Learn Azure Fundamentals - Microsoft AZ-900 Full 4 hour course (ITCT)

Hi, and welcome to this video course on exam AZ-900, Azure Fundamentals. My name is Jim Cheshire, and I'll be your guide as we explore the topics you'll need to know in order to pass the Azure Fundamentals exam. For the past 21 years I've worked at Microsoft in various roles, and in my current role I'm heavily involved in technical readiness across our entire Azure business. I've also written more than a dozen books over the past 20 years or so, including my most recent book, the Microsoft Azure Fundamentals Exam Ref for the AZ-900 exam. If you're interested in learning more about Azure and taking your Azure Fundamentals exam, this video will be a great tool to help you prepare. We'll cover all of the topic areas of the AZ-900 exam, and you'll learn a lot about Azure and the cloud.

In module 1 we'll start off with some high-level cloud concepts and an overview of the different cloud models. You'll gain a strong understanding of the cloud pyramid, and you'll find out about the private cloud, the public cloud and hybrid cloud scenarios. Then in module two we'll talk about some Azure architecture and how Azure works under the hood. You'll also learn about some of the primary Azure products and what they're used for. To put things in context, you'll learn about Azure solutions related to big data, machine learning, serverless computing and more. We'll wrap up with a discussion of managing Azure resources. In module 3 we'll look at security, privacy, compliance and trust. We'll talk about some of the security solutions available in Azure and how they're used. We'll also cover how Azure can help you comply with regulations that might apply in your industry or in your geographical region, and we'll cover the tools that Azure provides to help secure resources and add compliance to your cloud applications. In module 4 we'll talk about Azure pricing and Azure support offerings. You'll learn about forecasting and controlling cost, and you'll learn all about Azure support from Microsoft. We'll also talk about
service level agreements and the life cycle of Azure services. My goal for you is to come away with a solid understanding of the core concepts that will help you as you head into the Azure Fundamentals exam. Along the way, I hope you'll have some fun learning all about Microsoft's cloud offerings. So let's get started.

Welcome to module one: understand cloud concepts. In this module you'll get an introduction into cloud services. We'll talk about some of the economic concerns in the cloud and how to approach adopting the cloud for all your applications. We'll look at the different cloud service types, and we'll talk about scenarios where each of those types makes sense. Finally, we'll talk about public clouds, private clouds and hybrid clouds, and why you might use each one in the real world.

Deciding to move to the cloud can be a little bit intimidating. Figuring out where to even start can get pretty complicated fast. Welcome to lesson one: understand the benefits and considerations of cloud services. In this lesson we take away some of the confusion about the cloud. You learn about high availability and cloud concepts like scalability, elasticity and agility. You learn how Azure can help protect your applications from going down when there's a power failure or, worse, if a natural disaster strikes. We finish the lesson by explaining the economic benefits of moving to the cloud. So let's dig right in.

In just about every conversation about computing systems, someone's going to bring up the term high availability. But what exactly does the term high availability mean? Well, to understand high availability, we first have to define availability itself. When we say that an application is available, we simply mean that the application and the systems that it uses are accessible by users. That's it. It's pretty simple stuff. Availability is measured as a percentage of availability over a specific period of time, but there really isn't an explicit definition of what constitutes high availability. In a
general sense, high availability means that an application and its systems are accessible most of the time, usually in the high 90 percentile over any given period. So what exactly are the things that can impact availability? Well, it's a pretty long list actually, but some of the more common causes for availability issues are a network outage; an application failure caused by code defects or maybe configuration issues with the application; a system outage, like maybe an outage of a virtual machine that's hosting an application; a power outage, obviously, can cause availability problems; and a problem with one or more reliant systems, such as a database that an application uses.

Cloud providers provide a service level agreement, or an SLA, for cloud services, and an SLA specifies the availability percentage of a service, and the cloud provider guarantees that that service will meet that SLA. If it doesn't meet that SLA for a reason that is within the control of the cloud provider, customers are usually entitled to some level of refund for that service. Now, we'll talk more about SLAs in lesson 17, but for now let's move on to some other cloud concepts, specifically scaling and elasticity.

The cloud can save you a lot of money versus buying all of your own infrastructure, but even so, computing resources aren't free, and you pay for what you use. That's why you want to make sure that your cloud applications are using only the resources that they need. Well, that's easy enough to say, I guess, but resource needs can change quickly and often. So your application might be running on one virtual machine without any problems, but imagine what would happen if your application appeared on the evening news and the number of users that hit your application skyrockets. What do you do then? Well, the cloud offers the ability to scale your application so that it can handle those additional resource needs. Now, if you just need to handle more users, like in our news broadcast scenario I just talked about, you might just
need to add additional virtual machines to run that application, something that the cloud makes really easy. This process of adding additional resources is known as scaling out, or horizontal scaling. So for example, your one virtual machine that was running your application is scaled out to multiple virtual machines running the same application. Now, in some cases you may need additional power. So for example, you might find that the virtual machine running your application is maxing out the CPU or maybe using too much memory, and you want to scale to a more powerful machine. That kind of scaling is referred to as scaling up, or vertical scaling, and scaling up doesn't add resources; instead, it replaces your resources with a more powerful resource that has added capability. This kind of easy scaling based on an application's metrics is called elasticity, and it's one of the benefits of moving to the cloud. It also provides the agility that you need for applications that might have different resource needs based upon usage. And by the way, scaling happens in both directions, so you can scale out when you need more resources and scale back in when you need fewer resources, and also you can scale up to a more powerful resource and then scale back down to a less powerful resource as your resource needs change.

So now that we've talked about scaling and how you can react to a changing environment when things are working the way that they should work, what about when things go wrong? Microsoft carefully monitors the Azure infrastructure to reduce any impact of small scale failures. For example, if your application is running on two virtual machines, Microsoft will ensure that those virtual machines are allocated within Azure so that they are unlikely to be impacted by system failures. If one of those VMs fails or becomes unhealthy, Microsoft can easily move you to another healthy VM, and this capability is known as fault tolerance. But what about a larger impact? What happens if there's a large
natural disaster, for example, that impacts an entire Azure data center? In this kind of scenario you need to have a disaster recovery plan in place to ensure business continuity. Most cloud providers, including Azure, have services that will enable you to develop and implement a BCDR plan that meets your specific needs.

Up to this point we've talked about some of the operational benefits of moving to the cloud, and don't worry, you'll learn a lot more about that later on. But let's switch gears a little bit, and let's talk about some of the economic benefits. And first, let's talk about what's needed for on-premises applications. Let's talk about the contrast between on-premises and in the cloud. This is the pre-cloud model of hosting applications. So first of all, you need physical computer hardware, and that means not only spending money on the hardware in the beginning, but also spending a ton of money to upgrade hardware from time to time and for any repair expenses to keep that hardware up and running. You also have to spend money on network infrastructure. Think about it: you need to run network cables, you have to invest in network switches and other network appliances, you have to spend money on firewalls and network troubleshooting equipment. There's all kinds of money involved in network infrastructure. You also have to spend money on storage areas for server racks and all of the other IT equipment you're going to need. And all of these expenses are considered capital expenses, and there are a lot of them. I mean, we're talking about big money.

Now let's look at the cloud model of hosting an application. In the cloud model you rent computing resources from the cloud provider. You don't have to buy expensive equipment, some of which you won't even use to its fullest. This shifts your expenses from capital expenses to operating expenses, and that reduces your cost. It gives you better economies of scale. Now, the cloud provider purchases massive amounts of infrastructure at a reduced cost, and
then that reduced cost is passed on to you. That's what we're talking about when we mention economies of scale. In a cloud model you can adopt a consumption based model where you use only those resources you need. When you need more resources, you can scale out or up as needed, like we saw earlier, and when those resources are no longer needed, you can scale back in or back down to reduce your costs. Clearly, the cloud model provides a lot of economic benefit.

Welcome to lesson two: understand the differences between IaaS, PaaS and SaaS. In this lesson we talk about infrastructure as a service, platform as a service and software as a service, and you learn when each of these service types makes sense for your needs. There are trade-offs and benefits of each service type, and we cover those so that you can make the best choice for your specific needs.

Let's talk about the different service types available in the cloud. This is the cloud pyramid, and it shows the three most common service types: infrastructure as a service, or IaaS; platform as a service, or PaaS; and software as a service, or SaaS. At the bottom of the cloud pyramid you have more control over your infrastructure, but you also have a higher level of responsibility for that infrastructure. At the top of the cloud pyramid you have very little to no control at all over the infrastructure, but you benefit from not having responsibility for managing that infrastructure.

So let's start by looking at IaaS at the bottom of the cloud pyramid. In Azure, the primary IaaS offering is Azure Virtual Machines. In this screenshot I'm creating an Azure virtual machine in the Azure portal, and in this case I've chosen Ubuntu Server 18.04 as my operating system, and when I complete the creation of this VM, Azure will provision a VM for me that's running the operating system that I selected. However, the configuration and maintenance of that operating system, that's my responsibility. If there are updates to the OS, I have to apply those myself, and if someone in my
company breaks that operating system in the application that's running on it, that's also my responsibility. I have to fix that myself.

Now let's look at PaaS, squarely in the middle of the cloud pyramid. In PaaS, the cloud provider assumes a lot of the responsibility for the infrastructure, but the application and much of the configuration of that application is my responsibility. So in Azure, a commonly used PaaS service is Azure App Service. In this screenshot I'm creating a web app that runs in Azure App Service, and I have the option of choosing either Windows or Linux as my operating system, but I don't have the option of choosing what version of operating system I'm using. In this case Microsoft manages the infrastructure for me. I don't have access to remote into that virtual machine, and if that operating system needs to be updated, Microsoft does that for me on their own schedule. However, I still own my application that's running on the virtual machine, and if my code or my configuration causes problems with availability of the application, that's my responsibility and not Microsoft's.

Now let's have a look at SaaS at the top of the cloud pyramid. In a SaaS service, the cloud provider assumes the largest responsibility for the infrastructure, but they also assume responsibility for the software that's running on that infrastructure. SaaS services are usually accessed using a web browser, and a commonly used SaaS service is Office 365.
In this screenshot I'm accessing my Office 365 mailbox in a web browser. I don't have any control over the infrastructure at all in this case. In fact, the infrastructure and the underlying application configuration is completely invisible to me, and while Microsoft does update Office 365 from time to time, I don't even know what's happening. I just open a web browser, I hit the application's URL, and it just works.

Now that you understand the different service types, let's look at a comparison of the three and some benefits and drawbacks of each. Let's start with IaaS. First, the benefits. With an IaaS service, you use the infrastructure only when it's needed. If you don't need a VM, you can stop that VM and you won't get charged for it. You also get access to powerful VMs without having to pay for hardware, and that saves you a ton of money. You have access to services that are provided by the cloud provider that can help you to manage that infrastructure in your application. In Azure this includes things like Azure Security Center, Azure Backup, Azure Log Analytics and much more. You also benefit from the agility that easy and automated scaling provides, and you benefit from fault tolerance that's incorporated into the way the cloud provider manages the deployment of that infrastructure. A possible drawback of using IaaS is that you must manage the operating system and other software installs yourself. You also manage any of the updates that are required for that operating system and software.

Okay, so let's look at PaaS, and again we'll look at benefits first. In PaaS, the cloud provider manages the operating system and other software installed on the VM. The cloud provider usually provides application frameworks that you can use without having to manage any installation yourself of those frameworks. And PaaS also enables a lift and shift capability. That means you can easily take your on-premises application and deploy it to the cloud without having to jump through a whole bunch of hoops and stand
up any infrastructure. PaaS services also offer powerful features that you can enable easily to enhance your application. Those might be things like authentication, powerful logging features and things like that. Now, possible drawbacks of a PaaS service are, first of all, a loss of flexibility, since you no longer control the infrastructure and what's installed onto it. You also have to deal with the fact that the cloud provider may update the OS or other components, and if that creates an incompatibility with your application, it might break your application. Now, to be fair, cloud providers usually give you a heads up before they make changes like that, so you can usually test your application for compatibility before they make a big change.

Wrapping this up, let's look at SaaS at the top of the cloud pyramid. SaaS typically operates in a pay-as-you-go model, meaning that you pay for access to the application. You don't have to pay for new versions because you're using that application in a subscription-based model. In SaaS there's also no management overhead at all. Everything is managed by the cloud provider, and because SaaS applications are usually accessed using a web browser, they're often available on just about any device. Finally, because the cloud provider manages everything for you, you don't need an IT staff to manage anything for a SaaS application. Now for drawbacks. First of all, you're locked into the use case specific to the software service, and if that doesn't meet your needs, you don't have any way that you can change that fact. Also, if there's an outage, you lose complete access to the application. Now, as you move towards adopting the cloud, you'll need to weigh the pros and cons of each of these service types against your specific needs.

Deciding to move to the cloud can be complicated. Some applications are incredibly complex and have dependencies that might be hard to move to the cloud for regulatory reasons or for technical reasons. In lesson three we cover the public cloud and
why it makes sense for many scenarios. We also talk about private cloud scenarios and why it can be a great way for you to take advantage of cloud technologies. Finally, we talk about the mix between public and private cloud when we cover hybrid cloud scenarios and how they can help accelerate your move to the cloud.

