remember there's also other stuff; there's also things like storage accounts and SQL and lots of other great services in Azure. Well, if I want those, which are normally public facing, Internet facing, to be available via my ExpressRoute, then I turn on something called Microsoft peering, and with Microsoft peering these routes that are normally advertised to the Internet now get advertised via there as well, and there's a route filter I can use to be more specific. And it's really more detail than you need. I think the key point will be: private peering, I'm using ExpressRoute to connect to a certain vnet; Microsoft peering is used to connect to PaaS services, so Azure SQL Database, Cosmos DB, open databases, storage accounts, things that don't live within a vnet.

Now I said there is this kind of murky middle ground, and there is something called Private Link. I'm not gonna go into a lot of detail; essentially Private Link lets me take a resource and it actually now has a private endpoint within my vnet, it has an IP address that represents the service. So technically now I could be getting to that vnet and still access that PaaS service via private peering, or via a site-to-site VPN, because that service has now kind of got its manifestation as a private endpoint. Again, that's probably more detail. I would focus on: hey, I want to get to Azure; I can do a point-to-site VPN, that connects my machine, I have a gateway which is managed by Azure, it's a redundant set in a gateway subnet. If I want to connect an entire network I can use a site-to-site VPN, which is an encrypted IPsec connection over the Internet, or I can use ExpressRoute, which is a dedicated connection; it is not encrypted because it doesn't need to be, because it's private. And then I could do private peering to connect to a vnet-based resource, or Microsoft peering to advertise a subset of resources in selected regions, via route filters, over my connection. So they're kind of the key things I think about for connecting the networks together.

We talked about the network peering; again, one of the other cool things you could do is, if you imagine I had kind of a hub network and then I had a number of spoke virtual networks, they're all connecting to this one. As I mentioned, I could apply something like Azure Firewall to enable those to talk to each other, but also if I did have kind of that on prem network and I established some kind of connectivity, one of the things I can actually do is to say, hey, use remote gateway and allow gateway transit. So now these could actually use the connectivity of the hub to go through. So that's kind of nice, and that would work with a site-to-site VPN or ExpressRoute, just kind of something nice I can do in there.
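As an added example (not code from the video), here is a Python model of the virtual network rules from the last few sections: subnets carved from the vnet's address space (RFC 1918 or bring-your-own), no overlapping address space between peers, non-transitive peering, gateway subnet sizing (/27 recommended, /29 minimum), and a spoke reaching on-prem prefixes through the hub only when the hub allows gateway transit and the spoke uses the remote gateway. The vnet names, address spaces and on-prem prefix are all constructed.

```python
"""Added example (not from the video): the virtual network rules described
above, modelled in Python. Vnet names, address spaces and on-prem prefixes are
constructed."""
import ipaddress as ip

RFC1918 = [ip.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


class VNet:
    def __init__(self, name, address_space, subnets=()):
        self.name = name
        self.space = [ip.ip_network(a) for a in address_space]
        self.subnets = {}
        for sname, prefix in subnets:
            self.add_subnet(sname, prefix)

    def add_subnet(self, sname, prefix):
        """A subnet is a slice of the vnet's space and may not overlap another."""
        net = ip.ip_network(prefix)
        if not any(net.subnet_of(space) for space in self.space):
            raise ValueError(f"{sname} {net} is outside {self.name} address space")
        for other in self.subnets.values():
            if net.overlaps(other):
                raise ValueError(f"{sname} {net} overlaps subnet {other}")
        self.subnets[sname] = net

    def is_rfc1918(self):
        """Bring-your-own public ranges are allowed, but RFC 1918 is the norm."""
        return all(any(s.subnet_of(p) for p in RFC1918) for s in self.space)


def gateway_subnet_check(prefix):
    """Size check for the GatewaySubnet: /27 recommended, /29 the minimum."""
    plen = ip.ip_network(prefix).prefixlen
    if plen > 29:
        return "too small: /29 is the minimum"
    if plen > 27:
        return "allowed, but /27 is recommended to leave room for more gateways"
    return "ok"


def spaces_overlap(a, b):
    """Peering requires unique address space on both sides."""
    return any(x.overlaps(y) for x in a.space for y in b.space)


class Peering:
    def __init__(self):
        # links[x][y] = (x allows gateway transit to y, x uses y's gateway)
        self.links = {}
        self.gateway_routes = {}  # vnet name -> on-prem prefixes its gateway reaches

    def attach_gateway(self, vnet, onprem_prefixes):
        """A VPN or ExpressRoute gateway in this vnet learns these prefixes."""
        self.gateway_routes[vnet.name] = [ip.ip_network(p) for p in onprem_prefixes]

    def peer(self, hub, spoke, allow_gateway_transit=False, use_remote_gateways=False):
        if spaces_overlap(hub, spoke):
            raise ValueError(f"cannot peer {hub.name} and {spoke.name}: address space overlaps")
        self.links.setdefault(hub.name, {})[spoke.name] = (allow_gateway_transit, False)
        self.links.setdefault(spoke.name, {})[hub.name] = (False, use_remote_gateways)

    def can_reach(self, src, dst):
        """Vnet-to-vnet: only a direct peering counts; peering is not transitive."""
        return dst in self.links.get(src, {})

    def can_reach_onprem(self, src, prefix):
        """Own gateway, or a directly peered hub whose gateway we may use."""
        target = ip.ip_network(prefix)
        if any(target.subnet_of(r) for r in self.gateway_routes.get(src, [])):
            return True
        for peer, (_, use_remote) in self.links.get(src, {}).items():
            peer_allows_transit = self.links[peer][src][0]
            if use_remote and peer_allows_transit and any(
                    target.subnet_of(r) for r in self.gateway_routes.get(peer, [])):
                return True
        return False


def demo_topology():
    """Constructed hub-and-spoke: a hub with a gateway, one spoke using it, one not."""
    hub = VNet("hub", ["10.0.0.0/16"], [("GatewaySubnet", "10.0.255.0/27"),
                                        ("AzureFirewallSubnet", "10.0.254.0/26")])
    spoke_prod = VNet("spoke-prod", ["10.1.0.0/16"], [("web", "10.1.0.0/24")])
    spoke_dev = VNet("spoke-dev", ["10.2.0.0/16"])
    p = Peering()
    p.attach_gateway(hub, ["192.168.0.0/16"])  # constructed on-prem address space
    p.peer(hub, spoke_prod, allow_gateway_transit=True, use_remote_gateways=True)
    p.peer(hub, spoke_dev)  # plain peering, no gateway transit
    return p
```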
When I do have my virtual network, obviously security often comes up. So if I think about my vnet and then I have a certain subnet, for example, the way we can actually control the flow of traffic is something called NSGs, network security groups. So network security groups let me say, hey, I'm gonna allow certain flows, and that could be based on IP address; there's also something called service tags, so I can name particular Azure services, so I could let it talk to Azure Storage, I could let it talk to Azure SQL Database. So I can use NSGs to control. So if I went here, for example, to let 443 in from the Internet, I would have to create a rule on the network security group on my subnet to say, hey, allow 443 from the Internet to this particular VM. So with NSGs I think about locking down a subnet. I apply them at the subnet and they're enforced at the NIC. We very rarely will apply it to a network card; you can do that as well. Generally we create these rules and we apply them at the subnet. Now, another alternative to NSGs would be something like Azure Firewall. So Azure Firewall, it's kind of this edge device that I would make the traffic flow through, and again if I was using Azure Firewall then I would modify Azure Firewall to allow that type of traffic to actually come through. So that's another option for controlling those things.

I only talked about the load balancer: if I have a scenario where I have kind of lots of resources offering the service, we use an Azure Load Balancer, which is a layer 4 construct, so it's operating at layer 4, which means it's kind of UDP, TCP. If I was using a web service like HTTP/HTTPS then I can instead use App Gateway. App Gateway is layer 7, so it understands HTTP, then I can do little things like cookie-based affinity and path rewriting, SSL offload, things like that. So that helps me again balance traffic. Queues, health probes to check is it really there. So those types of things, that's pretty much as much networking, I think.
a super high level. From a storage perspective, the simplest thing generally is a storage account. So you create a storage account and the storage account lives again within a certain region; I typically want the storage account to be in the same region as the compute that's going to use it. One of the big configurations we have is the resiliency type. So there's always three copies of the data; there's never less than three copies of my data. If it's all within one kind of storage stamp, that's called LRS, locally redundant storage, locally resilient storage, one of those things. If I have availability zones I can actually spread those three copies over the three AZs in the region; that would be ZRS, so now spread them over AZs. So that all lived within a certain region. Now they actually pair regions; they're hundreds of miles apart. So a region is actually typically defined as a two millisecond latency envelope, so a region is not necessarily hey, there is one building; the buildings might be spread out. They're generally fairly close together; Microsoft buys big stamps of land and they put multiple data centers in it, but it could be more distributed as long as it lives within that two millisecond latency envelope. Obviously we have lots and lots of regions, so I have another region over here. Microsoft creates pairings of regions for certain purposes. Those paired regions are generally hundreds of miles apart so they'd survive any kind of natural disaster; it shouldn't affect both, and if you did affect both we probably don't care anymore anyway. So we pair those hundreds of miles apart; they're in the same geopolitical boundary, and the exception is Brazil, that actually pairs with South Central US because there's only one region in Brazil, but everywhere else these are paired in the same geopolitical boundary so there's not data sovereignty challenges. So the point is, with these pairs I can turn on something called GRS. So with GRS now it replicates the data asynchronously and there's three copies over here as well. There's also, for certain services, I can do a read access variant, so I can read but not write to it over here. In a storage account I can do kind of blob, which is generally great for any kind of file; I can do files, which gives me SMB access; I can do tables, which are kind of key value column storage; and I can do queues, so hey, I want to put something on and I take something off. So those are all just natively available with a storage account. Behind the scenes, when we create virtual machines and I create a managed disk, it's using a page blob to actually store that; it just abstracts it away for me. So on a storage side, if I want resiliency from a regional outage, for example, for my storage I would pick GRS or ZGRS, which uses ZRS locally and then replicates it over. One of the cool things you can now do is you can pick the failover; I can initiate the failover if I deem I need to fail over, and it will actually show me hey, this was the last sync time, you would lose X minutes of data, because it is asynchronous there potentially could be some data loss, probably would be some data loss. Okay, so that's networks, that's very basic
storage. The last thing I want to touch on is the services you're gonna actually create, and I'm kind of old-school on this, I'm just gonna get my notes for a second just to make sure I don't forget a certain type of service I want to cover. All right, so I think in layers, and I often think about, well, there's compute, there's network, there's storage, and there's a hypervisor, could be Hyper-V, VMware. Compute, my servers; network, my switches, my cabling; storage, storage area networks, whatever that might be. Then I have my kind of operating system, then I might have various runtimes and middlewares, then I have kind of my app and my data. And the reason this is important is when we start looking at the cloud the responsibilities shift. So on-premises, just on-prem, this is all me, it's my responsibility. I have to worry about the physical machines, I have to worry about hypervisors, that's all my job. Then when I move to the cloud the first one we see is infrastructure as a service, and the line is there, so now the shift is: this part is me; the hypervisor, the physical storage, the physical network, the physical compute, in this case it's Azure's job, it's Microsoft's job to make sure of that stuff. So when I move to the cloud I'm no longer responsible for those things. I care that it's working, I care about SLAs, but it's not my job. When I go to IaaS, and this is really the lowest level I do in the cloud, I'm responsible for the OS and above. So I'm patching the OS, I worry about firewalls and configuration and anti-malware and runtime versions and my app. There are things to help me: Azure Backup can help back it up, there are extensions to help configuration, there's many things to help me do the job, anti-malware etc., but it's my responsibility to make sure I turn those things on. Next layer up we think about platform as a service, PaaS. So here all I care about is the app and the data, that's it. I'm not worrying about operating system or runtime or middleware, not my job. And then finally there's kind of SaaS, software as a service, that's Office 365. Really nothing there is me; the only thing I tend to do in SaaS is I might do configuration. I'm not deploying SharePoint or Exchange or anything else, but I have to configure those things. So in a SaaS world I might do configuration but I'm not doing deployment. In a PaaS world, well, I'm gonna use tools, probably DevOps, to deploy my app; I have to make sure to worry about my data resiliency, that's on me; I'm not worried about any of the underlying stuff that runs it, the operating systems. In the IaaS world, hey, I do care about everything down to the OS, but I never care about any physical element; that's completely outside of what I do, it's nothing I'm gonna use. So that's important to kind of understand. The cloud is consumption: I pay for what I use. I pay for when the VM is running, so if I shut down the VM, i.e. de-provision it, I stop paying for the VM; doesn't mean it becomes free. So again we think in an IaaS world, often we think of kind of VMs as first, that's the lowest level. Well, even at VM, if we think about it, so I've got my virtual machine; what needs storage? This is an OS disk. So just because I shut down the computer and I stopped paying for the compute charge, I'm still paying for the disk, and I might have data disks, so I'm still paying for those, and there's like network cards, there might be IP config, that's important to realize. So it's consumption: I pay for the storage, I pay for the compute, I pay for network egress. I don't pay for ingress to Azure, I never pay for data into Azure; I pay for data leaving the region, and when I peer networks there is a small ingress/egress charge for peering. But that's kind of a fundamental point: when I move to Azure what I pay for is consumption charges, and realize there are different resources that make up an overall service like a VM. So yes, I shut down the VM, I stopped paying for the VM, but unless I delete it and its disks I'm still paying for the storage stuff. So we have different types of service we can
use so it's kind of think about those services so obviously we have a virtual
machine it has very familiar I create a VM there's different SKUs there were
ones more storage optimized computer optimized memory optimized ones with
nvidia cuda cars for GPU huge range of them i pick different sizes i can change
these things but it requires me to essentially shut it down and restart it
as a restart to change the size so i have properties of the virtual machine
and we have virtual machine scale sets this is still IaaS virtual machine scale
set is really the idea that many types of service we have multiple instances
really they're just tin soldiers stand them up with one falls down we just had
another one up in its place we don't really care about it it's state so
virtual machines scale set essentially I have kind of this gold image and then I
specify properties like the minimum number I want the maximum number I
want when I perform a scale it will take care of deploying the
virtual machines it would take care of deleting and creating them again I want
to scale horizontally to really optimize my costs so I think about virtual
machines scale set it will look at what's the resource use what's our
schedule I've defined hey I need three now now I need seven now I need two now
I need five it will dynamically delete and create them based on what I need at
that moment in time so I'm only paying that consumption of what I actually need
at that moment which is huge other cool things are like this image this gold
image can come from the image repository it could be the Microsoft images it
could be custom ones I create if I put in a new version of the image it will
automatically on a rolling update replace all of the deployments in the
scale set I'm not even patching anymore it will
just go and deploy that stuff so these are all still kind of IaaS, VM scale sets
are starting to push over but fundamentally they're they're virtual
machines just some things to help me now then I start moving into things like
containers. So remember a container is where we virtualize the operating system. Virtual machines, we virtualize the hardware: we have a virtual machine which has a certain amount of virtual CPU and memory and storage. With a container, remember we have kind of the host and it has essentially got the kernel, which is shared, and then it creates these container instances that have isolated kind of namespaces and IP stacks, resource controls, but they're running on a shared OS, a shared kernel, so we're virtualizing the operating system. So in Azure we can do containers; there are services like Azure Container Instances, just really containers as a service, and what we would have is some kind of repository where we have our images, like the Azure Container Registry, the ACR, and an image is just layers, so that would be like a base OS layer, then maybe there's some config, then there's an app, and I just deploy that image to a container. But there's a lot of requirements for containers: are they healthy, are they distributed, someone has to create them, someone has to scale the worker nodes; there's a whole orchestration layer I need for containers. So that would be kind of Kubernetes, and in Azure there's a managed offering called AKS, and the great thing about AKS is you don't pay for the management components. I'm not paying for the etcd database, not paying for the scheduler, the API, the brain; don't pay for any of that. I just pay for my worker nodes that actually run the containers, the pods that run the containers. Another really cool thing I can do is, yes, I have my own kind of workers, and it does that via a kubelet, which is like an agent that helps manage stuff; it can actually also hook into ACI via a virtual kubelet, so it can actually burst and use ACI if it needs to. That's kind of some cool stuff. So now we get into kind of the PaaS. These
are all PaaS, platform as a service. Then we have App Services, and you hear about App Service plans; these are like web, mobile and API. I create an App Service plan; again, behind the scenes I pick a certain scale, it auto scales depending on the actual SKU I purchase, like I pick different sizes; it's consumption based, I pay for what I'm going to use. There's also something called an App Service Environment, an ASE, and an ASE is dedicated to you, there's no multi-tenant parts, and it runs in your vnet. So if you ever saw something like hey, you need to use App Services but it must run inside your virtual network, an App Service Environment will give you that, but it costs more, because now there's no shared components, which the App Service plans have, so there's more bits, but it scales higher and it's all running inside my vnet. And this is kind of like the initial Azure PaaS; that's kind of the ultimate personification of PaaS. Then you'll see things like Logic Apps and Azure Functions. Now these are PaaS, but they also kind of come into this thing you hear called serverless, and the reason it's serverless is even App Services, as part of the creation, I specify how many instances of kind of the workers do I want, what size are they, so still servers dedicated to me; I'm still paying for boxes, and yes they scale, but I'm paying for the whole box. With Logic Apps and Functions, Functions can run on an App Service plan or they can run in a serverless, a consumption model: I pay for the CPU I consume and the storage I do. Logic Apps, I pay for the connections that I'm leveraging and the work it's doing. So these are serverless offerings. So if I see hey, you need a serverless solution, well, that would be Azure Functions or Logic Apps. Logic Apps is really like a flow: I use these different integrations via connectors, and I can say hey, a connector is a tweet, then I go and call some Azure cognitive service to get sentiment, then I go and write out to something else. So I create this flow using connectors; so that would be a Logic App, so it's all done kind of visually. And Azure Functions, it can run C#, there's a whole bunch of languages, PowerShell is what I use a lot. I bind to inputs and outputs, I have triggers; a trigger could be hey, someone calls me via a webhook, someone via Event Grid, writing to a storage account, a schedule, and it's just gonna run code. So they're kind of the core things to understand: those are the VMs, it's a virtual machine; VM scale sets, it's based on templates and it auto scales for me; containers, AKS is the kind of orchestration; App Service plans, hey, I wanna run a website, now I could run a website in containers; and then the serverless
solutions. So I guess, based on what I saw in the AZ 900, there's some of the things I would really make sure you know. Again, this was not exhaustive at all; again, I still have not looked at the syllabus, zero real clue what's in it, but based on what I saw I think this would definitely help if you understand these things. But again, go and look at like Thomas Maurer and Tim Warner; they've got a ton of detailed stuff, I see them posting all the time, they're super smart guys and they'd probably be a great place to go. But hopefully this might give you a few things to help you pass, so you can take it. Good luck, relax, don't worry. If this was helpful please like, comment, subscribe, and until next time take care of yourself.
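The NSG behaviour the video describes (a rule on the subnet's network security group that lets 443 in from the Internet, with service tags naming sources, and everything else denied), as an added example that is not from the video: a small Python model of how an NSG evaluates inbound flows in priority order on top of the default rules. The service-tag prefixes, the sample addresses and the custom rule names are constructed for the example; only the two default rule names and priorities are Azure's own.

```python
"""Toy model of Azure NSG inbound evaluation (added example, not from the
video): rules are tried in priority order (lowest number first), the first
match decides, service tags stand in for address ranges, and a default rule
denies anything no earlier rule allowed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed stand-ins for service tags; real tags resolve to prefixes
# Microsoft publishes, these ranges are made up for the example.
SERVICE_TAGS = {"VirtualNetwork": ["10.0.0.0/16"], "Internet": ["0.0.0.0/0"]}

@dataclass
class Rule:
    name: str
    priority: int             # 100-4096 for custom rules; lower wins
    access: str               # "Allow" or "Deny"
    protocol: str             # "Tcp", "Udp" or "*"
    source: str               # service tag, CIDR, or "*" for any
    dest_port: Optional[int]  # None means any port

# Default rules Azure appends to every NSG (real names and priorities).
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", None),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", None),
]

def source_matches(src_ip: str, source: str) -> bool:
    """True if src_ip falls inside the tag's prefixes, the CIDR, or '*'."""
    if source == "*":
        return True
    prefixes = SERVICE_TAGS.get(source, [source])
    return any(ip_address(src_ip) in ip_network(p) for p in prefixes)

def evaluate(rules: List[Rule], src_ip: str, protocol: str, port: int) -> str:
    """Return 'Access:RuleName' for the first rule that matches the flow."""
    for r in sorted(rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if r.protocol not in ("*", protocol):
            continue
        if r.dest_port is not None and r.dest_port != port:
            continue
        if source_matches(src_ip, r.source):
            return f"{r.access}:{r.name}"
    return "Deny:implicit"

# The subnet NSG from the talk: let 443 in from the Internet, nothing else.
SUBNET_NSG = [Rule("AllowHttpsFromInternet", 100, "Allow", "Tcp", "Internet", 443)]

if __name__ == "__main__":
    # Constructed sample flows: a public client, then traffic from inside the vnet.
    print(evaluate(SUBNET_NSG, "203.0.113.7", "Tcp", 443))  # Allow:AllowHttpsFromInternet
    print(evaluate(SUBNET_NSG, "203.0.113.7", "Tcp", 22))   # Deny:DenyAllInBound
    print(evaluate(SUBNET_NSG, "10.0.1.5", "Tcp", 22))      # Allow:AllowVnetInBound
```

Adding a Deny rule with a lower priority number than the Allow shows why rule ordering, not just rule presence, decides what reaches the VM.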
I feel like I should ask for his workout also. He brought guns to the test!
Just watched this and sitting the exam tomorrow so great timing! Thank you very much for your videos
Best AZ-900 prep content out there!
Do I need this exam before taking AZ-104?
31 questions on an exam that is supposed to be 40-60 questions?
Sounds like the exam is CAT based.