Let's wrap up module one with a discussion of public clouds, private clouds and hybrid clouds. Public clouds use infrastructure that's provided by a cloud provider, so everyone who uses the cloud shares that same infrastructure, and while you can have cloud resources like virtual machines that are allocated specifically to you, the infrastructure that that virtual machine runs on is shared with everyone else who uses that public cloud. And for that reason, public clouds are sometimes referred to as multi-tenant environments. In a public cloud you certainly benefit from the agility the cloud provides, and you benefit from easy and quick deployment to the cloud. You benefit from easy management of cloud resources, and as we've already seen, there are a lot of cost control benefits to using the public cloud. At the same time, there are some drawbacks. You do have some loss of control in the public cloud. How much control you have really relies on where your application sits on the cloud pyramid that we looked at earlier. You might also encounter some challenges related to security and regulatory requirements that your application might have, and we'll talk about how you can meet some of those challenges in lesson 13.
The public cloud also isn't as flexible as operating your own infrastructure. For example, if you want to host your application on a machine with a very specific configuration, you might not have that configuration available to you in the public cloud.

Private clouds use cloud infrastructure that's dedicated to a single company. Private clouds can be hosted on-premises using infrastructure that's purchased by that company using the cloud, but it's more common that private clouds are hosted by a third-party cloud provider for all of the economic reasons we've talked about already. Because they are dedicated to a single company, private clouds are sometimes referred to as single tenant environments. In a private cloud you benefit from agility just as you do with the public cloud, and you benefit from having a private network that might be something that's required for regulatory reasons in your business. Private clouds can also be used without internet access, so for example, a cruise ship might use a private cloud while at sea to manage complex ship systems when they don't have access to the internet. Private clouds can also help you control costs, assuming you host that private cloud with a third-party cloud provider. However, if you host your infrastructure for your private cloud on premises, that can contribute to a much higher cost of ownership. You have to buy infrastructure and maintain that. Also, to control costs, many companies host their private clouds with a third party, but doing so removes some of your agility to control access to your data, and that might present you with some regulatory concerns.

There's a third type of cloud that's becoming more popular as more companies make the move to the cloud, and that's the hybrid cloud. A hybrid cloud is a mixture of both public and private clouds, and in a hybrid cloud you may have an application that's running in the public cloud, but that application uses resources that are hosted either on premises or at a third party private cloud
provider. For example, you might have a web app that runs on Azure App Service, but that app uses a database that is hosted on premises. A hybrid cloud allows you to keep some systems on premises, that can help you to have full governance over those resources. A hybrid scenario also makes it much easier to support legacy systems that you might be using. For example, your application might be using a database technology that isn't available in the public cloud, so by using a hybrid cloud you can support that legacy system on premises. You also have full control and governance over any of the data and infrastructure that is hosted on premises, and that might be something that's critical to you for regulatory or security reasons. There are some drawbacks to using a hybrid cloud. Systems that you host on-premises will need to connect to cloud resources and vice versa, and configuring that connectivity can be a technically complex thing to do, and it can be hard to troubleshoot when things don't work right. You'll also need to ensure that data hosted on premises and in the cloud is compatible, and that may require some additional development overhead to ensure that all your resources can properly consume your data. And both of these drawbacks are likely going to require that you have additional IT expertise in your company, and that usually means hiring new people or training existing people to meet those challenges.

Welcome to module 2: understand core Azure services. This module will build on what you learned in module one. We'll talk about the core Azure architectural components and how Azure works under the hood. We'll then talk about some of the core products available in Azure in areas like networking, storage, compute and databases. You'll also learn about the Azure Marketplace and how it can make moving to the cloud easier. We'll cover topics like the internet of things, big data, machine learning and serverless computing. We'll then wrap up the module by learning about the tools available
for configuring and managing your Azure services. So let's get going.

Welcome to lesson four: understand core Azure architectural components. Microsoft Azure is complex and massive. This lesson gives you a much better understanding of how Azure works. In this lesson you first learn about the architecture of Azure, and you peel back some of that complexity. Then you learn how to better manage your Azure resources using resource groups. So let's get started.

The infrastructure for Microsoft Azure is spread out across the globe in various geographies. A geography is just a logical boundary that Microsoft has defined, and they're often defined by the borders of a country. This allows Microsoft to assure you that Azure data centers comply with regulations that might apply to a specific country. So within each geography Microsoft has defined two or more regions, and a region is also a logical boundary, but it's much more localized than a geography. Each region within a geography is typically separated by hundreds of miles, so that a disaster that might happen in one region likely won't impact resources in other regions, and that's an important consideration for disaster recovery. Now, within each region Microsoft has built data centers. These are physical buildings that house the infrastructure that Azure uses. Each data center is climate controlled, and each has its own network infrastructure, its own isolated power supplies and power generators in case of power failures. All of the data that flows into and out of each data center uses fiber optic cables that are either owned or leased by Microsoft. Even data that flows between data centers that are separated by oceans uses Microsoft's fiber optic cables that lie on the ocean floor. So to ensure maximum availability, Microsoft recommends that customers replicate data in multiple regions so that a problem in one region won't bring down your application. To protect your data and applications from a localized problem that might happen at a particular
data center, Microsoft created availability zones, and an availability zone is a unique physical location that's within a region, and each availability zone contains one or more data centers. Availability zones aren't available in all Azure regions yet, but in those regions that do offer them, there are at least three separate availability zones defined. Because each availability zone contains distinct data centers, they don't share a common water source, a power source or any of the network infrastructure. So that means if you deploy your application to two or more availability zones, you can ensure maximum availability, and in fact Microsoft guarantees that a service level agreement of 99.99 uptime can be achieved for Azure virtual machines only if two or more VMs are deployed into two or more availability zones. There are two categories of services that support availability zones: zonal services and zone redundant services. Zonal services, such as Azure virtual machines, are deployed into availability zones explicitly. Zone redundant services, such as SQL Server databases, aren't explicitly deployed into an availability zone. Instead, you specify to make them zone redundant when you create them, and then Azure takes care of the rest by deploying them into multiple availability zones for you.

Most applications that are deployed to the cloud use more than one Azure service. You might have a website in Azure App Service, another component running in an Azure VM, and maybe a database running on Azure SQL Database. Complex applications can use a lot more services than that, in fact, and deploying and managing all of these services can get pretty complicated. So to make it much easier to deploy and manage a large number of related Azure services, Microsoft developed Azure Resource Manager, or ARM. ARM is a service that runs in Azure, and it's responsible for all of the interaction with Azure services. So when you create an Azure resource, ARM authenticates you to make sure you have the right access to
create that resource, and then it talks to a resource provider for the service that you're creating. Later on in this video we'll talk about the Azure portal and using the command line to manage Azure resources. Both of those tools, as well as Microsoft Visual Studio, use ARM to interact with Azure services. ARM provides a consistent and a predictable interface into Azure. So a management tool such as the Azure portal communicates with the ARM application programming interface, or API, and the API passes the request to ARM. ARM then takes that and passes it off to a resource provider that's specific to the type of resource. ARM also uses what's called a declarative syntax, and all requests to ARM are declared using text files that are in JavaScript Object Notation, or JSON, and those JSON files are called ARM templates. These ARM templates make it really easy to replicate large and complex deployments.

At this point you might be thinking that deploying and managing a real world application to the cloud is a little more complex than you first thought. When you're dealing with an application that uses multiple Azure services, some of which might be spread across multiple regions, it can be difficult to keep everything organized and under control. For that reason, ARM offers a feature that can really help with that. It's called resource groups, and a resource group is a logical container for Azure resources. It can be a huge help with resource management, and you can name a resource group with a unique name that helps you identify which application the resources within that resource group are associated with. You can also perform certain actions, such as deleting resources, against an entire resource group with one operation. So if you're doing some testing or something like that with a particular deployment, and then you want to delete all of those resources after you test it, you can simply delete the resource group, and then ARM will take care of deleting all of those resources within it.
Resource groups also provide a better way to control costs, because Azure lets you see resource costs of the entire resource group inside of the Azure portal, and you can apply tags to any of the resources in the resource group so that you can keep them organized, but also because tags are displayed in your Azure invoice, and you can improve your billing experience by tagging resources that should be billed maybe to specific cost centers, or using other tags that make sense for your business purposes. Once you've deployed all your Azure resources into a resource group, you can save an ARM template (remember, that's those JSON files that ARM uses). You can save an ARM template that represents that deployment, and this makes it incredibly easy to redeploy all of those resources later utilizing that ARM template. For example, you can deploy your application into one region, and then you can easily replicate that deployment in more regions using that ARM template without having to manually go through the deployment process again.

Welcome to lesson five: learn some of the core products available in Azure. In this lesson we move from Azure concepts into specific Azure services. First, we'll talk about Azure compute products like Azure Virtual Machines. Next, you learn about Azure networking products such as virtual networks, Azure Load Balancer, Azure Application Gateway and much more. We then talk about Azure storage solutions and Azure database products. We wrap up with Azure Marketplace and how you can use it to jump start your move to the cloud.

Azure compute products allow you to easily and dynamically allocate resources that might be needed for any computing task. Azure offers many different compute products, as shown here, and one of the most commonly used compute products is Azure Virtual Machines. So let's have a look at how we can easily and quickly create a virtual machine in the Azure portal. So this is the Azure portal, where I can create Azure resources and manage resources I've already
created. Keep in mind that the Azure portal is constantly changing, so when you open the portal today it might look a little different than this, and in fact we're going to go through the Azure portal a little bit more later in this video. Right now we just want to go over some basics about how we're going to create a virtual machine. So since I want to create a virtual machine, I'm just going to click right here on Create a resource, and here I can see the popular Azure services, and it looks like Windows Server 2016 Datacenter is right here at the top, so I'm just going to click this. Now, the first thing I'm required to do is tell Azure which resource group that I want this VM to be in, and I've got a resource group that I already created. It's called az900, and I'm going to just select that here. If I don't already have a resource group for this, I can click Create new and I can create a new resource group right here at this step. Now I'll scroll down a little bit. This is where I'm going to enter the details for my VM. So the first thing I want to do is give my VM a name, and I'm going to call this my VM. Pretty simple name. I can call this anything I want to. Now, another thing you might notice here is that it does validate this machine name to ensure that it's valid. If I enter something here that's not a valid character, it'll automatically fail that validation and show me where that problem is, so it really helps you to not make a mistake at this step in the process. Next thing I need to do is select a region for my VM, and you can see I have a lot of different regions available to me. I'm just going to leave it at South Central US. That's a region that's close to me. I also have different availability options. This is where I could specify to put my VM in an availability zone, but notice availability zone is not available here. The reason for that is because, as I said earlier, availability zones aren't available in all Azure regions yet, and so I can tell here that availability zones are
not available in the south central u.s region that doesn't really matter to me right now because i'm not going to select an availability option here and now i can select my operating system notice that i have quite a few different operating systems that i can install onto this vm for right now i'm just going to leave it at windows server 2016 data center and we're not going to talk about instance size at this point i'm just going to leave that at the default i do need to enter in an administrator username and password so i'm going to enter in james che and i will put a password here and it needs to be longer than that well let's see let's do that one right there okay and they do match and at this point i could click next and i could select some disk options and go through some other steps to customize how this vm gets created but for this demo i'm just going to go ahead and click on review and create and that takes me to this screen which kind of gives me an overview of about how much i can expect to pay for this and some other information including the terms i'm going to go ahead and click create right now and that's going to kick off this deployment of my vm which will take just a few minutes to complete so azure is now deploying my vm deployment of this vm takes about a minute or so to complete azure can complete this process so quickly because it uses containers to deploy these vms and we're going to talk about containers more in just a minute but before that let's have a look at another feature of virtual machines that can help you with fault tolerance and that feature is called availability sets once azure has finished deploying my vm there's a physical hardware rack somewhere in the south central u.s region that contains a host computer for my vm that also means that there's a point of failure for my vm if anything goes wrong with the power or anything else in that rack my vm might be impacted and in fact there's another risk that you might not have 
thought about remember this is an iaas vm so i'm responsible for keeping the operating system updated that helps me a bit because it means that i should always be aware if an os update might reboot my vm and impact my availability however an os update isn't the only thing that might cause my machine to get rebooted if azure determines that my vm is unhealthy it could be rebooted in order to get it back to a healthy state and that kind of thing can happen without any notice also azure may actually reboot the host operating system if an update is required and that can also happen without any notice availability sets help you to avoid downtime in both of those situations by using two logical containers called fault domains and update domains a fault domain is designed to protect you from hardware issues or power issues within the physical rack while an update domain protects you from downtime due to the machine either the host computer or the vm that's on it being rebooted so here's how they work in the graphic on the left i have five vms and when i created the first vm azure placed it in fault domain 0 and update domain 0. 
at this point i have no fault tolerance and no protection from a vm reboot however when i create the second vm azure places it in a separate fault and update domain a vm that's placed in a different fault domain is actually hosted in a different physical rack and that provides fault tolerance update domains protect you from availability issues caused by reboots because azure will never reboot computers that are in separate update domains at the same time now you don't explicitly tell azure which fault domain and which update domain a vm should be in azure takes care of that for you automatically however when you create your availability set you do have to specify the number of update domains and fault domains that you want to create now before we move on to some of the networking products in azure let's talk about one more feature in azure compute that makes it possible to deploy complex applications to the cloud much more easily and that's containers think about what you need to do if you want to deploy a complex application to a vm running in the cloud you'd need to install database components and other dependencies you'd have to configure all your settings you'd have to make sure that database drivers needed by the application are installed and working correctly and on and on so what happens when you want to deploy that same application to a second vm now you got to do all of that stuff all over again and you have to be careful that everything is configured the same way on both vms containers are designed to make that kind of deployment much easier so in this example on this screen i'm showing a docker container and docker is one of the most used container runtimes and here's how it works you create an image which is essentially a zipped image of your application and that image contains an operating system the application itself and any files that requires any necessary modules that the application requires to run any database components that are required for 
the application to work correctly and maybe the application uses a web server so it would have that web server along with the web service configuration and then also the application's website all of that stuff zipped into that one image anything else that the application requires also zipped into that one image now the docker runtime is running on the vm and when you point that docker runtime to the docker image which gets actually stored in a website called a docker repository docker creates an isolated environment called a container in which it runs your application you can kind of think of the container as being similar to a vm and containers make it very easy to deploy an application and all of its dependencies to the cloud in azure containers are supported in azure kubernetes service azure app service azure container instance and azure virtual machines now let's move on to some of the networking products that are available in azure as we look at networking products we're going to use the n-tier application shown here as an example now while it's not a requirement to design applications using this model most applications do use an n-tier approach because it makes it easier to separate the components of the application so in this example we have a web tier which provides the user interface for the application we have a middle tier where we have some business logic defined and we have the data tier that deals with the data that the application uses for security reasons you would typically want to make sure that only the web tier is exposed to the internet and you would also want to ensure that the web tier exposed to the internet can't talk directly to the data tier over the network instead all data is exposed to the web tier through the middle tier now to enforce these kinds of best practices i can use azure virtual networks to segment my network into subnets so this graphic shows the same n-tier application but now i have an application within an azure 
virtual network and i've created three different subnets within that virtual network by using subnets i can apply rules that control how network traffic can flow between those subnets and we'll talk a bit more about that in lesson 8 when we talk about securing network traffic in azure okay so remember that we talked earlier about scaling out an application to provide support for more users in this graphic i've done just that for my web tier that's in subnet one i have three vms running my web tier so that i can maintain high availability however there's a problem with this configuration because each of these vms has its own public ip address any particular user of my application is only going to use one specific vm if that vm all of a sudden is under a lot of load that can cause that user to experience slowness or errors for my web app it would be much more ideal if i could just spread the load across all of these vms so that all of my users get a really good performance azure load balancer is a product in azure networking that will make it possible to do that so in this graphic i've added azure load balancer to the mix now instead of a user seeing the ip address of an individual vm everyone that uses my web tier sees the ip address of azure load balancer and not only does azure load balancer distribute traffic evenly across my vms but it can also be configured so that it sends a user to another vm if a problem is experienced with one of these vms and that user won't even know that that's happening now let's dig a little deeper what if i want to send traffic to a specific vm based on the url or what if i want to do something like use a cookie to ensure that a user always gets directed to the same vm maybe i'm storing some state information on that vm for that user and i want to make sure they don't get moved to a different vm or let's say that i want to create a custom error page that might have my company logo on it or maybe i want to offload the handling of ssl 
traffic from my vm so that they don't have to deal with that overhead to do all of those types of things i need a load balancing solution that understands http the language of the web and thankfully azure has just such a product it's called azure application gateway so in this graphic instead of using azure load balancer i'm now using azure application gateway it does a lot of the same things for me that azure load balancer does but it also understands http traffic and it can fulfill the other requirements that i talked about earlier that deal specifically with web traffic and even better i can add another networking product called web application firewall to my application gateway and that can help prevent bad guys from accessing my virtual network across the internet okay switching gears again just a little bit remember in lesson three when we talked about hybrid clouds i said then that one of the drawbacks to a hybrid cloud scenario was configuring communication between on-premises resources and cloud resources well azure offers a networking product designed to make that kind of connectivity a little bit easier and it's called vpn gateway vpn gateway connects your azure resources to on-premises resources using an encrypted virtual private network tunnel as shown in this graphic and there are multiple vpn gateway connection types that are available in azure site-to-site vpn connects your azure vnet to a single on-premises location although there's also a multi-site variant that will allow for connection to multiple locations a point-to-site vpn connection connects a single on-premises client to your azure vnet multiple clients can still connect but each one of those clients is going to connect over its own separate vpn client a vnet-to-vnet connection connects two azure vnets to each other that's often used to connect two azure vnets that might exist within separate azure regions the next networking product we'll talk about is azure content delivery network 
or cdn a cdn is an effective way of delivering large files or streaming content over the internet and it does this by storing cached copies of files in multiple geographic locations and it stores those files in a special server that's called a point of presence or a pop server but these servers are more commonly called edge servers content on these edge servers has a time to live property that tells the server how long to keep that cached copy of that content so when a request for a file comes to an edge server it checks to see if it has a cached copy of that file and if it does it'll use that cached copy to service that request really fast if the file doesn't exist in the cache the edge server requests that file from its original location and then it caches that file for the time period that's specified in the time to live property okay let's wrap up our discussion of networking products with azure traffic manager azure traffic manager is a dns based system that's designed to increase the speed and the reliability of your application so to use azure traffic manager you configure one or more endpoints and an endpoint is just simply a resource that you want users to connect to traffic manager can easily be configured with endpoints for a public ip associated with an azure vm or a web app that's running an azure app service or a cloud service that's hosted in azure but you can also configure an endpoint for resources that are hosted on premise or even on another cloud provider traffic manager works by responding to dns lookups for a specific resource and because traffic manager is dns based only the dns lookup flows through the traffic manager once that dns record is returned to the requesting client traffic will then flow directly to the endpoint and it won't flow through traffic manager at all traffic manager supports numerous different routing rules based on different usage scenarios and they're all outlined on this slide here so first rule is priority and that 
sends traffic to a priority endpoint but if something happens with that priority endpoint it can send it to a backup endpoint so that availability isn't impacted another rule is the weighted rule and that allows you to specify weights for your endpoints and then traffic gets distributed across those endpoints by default it's going to send traffic evenly between those endpoints but you can control how much weight a specific endpoint gets in that distribution by specifying a weight property performance uses the endpoint with the lowest network latency geographic will route that user to an endpoint based on the location of the dns server where the lookup happens multi-value will return all the endpoints using a specific ip protocol version that could be either ipv4 or ipv6 and then subnet routes based on the end user's ip address range let's talk about azure storage products and when i say azure storage i'm simply talking about azure products that can store data that an application uses whether you need to store data temporarily on disk on your vm or you need a more long-term storage solution there's probably an azure storage product that's going to meet your needs azure offers four different storage products blob storage queue storage disk storage and azure files blob storage is designed to provide storage of unstructured data that might include text files images videos documents and other types of data that doesn't have a defined structure an entity that's stored in blob storage is referred to as a blob and there are three types of blobs block blobs are used for storing files that an application might need to use append blobs also store files but they're specifically designed to be efficient for files that need to be appended often a good example might be something like a diagnostic log that your application updates often a page blob is designed to store virtual hard drive files or vhd's that are used in azure vms and we'll talk more about that in just a minute when 
we cover azure disk storage all blobs in blob storage are organized using storage containers so you might for example have a container for storing videos and another container for storing images and so on azure doesn't dictate how you organize your containers all of that is completely up to you microsoft prices blob storage in pricing tiers according to how often you access the data and how long you store the data the hot storage tier is for data that needs to be accessed often the cost for storage in the hot storage tier is the highest but the price for accessing the data is low the cool tier on the other hand is for data that needs to be stored for longer periods but not accessed as often it has a lower cost for storage but the cost for access is higher and there's also an archive tier for data that needs to be stored for really long periods storage costs for the archive tier are the lowest that are available out of the three tiers but the access costs are the highest microsoft guarantees access to the first byte of data in the hot and cool tiers within milliseconds but because the archive tier is designed for long-term archival storage access to the first byte is guaranteed within 15 hours azure queue storage makes it possible to create a cloud-based message queue for an application the application can access these messages that are stored in azure queue storage in order to do things like keep track of long-running operations or perform complex multi-step operations in a specific order queue storage can process millions of messages up to 64 kilobytes in size each and it does so asynchronously access to queue storage is protected either by azure active directory or by a shared access key when an application needs to interact with queue storage it does so using an api and microsoft provides apis for .net java node.js c++ php python and ruby so you can use queue storage with just about any application out there and by the way the application doesn't have to be in 
azure you can access queue storage from an application on premises in azure or you can host your application in another cloud provider and still use azure queue storage disk storage is used for storing disk images used in azure vms when you create a vm in azure a disk does get created for you and it does get mounted to that vm so you can store files on it but if there's a maintenance event on that vm or if you deploy a new vm you don't have access to the data that's on that disk it's not available to you anymore so if you want persistent disk storage for an azure vm you can store a disk image in disk storage disk storage offers both traditional hard disk drives and also solid state drives but because hard disk drives are less reliable they're cheaper but they're also recommended only for non-critical data azure disks under the hood are stored in blob storage and they're available in two different varieties unmanaged disks use your azure storage account and that means you have to manage that account by yourself it also means that if you have heavy disk usage azure might throttle your storage account and that can lead to availability problems with your application if you use managed disks microsoft manages the storage account for you and they also remove all of the storage limitations that might cause throttling that makes managed disks way superior to unmanaged disks and in fact microsoft recommends managed disks for all new vms and if you have existing vms that use unmanaged disks they recommend that you move those disks to managed disks so azure disks are a great solution when you want a disk for your azure vm but what if you just want disk storage in the cloud but you don't need a vm if you want cloud-based disk storage but you don't want the overhead of managing a vm azure files offers you that option azure files uses a standard smb file share to mount to the disk and that means it can be accessed by cloud-based or on-premises computers if you're accessing 
cloud-based files over smb from an on-premises machine you're going to notice slower file transfers because it has to transfer those files over the network to solve that problem microsoft offers a free utility called azure file sync if you install azure file sync on your on-premises server it keeps all of your files in azure files synced with that on-premises server so you can just point your on-premises application to that on-premises server for really fast file access but all of those files are also synchronized in the cloud in azure files so that wraps up the storage products we'll cover let's now have a look at some of the database products that are offered in azure azure offers many different database offerings let's start by looking at azure sql database this is a paas offering for sql server databases in the cloud sql server databases are relational databases that are made up of tables of data and each of these tables has a schema that's associated with it that describes what the table should look like for example a schema might define that a table contains a number for the record id a first name a last name and a date field data that you add to that table must comply with that schema relational databases also typically have numerous tables and some of those tables may be related to each other for example a customers table might contain data on all of your customers and an orders table might contain all of your orders with a reference to a customer in the customers table for each order azure offers three different deployment options for azure sql database single database elastic pool and managed instance so let's quickly have a look at each of these options the single database option is simply a sql server database in the cloud that's managed by microsoft it's offered in two models the dtu model and the vcore model the dtu model has fixed pricing but it lacks flexibility it also imposes pre-configured limits on transactions against the database as well as 
cpu storage and memory you can scale from basic to standard or premium to increase the limits but that's your only scaling option in other words you don't have the option to scale only memory or only cpu configuration in the dtu model the vcore model offers much greater visibility into resource usage such as your cpu usage your storage usage and your memory and you can also configure the limits and usage of these resources as needed you also have the ability to scale individual resources rather than simply moving to a different database tier the elastic pool deployment option consists of more than one database and actually usually a really large number of databases that are all managed by the same sql database server this option is really geared towards saas offerings where you might want groups of users or individual users to have their own database you can easily move databases into and out of the elastic pool and you're charged only for the resource usage of the pool you're not charged for individual databases that are in the pool managed instances are designed for users who want an easy path to migrate on-premises databases to the cloud and they're fully compatible with on-premises sql server microsoft offers a database migration service or dms for easy migration and once your data has been migrated dms can synchronize the data between the source on-premises database and azure sql database in order for dms to work though you'll need either vpn or a service like expressroute and you can learn more about expressroute by visiting aka.ms/expressroute in addition to azure sql database microsoft also offers a fully managed mysql offering called azure database for mysql azure database for mysql offers pay-as-you-go pricing and automatic backups and you can be confident that your databases are secure because azure database for mysql offers enterprise grade security and compliance your databases are easily scalable in seconds and you can use your 
existing toolset of any of your open source tools so you don't have to worry about learning new proprietary tools to manage your databases if you need a cloud-based nosql offering azure offers azure cosmos db nosql databases are they're not relational databases they don't care what kind of data you store in them for example if you want to start storing your customers' birthdays in your database you simply add the birthday to your data and then add it to the database if a customer doesn't have a birthday in the database it doesn't matter the database doesn't care because there's no schema when you create a cosmos db database in azure you choose the api you want to use and that determines the database type the core api creates a document database where data is stored as structured strings of text and you can query that using sql syntax a good choice if you want your users to be able to use a query language that maybe they're more familiar with the azure cosmos db for mongodb api also creates a document database but that database allows for easy migration of an existing mongodb database to the cloud a cassandra database is a column database that can scale really well and it provides very fast access to a large amount of data and the cassandra api makes it easy to migrate existing cassandra databases to cosmos db if you want to migrate data that's in azure table storage to cosmos db you can use the azure table api this will create a key value nosql database and finally you can use the gremlin api to create a gremlin graph database that's suitable for easy migration of an existing gremlin database to the cloud one of the key advantages to azure cosmos db is the ability to easily scale and replicate databases globally using what microsoft calls turnkey global distribution so here you can see my cosmos db in the azure portal if i want to replicate my database to another region i simply click on that region and azure takes care of all the rest for me so you can 
see why microsoft calls this turnkey global distribution it's not the cleverest name in the world but it clearly describes exactly what this is and it's pretty cool we'll wrap up our discussion of core azure products with an overview of the azure marketplace in lesson four we talked about azure resource manager or arm and the fact that azure resources can be defined and deployed using arm templates and while you can certainly create your own arm templates you can also take advantage of many existing arm templates created by microsoft and by third parties to deploy azure resources really easily microsoft makes these templates available in the azure marketplace that's available in the azure portal so if i click right here in the portal on create a resource it takes me right here to the azure marketplace and from here i can click on one of the categories of items over here on the left or i can choose from a list of popular azure offerings and i can also enter a search term in the search box right here and that allows me to search all of the marketplace templates if i want to narrow down my search even more i can click on see all right here and from here i can still search the marketplace but i can also filter by price i can filter by operating system or i can filter by publisher if i find a particular template that i really like and i want to have quick and easy access to it i can just click right here on this little heart and that adds it to my saved list and then i can access my saved list easily by just clicking right here now some of the templates in the marketplace deploy a single resource but others might deploy many resources that all combine together to make a single solution for example if i scroll down here and i click on web here under blogs and cms i have the option of easily creating a popular cms application in azure and each of these will create multiple resources in azure to support that application however when i get my azure bill i'll only see the 
charge for the marketplace offering i'm using i won't see a complicated invoice for a long list of resources used by that template if i want to use one of these templates all i have to do is click on it and then i can click create right here to kick off that process now the create process differs depending on which template i use but once i specify all of the required options i can click on create here at the bottom and that finishes off the process it's that easy some of the most interesting and cutting edge technologies rely on the cloud and in lesson six learn some of the solutions available in azure we talk about just a few of these technologies we start off with the internet of things and some of the great offerings in azure that can help you to connect and manage devices of all kinds we then talk about big data offerings and how azure makes it much easier to store huge amounts of data and analyze those data we also talk about artificial intelligence and machine learning and finally we cover serverless computing in azure this is going to be fun so let's get started now that we've covered some of the core products in azure let's have a look at some of the solutions that are available in azure and again we're just skimming the surface and giving you the information you need for the azure fundamentals exam we'll start off with the internet of things just about every consumer device that you can think of these days offers some kind of internet connectivity we have cameras that connect to the internet scales that send our weight to the cloud av equipment that stream content and store our preferences in the cloud and even cars that connect to the internet all of these things make up the internet of things or iot and we're talking really big numbers here in fact it's estimated that there are currently over 25 billion iot devices today that's billion with a b and by 2025 that number is expected to grow to over 75 billion think about that the entire population of the 
world is only around 8 billion so that means that these iot devices outnumber people by a really wide margin now as you might imagine azure offers services that can help you to manage iot devices in the cloud and we're going to look at two of them starting with azure iot hub iot hub is a pass offering for managing the communication between your application and iot devices it supports virtually any iot device and you can have up to 1 million devices in a single iot hub instance and iot hub makes managing all of those devices easy so let's have a look at that in the azure portal this is an iot hub instance that i created earlier and if i scroll down here i can select iot devices from this menu and now i can see all of the devices that i've added to this iot hub i only have two devices here but as i said earlier you can have up to a million devices in a single iot hub now if i click on one of these devices i can send a message to this device or i can use direct method here to run a command on my device and pass parameters to it i can also use iot hub to upload files to a device by clicking right here on file upload for example i might want to upload new firmware to my device and i can do that right here another cool feature in iot hub is the ability to route messages so if i click on message routing i can configure message routes for any messages that come from my device i can choose to route device telemetry configuration changes and much more by just clicking on add right here and here i can give my route a name i can add an endpoint and an endpoint can be a storage container event hub service bus cues service bus topics i can choose what data source i want and then i can enable or disable the route i can even write a route query so that i can query the body of that message and route only messages that match a certain query of course i can scale my iot hub if i need additional capabilities i'll scroll up here and i just click on pricing and scale and you can see 
here that i'm currently using the s1 standard tier but if i click on this i can switch to a higher level tier to get more capabilities at an increased cost you can see here that with the s1 tier i get 400 000 messages per day included in my 25 per month charge by the way notice here that the basic tiers are grayed out that's because you can't downgrade in iot hubs tier you can upgrade your tier so if i had created this iot hub in the basic tier i'd be able to upgrade it to the standard tier but i can't go from the standard tier down to the basic tier so that's iot hub now let's have a look at iot central iot central is a sas offering with easy management of iot devices and because it's a sas offering you don't have to create any azure resources to use it you do however need an azure subscription for billing purposes iot central is a pay as you go service so you only pay for the devices that you add to your iot central application to make things easier iot central offers many pre-configured templates for creating applications let's have a quick look at that and see how that works to access iot central i just browse to https apps.azureiotcentral.com and from here on the iot central homepage i can scroll down and i can select my industry either retail energy or government or healthcare to get a list of templates that are kind of customized for the types of things that my industry typically does but if i don't see my industry i can scroll down and and i can click on create a custom app and that allows me to create my own new customized app and here's where i can give my iot central app a name and a url remember this is a sas platform so the application i create here will be accessed using a web browser so i'm going to enter in here az900 central that's going to be my application name and notice when i do that iot central creates a recommended url automatically i can change that if i want to but i'm okay with it as it is i'm going to choose to create this as a legacy 
application because that doesn't use any preview features that are still in development i can choose right here to make this a seven day free trial but in my case i'm going to create this in my azure subscription so i'm going to go down here and choose my directory this is my azure active directory directory and now i can choose a location i'm going to choose united states because that's where i am and finally i can just click on create to create this application once my application is provisioned i'm taken to the home screen here now microsoft makes it easy to proceed from here by providing links directly to quick start demos tutorials and documentation so let's go ahead and add a device by clicking on create device template and the template i'm going to use is the mx chip template this is a cool iot device that microsoft sells so that you can experiment with a ton of different sensors as you test the different iot solutions in azure if you want to learn more about it check out ms aka.ms.gov iot dash dev kit i can give my template a name that i choose or i can accept the default and then i'm just going to click create to create my template now what i've just done is created a simulated device and that's okay for this demo now i can see data that's starting to come in from my device now by default it's only showing data from these accelerometers but i can enable data from other sensors by just clicking on the little eyeball here and that turns those sensors on so if i click here on humidity that gives me the data from the humidity sensor right here i can also see settings for this device by clicking here on settings i can see properties by clicking on properties and i can run commands on my device by clicking on commands and so on for rules and dashboard by simply interacting with a single device it might not be very efficient especially if i have a lot of iot devices and that's where device sets come into place so if i click here on device sets i can see that i 
have a default device set that includes all devices for my mxchip device template any new device that i add using this specific template is going to be included in this device set but i can create my own device set as well for example if i'm managing iot devices in a large high-rise building i might want to create a device set for all devices on a particular floor and then i can then interact with all of those devices easily by clicking on jobs right here so if i click new right here to create a new device set i could name these like floor 14 devices and then i can select a device template here it might be the mxchip template but it might be other templates that i've used as well in this case i'll just choose this and now all i have to do is click on save and that saves my new device set now when i click on jobs i can add a new job here and i can choose a device set for that job so if i wanted to for example reboot all of the devices that are on the 14th floor i could actually do that through a job here by targeting that specific device set another powerful feature in iot central is the ability to export data from iot central to azure blob storage azure event hubs or azure service bus this adds a lot of power without a lot of management overhead because of the simplicity of using a saas solution for managing my iot devices all of my export options are available here in data export so i'm going to say okay to that because i didn't save those changes so i can click new right here and i can choose where i want my data to be exported let's say i want to export it to blob storage and then i can choose my storage account my container and what format i want that data exported to all right let's move on to some of the solutions available in the area of big data and analytics azure has offerings such as azure sql data warehouse azure data lake storage and azure hdinsight for dealing with big data but what exactly do we mean when we say big data well in a nutshell big data 
means more data than you can analyze through conventional means within a desired time frame think about azure itself and how much telemetry and diagnostic data exists on all of azure's infrastructure microsoft relies on being able to carefully and efficiently analyze all of that data in order to ensure that they can detect and act on problems early on and meet their guaranteed slas that's a good example of what big data really means by storing all of this data in a data warehouse you can throw enormous computing resources at data analysis allowing you to analyze the data much more quickly analysis of big data can be performed using azure hdinsight something we'll talk about later in this lesson but right now let's talk about where you actually store big data first let's talk about azure sql data warehouse sql data warehouse is designed to store relational data in fact the data stored in sql data warehouse is in a form similar to sql server tables and you can even perform queries against it using sql query language sql data warehouse is secured using either sql server authentication or azure active directory and all the data that's stored in sql data warehouse is encrypted using 256-bit encryption you can quickly and easily scale your sql data warehouse instance to ensure that the performance you need is what you want and you can also control your cost that way you can even pause an instance if you don't need it temporarily and while that instance is paused you won't be charged for it sql data warehouse also offers two different performance tiers the gen 1 tier measures resources in sql data warehouse units or dwus when you need to scale you just add or reduce the number of dwus the gen 2 tier measures resources in compute data warehouse units or cdwus the difference is that gen2 tier uses a local disk based cache and that gives you much better performance azure data lake storage is designed for data that's not relational data and data lake storage is stored in 
containers and each container usually contains data that's related there are actually two different modes for accessing data in data lake storage there's object-based mode and there's file based mode data lake storage allows you to organize objects into a system of directories that are much like the directories on your computer and by doing that you can use both modes to analyze data microsoft calls this multi-modal storage and data lake storage is the first cloud-based solution to offer this capability because data in data lake storage isn't stored in a relational way it's not really suitable for presenting to human beings humans work better with data that's relational and for that reason data in data lake storage is often moved to sql data warehouse for presentation billing for data lake storage is similar to azure blob storage billing it's available in hot cool and archived tiers so the hot tier has the highest storage cost and the lowest access costs and the archived tier has the lowest storage cost and the highest access costs as i said earlier you can use azure hdinsight to perform analysis of big data azure hdinsight is microsoft's managed implementation of hadoop and that's a popular data analytics platform however hdinsight also supports other cluster types it supports hbase storm spark interactive query r server and kafka hdinsight uses clustered computers called nodes for data analysis and you're billed on a per hour basis for your use of those nodes now let's move to a discussion on some of the artificial intelligence solutions available to you in azure sir arthur c clarke wrote any sufficiently advanced technology is indistinguishable from magic while i'm sure he wasn't thinking of artificial intelligence when he wrote this and i know this because artificial intelligence hadn't yet been invented ai does apply to the statement however ai is not magic it's mathematics there are two types of ai artificial narrow intelligence or weak ai and 
artificial general intelligence or strong ai when some people think of ai they think of an advanced robotic entity set upon destroying humanity and that kind of ai would be classified as strong ai and fortunately strong ai is currently science fiction all of the ai that we currently use is weak ai and that simply means that ai that can perform one specific task much more efficiently than a human can ai uses a digital neural network that's similar to the way our brains work each part of this neural network takes input it processes it and it provides an output each part of that neural network can communicate and it can share data with other parts of the neural network there are many methods ai can use to process input but the two most common are natural language understanding and machine learning natural language understanding refers to a computer's ability to understand human speech machine learning can be used for many purposes but one of the most common purposes is image and pattern recognition because the computer learns by analyzing huge amounts of data all ai relies on big data microsoft offers many different services related to ai and machine learning azure cognitive services includes many services such as computer vision which is a service for recognizing face text and handwriting in images microsoft speech for recognizing transcribing and translating speech language understanding intelligence service or luis which is a natural language service that uses machine learning to understand speech and take action on it and azure search and bing search for searching on specific data and building complex data sets microsoft also supports many popular machine learning frameworks including onnx pytorch tensorflow and scikit-learn we've already seen that big data can be stored in azure sql data warehouse and azure data lake storage however data stored in these solutions is often difficult to use for building machine learning models a machine learning model also 
frequently needs to consume data from multiple sources not just a single data store for that reason microsoft developed azure databricks azure databricks is an ideal solution for accumulating and organizing and forming data to be used in a machine learning model and in databricks data can be organized and visualized and documented in virtual notebooks for training a machine learning model databricks uses the databricks runtime for ml but you can also use third-party machine learning tools if you prefer and once you've developed your model you can export it from databricks in ml parlance we call that productionalizing the model using either mleap or databricks ml model export mleap is a system that can execute the model and make predictions based on that model databricks ml model export allows you to export your ml models for use in other machine learning platforms and it's really geared towards apache spark based machine learning models the azure machine learning service provides a cloud-based solution for building machine learning models it uses the python language to build machine learning models unlike databricks machine learning service allows you to build data sets on premises and then upload them to azure for machine learning modeling these models are then trained in a cluster of computers in machine learning service after which they can then be exported as a docker image or a field programmable gate array or fpga image field programmable gate arrays are similar to microprocessors but unlike microprocessors they can be programmed by the consumer after the manufacturing process and that means that they can be programmed explicitly for a very specific task that makes them incredibly fast microsoft also has developed a saas solution for machine learning called azure machine learning studio machine learning studio is a web-based drag-and-drop environment for building and training and testing machine learning models it uses pre-built machine learning 
components including sample data sets that contain large numbers of rows so you can experiment with your machine learning models once a model has been developed in machine learning studio you can export it to a web service so that users can use it inside of a web browser to access machine learning studio you can browse to https://studio.azureml.net and if you want to really dig into machine learning studio i have a step-by-step walkthrough in my az 900 exam ref from microsoft press we don't really go into it in this video and with that we're going to go ahead and transition to serverless computing in azure okay i'll be the first to admit that the term serverless computing is a little confusing when we say serverless computing we don't really mean computing without a computer what we mean is using computing power without explicitly allocating a server only for your use think of it this way here's a typical azure data center and within this data center there are many virtual machines that microsoft makes available to its customers some of these vms the ones with the blue screen are actually being used by customers right now others the ones with the gray screen are not currently being used by customers but they're still out there and available in the data center so that microsoft can quickly make them available if customers need them serverless computing allows microsoft to monetize those unused vms and it also allows for you to use a computer to quickly run some code without having to pay for a provisioned vm allocated only for you when your code's not running you're not paying for anything it's a win for you and it's a win for microsoft microsoft has a few different offerings for serverless computing in azure azure functions represents the azure compute component of serverless computing azure functions lets you run serverless trigger based code that means your code runs when something triggers it and a trigger could be someone hitting a particular url a 
certain time period elapsing many other different types of things functions run on azure app service infrastructure and that means your apps running in functions benefit from many of the powerful features that are provided by app service in order to control your cost your function app can be controlled with a quota and once your daily quota is met azure will stop the function app until the next day functions offers multiple runtimes including .net java and javascript and code can use output bindings allowing you to create some complex workflows that share data from your function app with other services now similar to function apps logic apps allow you to create serverless workflows but logic apps use a drag and drop interface to create workflows logic apps use connectors triggers and actions to build workflows a connector really just connects logic apps with another service and a trigger tells logic apps when it should start a workflow and then an action tells logic apps what to do when that trigger gets fired logic app workflows are built using json files but as i said a minute ago microsoft provides a nice drag and drop interface and these json files are created for you under the hood you can build some really complex enterprise level workflows with logic apps because multiple actions can occur within a single workflow as an example of a logic app workflow think of maybe an e-commerce site that's processing customer orders and when a customer orders a product you might want to update your inventory count for that product and then generate an invoice for the customer and then email that invoice to the customer and then maybe sign the customer up for your mailing list and then generate a shipping label so that customer's order gets to them in a timely way using logic app workflows you can do all of those things automatically and you can even call an azure function app within a logic app which makes the workflows even more powerful now in some cases you might want to 
perform an action in a logic app or a function app when an event occurs related to another azure resource and you could certainly have some code that does something like checks that azure resource at a regular interval but that would be pretty inefficient instead it would be much better if your azure service could trigger an event that you could listen for in your application and that's exactly what azure event grid is designed to do azure event grid fires off events that are triggered by azure resources other services can then listen for those events and then they can trigger something to happen when that event occurs azure event grid is designed for use with services like azure functions and logic apps not all azure services are currently enabled for event grid but more services are being added all the time and it's extremely cost efficient the first 100,000 operations per month are free and after that point you only pay pennies for every million operations in event grid you've already learned about azure resource manager or arm in lesson seven understand azure management tools you learn about the tools that use arm to help you create and manage azure resources first we cover the azure portal and you learn some of the neat tricks to be more efficient in using it we then talk about using azure's az powershell module and the azure command line interface or cli tools that allow you to be a real power user in azure and finally you learn about azure advisor and how it can help you configure your applications for high availability security and performance creating and managing azure resources is easy using the azure portal the portal is a web-based management portal for azure resources it's fully customizable and you can even customize it for individual users individual parts of the portal can also be customized and that provides you the kind of flexibility that you might need for specific use cases as we'll look at here in just a minute so let's have a look at the 
portal and some of the features that it offers to get to the azure portal you just browse to portal.azure.com as i've done here and that will take you right here to the portal home page so like azure itself the portal is ever changing as microsoft makes improvements and they make interface changes and that kind of thing so the portal that you see when you browse there today might not look exactly like you see here but the functionality is going to be the same so let's look at a few of the features that are available in the portal if i go up here and click on this gear icon that allows me to customize the look and the feel of the portal and this is where i can choose my default view which right now is set to home but i can also choose dashboard i'll show you that here in just a second you can also choose your color scheme here so i can choose between the default which is selected now or a darker color scheme or a high contrast color scheme keep in mind that any of these settings that you change are actually associated with your azure subscription it's not associated with this particular computer and that means that any changes that i make here are going to apply to the azure portal on any computer that i use to access it so the default view in the portal is the home view as i showed you right here but if i click on dashboard and then refresh the portal by just clicking microsoft azure up here in the corner that's going to take me to this view which is the dashboard view and the dashboard is a great way to get a customized view that just includes what you want to see each of the tiles that you see here on the dashboard can be customized so if i go to one of these slot one of these tiles here and click on this little button in the upper corner i can customize that by clicking customize and now you can see i have this grid view along with the ability to change the size of the tile that i'm editing here i can remove it from the dashboard or i can also move it around so 
if i wanted this to exist over here i can just drag and drop it there and when i'm finished i just click done customizing and now that change has been saved i can also create a new dashboard right now i'm using this dashboard called jim's dashboard but if i click this button right here that allows me to actually create a new dashboard and i'm going to call this one i'll just call this new dashboard and now i have this tile gallery on the left hand side here i can just drag and drop any tiles that i need on my dashboard or i can click add dragging and dropping is usually easier because then you can customize exactly where you want that to go so i'm going to put resource groups right here and i'm actually going to customize that and make it just a little bit different size here like that then i can scroll down i can select clock stick that here i can go down and look at all the different tiles that are available here including marketplace which we've looked at earlier so i can put that here if i want easy access to that once i finish getting the dashboard the way i want it i just click done customizing and now you can see that i'm looking at new dashboard right here but i can also switch back over to jim's dashboard so any dashboards that you create you can very easily switch between them right here using this menu and that allows you to create dashboards that are specific to a particular use case so for example if i go into this az900 resource group that we've been using in some of our demos and maybe i'll go into let's say let's see what's in here well i've got a vm right here so let's go into that virtual machine and when i go into this virtual machine notice i've got cpu usage right here and i'm thinking to myself wow i'd like to keep an eye on that i don't really want to have to drill into this vm to do that so if i click this button right here that's actually going to pin that to my dashboard you can see that pinned to my dashboard so now when i go back to my 
dashboard i also have cpu usage for that particular vm right here on my dashboard and i can edit this and kind of move this if i say i don't want to have to scroll down to see that i'd really kind of like to have that further up here maybe above some of these other tiles so that it's really obvious to me and done customizing so now i have a very clear view and this is live this is not a static image this is actually showing me live data that's updating from that vm and then if i want to drill into that i can just click in here and it'll allow me to drill into that more so that allows you to really get a customized experience with the dashboard if i want to create a new azure resource from the portal i just click on the menu button right here and i can click create a resource but i can also scroll down and look at some of my existing resources so like for example virtual machines if i click that it'll show me the virtual machines that i have and by the way clicking on create a resource takes us as we've seen earlier to the azure marketplace so as you can see the azure portal is a powerful and flexible way to manage azure resources however there are some situations where you might want to create or manage resources programmatically or you might want to script operations related to your actual resources so that you can perform a complex series of management tasks without any interaction and for those types of scenarios microsoft offers other ways of interacting with azure resources so let's look at those other options you have that are more geared towards the command line one powerful way for interacting with your azure resources is by using powershell and the az module the az module is a powershell module that makes it easy to create and manage azure resources and you can even write powershell scripts that automate working with your resources and while many people think that powershell is a windows only tool it's actually cross-platform now and microsoft makes it 
available for windows mac os and linux you don't have to know how to run powershell commands for the az900 exam so i'm not going to go into how you install powershell and how you've configured the az module however if you do a quick internet search you can find microsoft's documentation that will walk you through that process it's also detailed in my az 900 exam ref book from microsoft press powershell commands consist of a verb such as get new start something like that followed by an object such as AzVM for a virtual machine or AzWebApp for a web app so let's have a look at how that works in powershell so this is powershell running here on my mac let's look at an example of how the az module works first i have to log into my azure account which by the way you have to do each time that you launch powershell so to do that i need a couple of pieces of information i need to know my azure active directory's tenant id and i need to know my subscription id so let's flip over to the azure portal real quick and if i click right here on azure active directory i can see the tenant id for my directory right here so if i click this button it'll copy that to the clipboard so i'm going to do that and then let's switch back over to powershell and to log in i use the Connect-AzAccount command so i'm going to type Connect-AzAccount and i'm going to pass it that tenant which i'm just going to paste from the clipboard right here that's the tenant that i just got from the portal now next i need to know my subscription id and that's going to be passed in with subscription let's go back over to the portal and grab that real quick so i'll go to home right here and i need to pull up my azure subscription so i'm just going to actually if i click right here i can see i've already pulled it up but you can also as i've shown you before you can search for it there are lots of different ways that you can get to things in the azure portal so these are the subscriptions that i have and this 
is the one we're using notice the other one over here is disabled so i'm going to click on this actually that's this is my subscription id but i want to be able to copy it so i'm going to click this and just as i did with the tenant id earlier i have a button here that i can copy that to the clipboard with so let's do that and then back over to our terminal i can just paste that right here and that's the command that will connect this powershell session with that azure subscription so i'll hit enter and now notice it's telling me to go to microsoft.com/devicelogin and enter this code so i'm going to do that quickly here and that code i'll paste it in from there i'll sign in with the azure account that i want to use and now it says i've signed into microsoft powershell i can go ahead and close this window i'll do that and flip back over to powershell and now we can see that i am logged into my azure subscription now let's have a look at my vms that i have in my subscription if i run Get-AzVM i can see the list of azure virtual machines that are under my subscription and i can actually perform some operations under these so if i want to start that vm that's called az 900 i run Start-AzVM that's the command that i'm going to use now i'm going to pass to it the resource group name and that is az900 the vm name is actually az900 vm so i'm just going to say -Name and then az900 vm simple as that i'll hit enter right here and now i can see that vm is running and along those same lines i can say Stop-AzVM and i can pass in the same information here it's the same vm obviously it asks me in this case if i want to perform this operation that's because if i stop a vm it's no longer available i want to make sure i don't do that by accident if i were scripting this and i don't want to have to respond to a prompt like this i can also use a -Force option which will prevent it from actually prompting me whether i want to continue i'm just going to say yes here and 
now i see that virtual machine is stopped so each azure resource type will have commands that are associated with it and the best way to learn these commands and find the documentation on how to use them is to browse to aka.ms/azps that'll take you to the azure powershell documentation it'll give you details on how to install powershell how to configure it how to log into your azure account and then also a reference for all of the different commands that you have all right now let's talk about another command line tool for managing azure resources and that's the azure command line interface or cli like the az module in powershell the azure cli is a command line tool that's used to manage azure resources now a while back azure cli was the only cross-platform command line tool but now that powershell is also cross-platform your choice of command line tools for azure really boils down to which tool you're comfortable with so let's have a look at the azure cli i'm going to switch over to a terminal window real quick so i'm here in a terminal window i've actually installed the azure cli i'm not going to go through the installation instructions here but you can find them by browsing to aka.ms/cli they're going to differ depending on which operating system you're running just as i did with powershell i first need to log in to my azure account and with the cli i do that by entering az login and when i hit enter here that's going to actually open a browser window where i can log in so i'll just select my account and once i do that now i'm logged into the cli and by the way this window automatically redirects to the cli documentation within a few seconds so if you leave this open it'll automatically give you quick access to the docs like that all right switch back over here to the terminal and you can see that i have some output here that shows my subscriptions this output actually is in json format and you'll see here in a minute that 
the cli actually outputs everything by default in json so now that i'm logged in um let's run through the same example that i used in powershell first let's list my vm so to do that i'll run az anything that you start with az is going to automatically run the azure cli that's how you actually access it from your terminal so i'll do az vm list and that's going to give me a list of the vms that are in my subscription and as i said before you get json format by default um this is coming back directly from arm and remember arm uses json so that's why the output is in json however for this example i really want to see the output in a table like i did in powershell it just makes it easier for me to kind of deal with that output and understand what's going on and so what i'm going to do is run the same command az vm list but this time i'm going to use the output parameter and i'm going to tell it i want an output in a table so i'll hit enter here and now i have the list of vms in a table format that's a lot easier for me as a human to read now let's start this az 900 vm like i did in powershell i can do that pretty easily i just run az vm start and like i did before i'll pass in the name az 900 vm and i'm also going to pass in the resource group which is az 900 and then i'll hit enter now this running that you see right here is not actually my vm what it's saying is it's running the command i just entered so i need to wait here for just a few seconds for this to actually start that vm and give me some output and notice that with the cli it doesn't actually show you that it succeeded that command but if you don't get an error message takes you right back to the command prompt that means that everything is good to go so this means my vm is now running so now i can if i want to stop that vm i can just run az vm stop and just like i did before i'm going to pass the name and by the way this is not case sensitive i've used an 
uppercase vm when i did this before you don't have to it doesn't care whether you use the right case or not so the only thing i've changed here is instead of start i'm using stop i'm going to hit enter and now my vm is stopped so incidentally the azure cli has a pretty powerful help system uh if you don't know a command you can use --help to get more information so i can say az vm --help and that's going to show me all the commands that i can run against a vm and if i want some details on a specific command so az vm start for example i can just pass --help to that and that shows me all the parameters i can pass to that command it also shows me other information along with some examples of command lines so that's a really good way to figure out how to do things within the azure cli now let's look at another tool for managing azure resources and that's azure advisor azure advisor is a tool available in the azure portal that helps you to configure high availability efficiency and security and it does this by offering recommendations in the areas of high availability security and performance for your azure resources so let's head over to the azure portal and have a look at the azure advisor in a real-time way with some of the azure resources that i've already created so just as with uh other resources um like we did with azure active directory earlier there are lots of different ways to get to different things within the portal at the top here i see advisor already but i could search for it if i don't see it i'm going to go ahead and click on it right here to open it up all right so there's some good news here and there's some not so good news it looks like i'm good on performance i've met all the recommendations for that but i have some recommendations for high availability and also some for security right off the bat i can see that i have four high impact security issues that's kind of concerning to me i also have four medium impact and one low 
impact and then i have three medium impact recommendations for high availability so i'm really security minded let's go ahead and click on the security tile and let's see some details on exactly what's going on with these so this gives me a list of the recommendations and i can scroll down and i can kind of look through these and see what are the different recommendations that azure advisor is giving me i might actually be the right person to address these or at least some of these but i might not be so i can click right here to download a comma separated values file of these recommendations or i can download a pdf of these recommendations and that way i can give these to somebody else who might be more appropriate to take care of them if i need to and that's pretty convenient so if i click on one of these recommendations in the list not only do i get more detail on the recommendation but if i click on remediation steps that gives me exactly what i need to do in order to address that recommendation so that also might be a good way for me to determine whether this is something that i want to do myself or maybe somebody else should be better to do this if i scroll down a little more i can also see my affected resources in this case it's my entire subscription because it's recommending that i enable multi-factor authentication on my subscription now in this particular case the remediation steps are some manual steps that i have to go through but sometimes i can automatically address a recommendation without any manual steps let's go back to the list here and the second list item here is just in time network access control should be applied on my virtual machines if i click on that it takes me to this pane here and i can actually select one of these vms and click on enable jit on one vms and that'll actually take care of that for me it'll it'll perform that task for me alternatively i could also select both of these vms and that would allow me to go ahead and enable 
that on both of those in one operation so this gives you a really quick way to address the concerns that azure advisor is showing you so now you have a really good idea of some of the tools that are available to you for managing your azure resources welcome to module three understand security privacy compliance and trust in this module you'll learn about azure offerings that help you secure your network you'll then learn about azure identity offerings for managing access to your azure account and you'll learn about some of the tools and features in azure that help you with security across your business we'll also talk about how azure can help you implement governance and how you can provide users access to selected portions of your azure services you'll learn about monitoring and reporting on your azure usage and you'll learn about microsoft's commitment to privacy and trust to lesson 8 understanding securing network connectivity in azure in this lesson you learn about some of the offerings in azure that can help you protect your applications from networking attacks you find out how azure firewall can keep bad guys from accessing your application you also learn about ddos protection and how network security groups can help you to enforce network security within your azure virtual networks we also talk about how you can decide on the best security solution for your specific needs security is one of the most important concerns of any application that's exposed to the internet and cloud applications are no exception to that consider this application running in azure my vm is connected to my azure virtual network and it's exposed to the internet now unless i take some steps to secure this network a bad guy could use the internet facing network to attack my vm and my app that's running on that vm this kind of attack from the outside is one of the most common attack vectors for cloud applications so to protect your virtual network from this kind of attack you can use 
azure firewall when you use azure firewall all traffic into your network must go through the firewall and the firewall looks at that traffic and determines whether there's a network rule that's configured on the firewall that will allow that traffic to pass if there isn't a network rule that traffic gets rejected but if there is a network rule that should allow that traffic it allows the traffic to pass through to your virtual network for example if you have a website that's running on this vm you might have a rule on the firewall that allows any traffic that's on ports 80 or 443 which are the tcp ports for unsecured and secured web traffic to pass through but any traffic on any other port would be rejected there are three different types of rules that you can configure in azure firewall network address translation rules or nat rules are used to forward traffic from the firewall to another specific device that's on the network network rules allow traffic on specific ip addresses and ports that you specify and this is the kind of rule that you would use to allow the web traffic that i was talking about earlier application rules make it possible to allow a specific application to communicate across your network and you can also use an application rule to allow a specific domain such as microsoft.com to communicate across your network azure firewall evaluates rules based on the rule priority and the priority can be between 100 and 65,000 rules that have a lower priority are processed first if traffic doesn't match any of those rules the traffic is blocked azure firewall is also a stateful firewall and this provides another layer of protection because azure firewall is able to look at the details of the network communication directly and it can identify suspicious behavior based on what traffic from that same client has looked like in the past azure firewall is billed for the hours that you use it and how much data it processes so for every hour that you have azure 
firewall deployed microsoft will charge you one dollar and 25 cents but you're also billed three cents for every gigabyte of data that is processed by azure firewall even traffic that your firewall allows can represent a threat against your application for example a distributed denial of service attack or a ddos attack can use what seems like normal traffic to overwhelm an application's resources and make it unavailable ddos attacks can also be used to exploit some vulnerabilities that exist within your application azure provides a service called ddos protection that can help protect you from ddos attacks and there are two tiers of ddos protection basic and standard the basic tier protects you from volume based ddos attacks by distributing large amounts of volume across a wide array of azure's infrastructure this all happens automatically as part of azure and you don't have any control over it you also don't have any reporting capability or visibility into what's happening as i said it's all automatic standard on the other hand is a paid offering and while basic applies to both ipv4 and ipv6 traffic standard applies only to ipv6 traffic the standard tier uses machine learning to profile network traffic and determine the level of the threat and you can use a single standard plan to protect multiple virtual networks and that's important because while basic ddos protection is free a standard plan will cost you two thousand nine hundred forty four dollars per month as you might imagine the standard plan is really targeted at enterprise customers who need that level of protection for their apps does this image look familiar to you because it should it's the n-tier application that i was using as an example back in lesson 5.2 and remember that we talked about using azure virtual networking features to control how each tier of this application can communicate with each other the specific azure networking feature that makes that possible is called network security groups 
or nsgs a network security group uses inbound and outbound rules to control the traffic that goes across a network there are some rules that are configured by default by azure for example rules that allow for remote access to virtual machines are applied by default however you can also configure your own rules just as with azure firewall network security group rules use a priority to control the order that they're applied in rules can use a specific ip address or an ip address range like maybe the ip address range of a subnet and rules can be associated with a subnet or with a specific network interface and there's actually a virtual network interface that's created for you when you create an azure virtual network network security groups use what's called a flow record to store the state of connections and that means that you don't have to create a corresponding outbound rule for every inbound rule that you create for example if you have a rule that allows inbound traffic on port 80 to reach your firewall the network security group will also allow outbound traffic on port 80 to flow by using a flow record however once the inbound traffic on port 80 has stopped for a few minutes that flow record will no longer apply and the network security group will start blocking that outbound traffic you can also use a service tag with a network security group and a service tag is a special identifier that applies to the internet or a specific service type within azure for example if you have some web apps in azure app service and you want to allow them to communicate with your subnet you can use the app service service tag that microsoft provides to allow for that so how do you choose which one of these azure security solutions you should use well you should use a network security group if you need to control the flow of network traffic and they're normally used for all applications if your application is exposed to the internet network security groups can help you to ensure 
that traffic from the internet is only allowed into specific subnets or vms even if you aren't exposing your application to the internet network security groups can enforce communication rules between the layers of your application as we've seen to provide additional security azure firewall should be used if your application exposes a public ip address it can ensure that traffic into your virtual network is tightly controlled and unlike a network security group azure firewall provides a stateful solution that actually understands the makeup of a network connection and it can identify an attack that might be attempted on the network ddos protection is an effective way to protect your network from attacks that are designed to impact applications using a large volume of traffic that looks legitimate and by the way you can add another layer of protection by using application gateway along with ddos protection standard tier to protect against additional security threats welcome to lesson 9 explore core azure identity services this lesson describes azure active directory and how you can use it to allow other users to access your services you even find out about using azure active directory to control access to services outside of azure such as your company's social media accounts this lesson also covers multi-factor authentication how it can add an additional layer of security and how you can configure it for users azure provides several identity services that help to keep your application secure but what exactly is identity identity is comprised of two different concepts the first is authentication and this is the process that positively confirms who you are or your identity and authentication can occur by the use of a password or some kind of biometric component such as a fingerprint or maybe analysis of your facial features and as you'll see in lesson 9.2 authentication can also be accomplished by multiple factors authorization happens after authentication and it's 
the process of verifying that you should be allowed to perform the action that you're trying to take for example you might be authenticated to an application but you might not be allowed to delete specific resources the application needs if you try to delete one of those resources your authorization will fail in azure the primary identity service is called azure active directory if you're a power user of windows you might be familiar with windows active directory but it's important to realize that azure active directory is not a cloud-based version of windows active directory it's something entirely different azure active directory is a cloud-based identity service for authentication and authorization of azure resources and applications and one of the core components of azure active directory is a directory of users who have some level of access to your azure resources so let's have a look at azure active directory in the azure portal so i'm here in the azure portal and i'm just going to click right here on azure active directory to open my active directory and if i click here on users i can see all of the users that are members of my azure active directory and if i click on one of these users i can see when that user is signed in i can see information on that user's identity and if i scroll down i have other information as well in this case i don't have information filled in for contact info but if i did i'd have all that information here as well now this user as it so happens is my user account as an admin of this subscription and it's a microsoft account but you can also have guest users in azure active directory so if i go back here to the all users screen i can create a new user here which actually would be either an azure active directory user or microsoft account but if i have someone who maybe exists in a different company and i want them to have some level of access to my azure resources i can use the guest user option and then i can either create a user 
and give their user id or i can invite a user from a different organization as a guest user and then they can actually collaborate with me with my azure resources now one important concept of this is the concept of roles and if i go into roles and administrators i can see the roles that are available within my azure active directory so i see that i have application administrator i see a description of that role and so when i create users i can assign them to a specific role and that controls what level of access they have to my azure active directory so for example if i go back into users and i look at my user account and then i click on assign roles i can see which roles have been applied to this particular user azure active directory can help to make your azure resources much more secure with multi-factor authentication most people authenticate using something they know such as a username and a password if you only have to use a username and password to authenticate you're using single factor authentication and if you think about it single factor authentication isn't all that secure if someone happens to get your password they can log into your accounts so for that reason it's a good idea to use multiple authentication factors another factor might be something you have such as a mobile device if you add this second authentication factor to log in you need to provide a username and password and then possibly provide a code that's sent to your mobile device if you successfully enter that code you're authenticated this ensures that not only you know the username and password but you also have a device in your possession that you're expected to have a third authentication factor might be a biometric factor such as a fingerprint or facial recognition and this is commonly referred to as something you are azure multi-factor authentication is two-factor authentication so by enabling it you're requiring users logging into your azure active directory to have a username and 
a password and one other authentication factor azure multi-factor authentication is only available in azure active directory premium plans to enable it you access the all users portal screen but the feature can also be enabled per user you can also configure multi-factor authentication for guest users that you've added to your azure active directory security is critical in today's world and securing resources in the cloud is no exception to that in lesson 10 describe security tools and features of azure you learn about how azure can help you secure your services first you learn about azure security center and how it not only helps you with threat protection and security but also how it can help you comply with regulatory standards next we'll talk about azure key vault a service that makes it easy to protect sensitive or secret information we then cover azure information protection an azure service that integrates with microsoft office to help keep documents and email secure we finish the lesson with a discussion of azure advanced threat protection a service that works on premises to help keep your systems that access your cloud services secure azure security center is a service that offers a single portal for monitoring and managing the security of your azure resources you can also add on-premises resources to azure security center if you install the security center agent on premises security center offers two tiers of service the free tier offers the service for azure virtual machines and azure app service the standard tier adds sql databases mysql databases postgresql and blob storage so let's head on over to azure security center and have a look at how it works so we're back in the azure portal here this should look familiar to you by now and security center is one of our azure services by the way if you don't have it listed here in your list of services you can click more services and search for it and if i open the security center i get an overview here of 
the policy and compliance for my particular subscription and i can also scroll down and look at the resource security hygiene for the different resources that i have if i'm interested in drilling into this i can hover over one of these and click on it and that'll take me to that resource and it'll show me an overview and it'll also give me some details on things that i need to do to improve my security score for that another really important feature of azure security center is regulatory compliance so if i click on regulatory compliance here on the left i can see my compliance with different regulatory standards and if i scroll down i can see details of each one of those standards as it relates to different areas of compliance and so i can go in here and expand this and i can drill in as far as i need to to see where i need to take some action on my compliance and just as you can with a lot of other similar features in azure you can download a report of this if you'd like to provide this information to other people who might be better suited to resolve some of these things now if i want an all-in-one view of the security recommendations i can click recommendations right here and that provides a similar view that we were looking at earlier and here i can also download a comma separated values report that shows what all of these recommendations are and then i can provide those to the correct person to take care of those and notice as i scroll down i get a nice indicator here that shows me not only what the recommendations are and how many failed resources i have for that recommendation but i also have the severity level and i also can see here how much my security score will increase if i address each one of these things and notice as we've talked about before some of these things can be fixed with a quick fix so for example if i click here which says quick fix this is something that azure security center can actually resolve for me automatically if i go to 
remediation steps i can just click right here to remediate this with a single click it's pretty common for an application to use sensitive information for example you might connect to a database and your application might need access to a username and a password for that database now one option for that kind of thing is to just store the connection string for that database in a configuration file but doing that could be insecure azure key vault is a solution for storing secrets keys and certificates that an azure resource might need to use once you store something in key vault you can then apply security policies that define which users and applications can access it key vault is encrypted using encryption keys but microsoft has no visibility of those encryption keys or the data that you store in key vault now there are two pricing tiers for key vault standard tier and premium tier in premium tier access keys are stored in hardware security modules or hsms and an hsm is a separate piece of hardware that's specifically designed for securely storing encrypted content because the federal information processing standard or fips 140-2 requires an hsm boundary for encrypted data the premium tier is required for all fips 140-2 compliance important and sensitive information isn't always fully within your control you might send an email or maybe share a document that contains sensitive information that you want to maintain control over and for those types of situations you can use azure information protection to ensure that information is safe and secure azure information protection is designed to protect emails and office documents emails and documents are classified as public confidential highly confidential and so forth and then protection is applied appropriately in this screenshot i'm sending an email that contains some sensitive information by clicking the protect button shown here in outlook i can classify this email as confidential and i can then specify who that 
classification applies to i have the same options available to me in other office products as well as you've seen if an attack on your resources is happening within azure microsoft has services that can help to protect you but what if an attack is actually happening on your on-premises machines or maybe on a mobile device that's used to access other resources these kinds of attacks are actually more common because it's more likely that these devices aren't as hardened and it's also common for users to connect to insecure networks with mobile devices and that can be a point of security concern if those mobile devices are then used to access azure resources to address these concerns microsoft offers azure advanced threat protection or atp atp is part of the enterprise mobility plus security 5 suite from microsoft but you can also purchase it as a standalone service deployment of atp happens on premises and it's a multi-part process first you determine your capacity atp uses sensors that are installed on premises and you need to determine how many sensors you need in your environment when you purchase atp you'll get access to guidance on exactly how you can plan your capacity next you create an instance of atp in the cloud using the atp portal and then sensors that you install on premises will connect to this atp instance so that they can store data and do threat analysis next you connect your atp instance in the cloud to windows active directory on premises and this allows atp to access information about your environment and about your users and finally you download install and configure your atp sensors after you do that atp uses analytics and machine learning to identify what's normal and what's not normal within your environment and it does all of that in real time so if an attack occurs atp provides tools for investigating the nature of that attack and also helps you with what actions you should take as your cloud footprint grows keeping control over costs and 
management of your cloud resources can be a real challenge in lesson 11 learn azure governance methodologies you learn about tools in azure that can help first you learn about how azure policy can help by defining rules that are applied when azure resources are created and managed next you find out how role-based access control gives you full control over the level of access other users have to your azure resources then we talk about azure locks a feature that can prevent changes to an azure resource or keep it from being unintentionally deleted finally we talk about azure advisor and how it helps you to maintain best practices across all your azure services in addition to security concerns you're likely going to encounter governance concerns with cloud applications for example your company might have a policy that specifies that no virtual machine should be created within a particular region because that region doesn't offer some required features that you have azure policy is a tool that can help you to enforce policies like this azure policy uses policies to define rules that apply to azure resource creation and management so let's have a look at azure policy in the azure portal so here's azure policy in the portal now the first thing you might want to do is check out the getting started page right here this is where you can access information on viewing definitions and assigning policies and checking out compliance of your policies and even creating your own custom policies you can also see some recommended policy assignments here that you can apply just by clicking on them now if i want to see all of the policy definitions that are in effect for me i can click on definitions right here and i see that there are many different built-in policies that are currently in in effect for me if i want to create my own policy i can click right here on policy definition and now i can define my own policy and one of the interesting aspects of policies is this property right 
here called effect in this sample rule you can see that the effect is audit and that means that if this policy is not complied with a warning will be logged so that i'll be aware of it however there are actually five other effects that you can specify in a policy the append effect adds additional properties to a resource and this can be used to do things like automatically add a tag with a specific value to resources when they get created the audit if not exists effect allows me to specify a resource type that must exist along with the resource that's being created and if that resource type does not exist a warning gets logged the deny effect denies the create or update operation and the deploy if not exists is similar to the audit if not exist effect but instead of just logging a warning it will automatically deploy the required resource type and finally the disabled effect means that the policy is not in effect so once i've created a policy i can assign that policy by going right here to assignments and then i can click here on assign policy and assign that policy to my subscription or to another scope now if i click here on scope i can see that subscription is my option for scope i can also assign this to a particular resource group so i'm going to go ahead and click on select right here to apply this to my subscription and the next thing you can do is assign exclusions those are specific resources that are exempt then you point to your policy definition that you've created right here you give it a name of your choice you give it a subscription of your choice and then you choose whether or not it's either enabled or disabled after you do that you can click review and create and that assigns your policy azure role-based access controller are back authorizes users to perform certain actions against an azure resource based on a role that that user is assigned to there are four elements related to rbac a security principle represents an identity it can be a user a 
group an application or it can be a special entity in azure active directory called a managed identity the second element is a role and this defines how the security principle can interact with an azure resource next is a scope and this defines the level at which the role is applied for example if the scope is a resource group the role defines activities that can be performed on all matching resources within the resource group next are role assignments and this is simply the process of assigning a role to a security principle now there are many built-in roles in our back and the three most common are owner which is a role that gives a security principle full access to the resource contributor which is a role that specifies that the security principle has access to create and manage resources but not give any rbac permissions to another security principle and reader which is a role that allows azure resources to be seen but not created deleted or managed so let's look at our back in the azure portal this is my az900 resource group in the azure portal now to access our back for this resource group i just click on access control iam right here in the menu and from here i can check someone's access i can enter a name or an email address here of someone that's in my azure active directory but if i click on this drop down i can also choose a managed identity remember i mentioned that earlier and so you can see here that managed identities here are actually the names of different azure services so if i enter a name here as i type this azure is looking through my azure active directory and it shows me names that match what i've typed so far so if i click on this user i can see right here that christine has not been given access to this resource group at all so let's give her contributor access so that she can create manage resources in this resource group so i'm just going to close this right here and then i'm going to click on role assignments and now i'm going to click 
on add and i'm going to add a role assignment if i add a co-administrator that actually adds a co-administrator for my subscription so i just want to click on add role assignment right here and i'm going to select the role and remember we were going to give her a contributor and i'm going to simply select her name here i could if i didn't see her name i could search for it here but she's right here so i'll go ahead and select her now that adds her as one of the people that i'm giving contributor access i can actually go through and give other people that same level of access in one operation in this case i just want to give it to christine so i'm just going to go ahead and click save and now christine has the contributor access to az 900 resource group she can create and manage resources in that resource group now there's one important concept you need to understand here and that is our back rules are additive in other words now that christine has contributor access to my resource group she can create and manage resources in that resource group but if i open a web app that's already in that resource group and i give christine say reader access to that web app she's still going to have contributor access on that web app because she has a higher level of access at a higher level within my subscription which is the resource group itself okay so what if i have an azure resource that i don't want to allow any changes to by anyone maybe it's a resource that i want to ensure doesn't get accidentally changed or deleted we'll look at how you can achieve that kind of control next locks prevent changes or deleting of azure resources and unlike rbac locks apply to all users no matter what level of access they have to that resource so let's look at a quick example of using locks so here's one of my vms in the azure portal let's go ahead and add a lock to this so it can't be deleted so i'm going to go down in the menu here and i'm underneath the settings area i'm going to choose 
locks are no locks currently assigned to this so i'm going to go ahead and click add i'm going to give this lock a name which is no delete because i want to create a lock that keeps people from deleting this and then i choose the lock type now notice there are a couple of different lock types there's read only which means that you can look at this resource but you can't change anything you can't change the configuration and by the way you also can't delete it or there's a delete lock which means you can change the configuration of this all you want to but if you try to delete it it's not going to allow you to do that so let's make this a delete lock i can add some notes if i want to don't really need to do that so i'm going to say okay and now there is a lock on this vm so let's go back to the home screen and i'm going to go back into that vm and what i want to do now is i want to delete this virtual machine so i'll click on delete right here and it warns me this is actually going to to delete it i'll say yes and notice it didn't work and the reason for that is because there's a lock on this vm and that prevents me from deleting it so if i wanted to remove that lock so i can delete it i can go down here to locks again and i'll scroll over here a little bit this is the no delete lock that i created so if i click on delete right here i can delete that lock and now i would be able to delete that vm as we've already seen azure advisor is a best practice analyzer for azure resources and that helps ensure high availability performance and the security of your azure resources now what you might not realize is that azure advisor integrates with azure security center to provide better governance of security concerns so let's flip back over to the azure advisor and have a look at that so here's azure advisor again in the azure portal and notice that i do have some security concerns right here and if i click on that i can see what those security concerns are but i also have 
the ability here to see those in azure security center and i also have the ability to click here and look at additional security center recommendations that might be available for me and this kind of integration of tools makes it easy to ensure that i'm following all of the proper governance to make sure that my azure resources are as secure as possible welcome to lesson 12 understand monitoring and reporting options in azure in this lesson you find out about azure monitor and how to keep track of metrics for all of your azure services in a single interface you also find out how to create alerts that can notify the right people when there might be a concern with your applications if something does go wrong with your azure services you'll need to know if it's a problem with your application or with azure itself so we talk about how you can use azure service health to keep an eye on the health of azure itself being able to monitor your azure resources is important especially so you can understand the health of your resources and whether there's a problem azure monitor makes it easy to monitor your azure resources because it aggregates all your metrics in a single place and you can configure alerts that will keep the right people informed of any issues so let's head on over to the azure portal and have a look at azure monitor so here's azure monitor in the portal and as is commonplace with a lot of these azure services there is a getting started view where you can get an overview of how the feature works and kind of explore through things there's also tutorials and demos that will give you a lot of information about how to best use azure monitor for this demo i'm going to click on metrics right here and we're going to look at some metrics from some of my azure resources now as you can see right here i don't have anything defined in this particular chart and so what i'm going to do is click on select scope right here and that will allow me to select something that i 
want to monitor and in this case in my az 900 resource group i am going to look at this web app called learn az 900 so that's going to be the scope for my metric right here and these metrics that are listed here are specific to a web app because the scope that i've selected is a web app if you select something other than web apps you'll have other types of metrics that you can look at so in this particular case let's just have a look at cpu time and we can see that we have data automatically populated here immediately this is a line chart which kind of makes sense for cpu data but i can select this right here and look at this differently like for example as a bar chart and the interesting thing about azure monitor is i can add additional metrics to this and look at those within the same graph so if i click on add metric i get the same dialog that i had before and now i can select something for example like http server errors and i can see that there are none of those so i say well that's not useful to me so what i'd like to do is just get rid of that and add something different now one thing that's interesting to note here is that you can certainly add for example data in and that's going to show me that metric here but cpu time is in seconds as you can see here and data in is in kilobytes so those two don't really sync with each other to look at those in the same view just doesn't make a lot of sense so let's leave data in right there but over here for cpu time let's change that to data out so that we're looking at metrics that are in the same measure so now we have two different metrics both of which are in kilobytes and i can see both of those within the same graph now we have quite a lot more data out than we do data in and so the data in metric is very low down in this view but if i hover over one of these you can see that it highlights only that metric and so this gives me the ability to clearly see both of those metrics in one view and i can also change this 
maybe to an area chart which will give me a different view let's uh get rid of this data in oh i should have gotten rid of data out that was the one that had let's switch that there we go so this is an area chart which is basically the same as a line chart but you get the areas filled in also you can do a scatter chart or a grid a grid is useful if you want to see those values kind of in a table format also note that you can choose the time frame so this is local time aggregated over the last 24 hours if i click that i can change that so that it gives me the range that i'm looking for and i can even use a custom range now another interesting feature that's available in monitor is the ability to set alert rules so if you're looking at something like cpu for example i'll switch this back over to cpu real quick i can actually see that since the last time i looked at this i had a little bit of a cpu spike here but let's say that i want to make sure that if my cpu spikes up the right people get informed about that so i'm going to go ahead and click on new alert rule my resource is already selected for me here because i was looking at a metric for the learn az 900 app if i wanted to choose a different resource i could click re select right here and now i need to define the condition for my rule now by default i've got whenever the cpu time is and then i need to apply some logic that's because i was looking at the cpu metric when i went into the create rule dialog so i just need to define the logic for that now the first thing that i see here is a historical view of where cpu has normally been trending in my application and this is just to give me kind of a ballpark figure or a baseline of where cpu usually is i did have this little spike here just a little bit earlier but other than that you can see my cpu has been trending really low so let's say that i really would like to be notified if my cpu time goes above this is 10 seconds right here so let's say 20 
seconds so i'm going to scroll down here and first thing i need to do because this is specific to an app service is i need to select the instance this is a vm that's running that web app and i'm just going to select this one right here actually i only have one instance in my web app so i only have one vm and now i'm going to say if the total cpu is greater than and i said i wanted this to be 20 seconds so if it's greater than 20 seconds that's twice the amount that it spiked right here and then i can have a granularity period here so i can say if aggregated over a five minute period that threshold is 20 seconds and it's going to check that every minute that allows me to make sure that my rule doesn't get triggered if there's just a little blip of activity like there was right here so now that i've set that up i'm going to go ahead and click done so now i need to specify the action group and that is telling the rule what to do when this rule gets triggered and actually i already have an action group if i select this i've got this email people action group right here which i can select but if i want to have a new action group just so i can show you kind of some of the options that are available here i'm going to say this is send text to admin and this is just going to be called sms as a short name my subscription is already correct this resource group is already existing this is actually a resource group that was automatically created the first time i created an action group i'm just going to use that one is fine and then i need to specify an action group name right here this is going to be sms text and then i can select an action type and i'm going to select email sms push and voice and i can specify now an sms number and i can send that to one two 555-555-1211 two actually not a valid phone number so let's just say two one four five five five one two one two all right so now i've got my phone number configured and i can just say okay right here and that 
is going to configure that so i'm going to say okay and now i have a new action group that's being created real quick here and once that's created it is added to that rule and so now that sends text to an admin when that happens and i can also by the way select the other action group that i had which is email people and now it'll do both of these things it'll send an sms message and it'll also email the people that i've configured in that action group so now that i've done all of this i can actually go in here to alert details i can specify some uh specific information here that gets sent to these people so i can say cpu was above 20 seconds check it out i can define a severity so if i want to say this is kind of a sev1 severity and now that that's done i just simply click on create alert rule and that'll create that alert rule for me so it's as easy as that to not only monitor your resources using azure monitor but also to create some really complex rules that allow you to make sure that you or someone else gets notified or other actions are taken when your metrics fall outside of the norm not all issues with your application are going to be limited to just your resources they're going to be times when a problem within azure itself might impact you microsoft offers a tool called service health that makes it easy to keep up to date on issues in azure that might be impacting your resources so here's service health in the azure portal notice that not only can i see service issues but i can also see planned maintenance events right here and i can also see health advisory so if there's a current service issue that might be impacting my resources i can click on that event to see details and i would see that here under service issues here's an example of service event details and notice that i not only get details on what's going on but also get a link to the details of this event in case someone else in my organization needs to keep updated and if i want to keep track 
of this issue on my mobile device i can just scan this qr code and i can do that easily privacy is always a concern in the cloud and in lesson 13 understand privacy compliance and data protection standards in azure you learn all about microsoft's commitment to privacy and trust we start by talking about the microsoft privacy statement you then learn about trust center and the service trust portal websites that help you learn about microsoft's approach to security and compliance along with tools like compliance manager that help you to ensure regulatory compliance we also cover microsoft's approach to security and compliance with governments and with countries that have unique regulations customer trust is one of microsoft's core guiding principles and keeping you informed about the information they collect and how they use it is also important and that's why microsoft publishes a privacy statement that provides you with the personal data that microsoft collects and how they use it the privacy statement also outlines reasons why microsoft might share personal data such as when you conduct a transaction with microsoft or if they're required to share data by law you're also notified about how to access the data that microsoft has collected and how you can control it including the ability to opt out of internet-based targeted advertising microsoft also includes information about how they use cookies on their websites and they detail the data that's shared with third parties when you use your microsoft account for authentication and finally the privacy statement details how microsoft secures data where they process that data and the policies that define how long the data gets retained you can access the microsoft privacy statement by browsing to aka dot ms slash privacy statement the microsoft privacy statement is all about transparency and how microsoft deals with your data but microsoft also wants to be fully transparent in how they deal with security privacy and 
compliance all information related to these core tenets is shared in the trust center which is a web portal that details microsoft's commitment to trust here's the trust center if i scroll down you can see links on how microsoft deals with security privacy and compliance and you can also see if i scroll down a little further here you can see links to blogs that microsoft maintains and some offerings that help you to maintain compliance information on law enforcement data requests that microsoft has received and a report on u.s national security orders you scroll down a little more and you can see some events that microsoft holds for its customers that are related to security and compliance this kind of transparency can really help you to have confidence in the security of the data that you store in azure and it's a really clear indicator of how serious microsoft is about earning and keeping the trust of its customers if you want more technical depth related to trust security and compliance you'll find that in the service trust portal while the trust center is mainly informational the service trust portal provides you with compliance tools and privacy tools to build confidence in compliance and privacy of your cloud applications here's the service trust portal and you can see here that microsoft has provided detailed reports on compliance with data protection standards for its cloud services scroll down a little further and we have links to the compliance manager which you'll learn about in lesson 13.3 you also have links to penetration tests and security assessments from third parties you have white papers and compliance guides and much more and as you continue to scroll through the service trust portal you'll see much more information to help you build and maintain your confidence in the security and compliance of cloud solutions that are in azure information is power and microsoft wants to ensure that you're armed with the information that you need to build that 
trust now one of the core tools for this is compliance manager so let's have a look at how it can help you to maintain compliance with industry standards compliance manager makes it easy to view and manage compliance with industry standards you can also easily determine whether you are responsible or whether microsoft is responsible for different compliance areas the launching point for compliance manager as we saw earlier is the service trust portal in this screenshot from compliance manager you can see our compliance score from various industry standards and if i click on one of these tiles you can see both microsoft managed controls which are compliance tasks that microsoft is responsible for and customer managed controls that are my responsibility now here i've expanded the customer managed controls and if i click on one of these i can manage the compliance of this standard i can see exactly what i need to do and i can assign a user to take care of this and i can do a lot more once i've successfully met compliance on this and marked it as succeeded that will reflect in my compliance score for this standard and that makes it really easy to not only know what you need to do for compliance but also track your progress towards compliance so you can ensure you're doing everything that's necessary complying with standards is important and it's critical to microsoft's customers however some customers work under standards that are even more stringent than those that are detailed in compliance manager for example customers who work in government positions have stringent requirements that require a different approach to compliance and for that reason microsoft created an entirely separate cloud environment called azure government azure government ensures that u.s governmental requirements are met azure government is only accessible by screened microsoft employees who are united states citizens and even microsoft employees who provide technical support to customers using 
azure government must be us citizens azure government uses data centers and express route locations that are completely isolated from the public cloud and this provides a completely isolated network environment which ensures security of network data azure government isn't just available for united states government customers it's also available for city and municipal governments and there's a process by which those folks get onboarded to azure government securely because azure government is completely separate from the public cloud you actually access the portal for azure government using a different address it's portal.azure.us instead of portal.azure.com now of course you would have to be onboarded to azure government and approved for use of azure government in order to access that and one final but important point because the department of defense has a very specific requirement for data storage and compliance there's a subset of data centers in azure government that are compliant with dod impact level 5 provisional authorization similar to azure government microsoft also operates a separate cloud called azure germany and azure germany is designed to meet the requirements mandated by the european union azure germany is available for eu customers customers who are members of the european free trade association and also uk customers data centers in azure germany are physically located in germany and they're operated under strict security measures enforced by a company called t systems international which is a subsidiary of deutsche telekom a data trustee has full control over all of the data that's stored in azure germany and microsoft is only involved in managing systems with no access to customer data welcome to module 4 understand azure pricing and support in this module you'll learn all about azure subscriptions and the tools available for managing them you'll learn about how you can effectively plan your cloud implementation in order to control costs and 
you'll find out about some great tools that azure provides for cost visibility and control we'll talk about the support options available to you when you need technical assistance and i'll show you how you can open a support ticket you'll learn about all the service level agreements and how you can find out about what microsoft promises related to azure services and their availability finally you learn about the service life cycle in azure and how you can access cool new features before microsoft releases them for production use so let's get started welcome to lesson 14 understand azure subscriptions in this lesson you find out about an azure subscription and how you can manage it you see how you can monitor costs and you even learn how you can create a new azure subscription in case you want to separate resources into multiple subscriptions your azure subscription is the highest level azure resource every other azure resource you create is created inside your azure subscription each azure subscription has a unique subscription id that identifies it each subscription also has limits or quotas that are associated with it for example you can have up to 200 azure storage accounts per region in a subscription up to 25 000 virtual machines per region and so on so let's look at my azure subscription in the azure portal so here's my azure subscription in the azure portal here's my subscription id which is my unique identifier for my subscription and here in the overview blade which is what opens by default i scroll down here you can see that i have a breakdown of all of my costs by resource so this allows me to keep a really good view on how much i'm spending i can scroll down and i can see spending rate and forecast as well also here within the subscription blade i can click on invoices and that allows me to see all of the different invoices that i've gotten from azure and i can download each invoice if i'd like to in order to get all of the details of that invoice i can 
also choose to email an invoice to someone else if that person needs to look at that an azure subscription is created for you when you first sign up for azure but you can also create additional subscriptions and this is useful in cases where you want to separate expenses remember your azure invoice for expenses is tied to an azure subscription and it's also a way for you to work around subscription quotas since they are applied per subscription as well so there are several different types of subscriptions in azure a free trial subscription provides free access to azure resources for a limited time and you can only create one free trial subscription per account if you've previously had a free trial that's expired you can't create a new one under the same account a pay-as-you-go subscription is one where you pay for azure resources as you use them you don't pay any cost up front and you can cancel the subscription at any time a pay-as-you-go dev test subscription is a special subscription type for subscribers to microsoft visual studio and this subscription is for development and testing only and it offers discounted rates on vms now there are other subscription types that may be available to you depending on what type of azure account you have for example enterprise customers have additional options available to them so let's go over to the azure portal and let's look at how you can create a new azure subscription so here in the azure portal i'm going to click on subscriptions that will allow me to see the different subscriptions that i have and i have actually two right now one of them is active and the other one is uh disabled if i want to create a new subscription i just click add right here and then i can choose the subscription type that i want i have pay as you go and pay as you go dev test i don't have free trial because i had a free trial subscription a long time ago that since expired and so that's no longer available to me there are also some other 
options down here for support plans and we'll look at those when we get to lesson 16. okay so i'm going to choose pay as you go as my subscription type and then that's going to take me to the sign up page and here i can enter in my phone number this is a that i can be verified by phone i can enter my payment information for my subscription if i want to i can add a technical support plan and read the azure support agreement and once i've done all of those things i can go ahead and create this subscription and it will be available for me inside of the azure portal and at that point when i create resources i can choose which subscription i want to create those under before you ever move to the cloud you'll want to get a clear understanding of how much you'll need to spend on cloud resources doing so requires planning in lesson 15 learn planning and management of costs you learn about techniques and tools that you can use to plan and manage costs you learn about the different ways that you can purchase azure services and you learn about the azure free account and what it offers you find out what can affect your costs in azure and we talk about billing zones and how understanding where your azure resources are actually located can help with costs you also learn about tools such as the pricing calculator and the total cost of ownership calculator and how to use them to calculate costs in advance finally we talk about best practices for minimizing costs and i show you azure cost management a tool that makes it easy to analyze your costs there are a couple of different ways that you can purchase azure products and services you can purchase directly from microsoft which is what you've seen in the examples i've shown in this video and when you purchase from microsoft resources are created on demand as you need them and you decide which specific resources you create microsoft will then invoice you for those resources each month and if you need support for any of your azure 
resources that support is provided by microsoft using a support plan that you purchase from microsoft for enterprise customers enterprise agreements are available and when you sign up for an enterprise agreement you contract a yearly financial commitment with microsoft for your azure usage and you pay for that usage even if you use less than you anticipated if you use more than that commitment microsoft will charge you for the additional usage at whatever rate you and microsoft agree to in advance you can also purchase azure products and services from a third party known as a microsoft cloud solution partner or a csp and when you purchase from a csp you purchase an entire cloud solution that's developed by that csp when you need to deploy your application you work with the csp to manage that deployment and the csp provides you with details on your resource usage and you pay the csp for that usage if you need support for your azure products and services the csp provides that support not microsoft if you're new to azure you might need a little time to familiarize yourself with the services offered and how everything works and for that reason microsoft created the azure free account azure free account is available to new azure customers only and when you sign up for azure free account you're provided with 12 months of free access to some popular azure services and many azure services will provide additional free usage even beyond that 12 month period you're also provided with 200 in credit that you can use over a 30-day period for any azure services that you choose and microsoft doesn't limit you to testing for these resources in fact you can use your resources for production use if you want to but you have to keep in mind that after the 30 day period any services that don't fall under the quote free for 12 months portion of the azure free account will be automatically deleted so you want to make sure you upgrade your subscription prior to that if necessary for more 
information on the azure free account including a complete list of products that are in the free account and also how long they're available at no cost head on over to azure.microsoft.com free slash free dash account dash faq there are several factors that can impact your costs in azure and you should be aware of these as you plan your azure deployments each azure service is billed according to meters that are assigned to that resource and meters track how much of a specific metric has been used for the resource so for example consider an azure virtual network you're not charged for the network itself and you're not charged for network traffic that flows within that network instead you're charged per gigabyte for network traffic that flows into the network and out of the network now each azure resource type has a pricing page that details how the resource is billed and that includes information on the meters that are used you can also reduce costs in some situations by planning how you purchase resources for example if you know that you're going to need a large number of resources for a long period of time you can likely save considerably by purchasing an enterprise agreement with microsoft and then you commit to a longer term investment and longer term agreements provide even more cost savings you might also be able to save money by purchasing something that's pre-built a pre-built solution from a microsoft cloud solution partner it's also important to know that some azure regions cost more than others microsoft's cost for operating azure services differs by regions and that means your price is going to differ as well for example if you have a vm deployed to the east u.s region it's going to cost less than the same vm deployed to the central us region you have to realize though that simply choosing the cheapest region isn't always going to translate into the lowest cost if you have other azure resources that are in other regions and you need to communicate with them 
the cost of network traffic across regions might offset any savings that you have another important consideration for costs in azure is billing zones azure geographies are broken out into four separate groups for billing purposes and these groups are called billing zones actually they're more commonly referred to as simply zones microsoft's cost for network traffic in each zone differs so that means your costs will also differ by zone inside of zone one is the united states europe canada uk and france geographies there's also a de zone one which includes germany zone 2 is asia pacific japan australia india and korea geographies and zone 3 is the brazil geography so as we've seen there are many factors that can impact your azure cost and it can be pretty hard to try and predict your costs in advance and that's why microsoft created the pricing calculator the pricing calculator can provide you with an estimate of your azure expenses and it bases that estimate on the type of product you choose but it also factors in where that product is deployed because as you've seen costs differ depending on region and zone and it also accounts for other factors that can impact your costs you can access the pricing calculator by browsing to aka dot ms slash azure pricing so let's head over there and let's have a look at the pricing calculator so this is the pricing calculator in my browser and by default on this screen we have a list of products that i can add to an estimate but i can also click on the example scenarios tab and i can get a list of different scenarios that might reflect what i want to do in azure and get an estimate on those which includes numerous different products in this example i'm going to just choose products and for this demo i'm just going to use virtual machines to kind of show you how the calculator works so to add virtual machines to my estimate i just click on it and you'll notice that will tell me virtual machines have been added now to see my 
estimate i need to scroll down to right here now this is the estimate that i have for virtual machines and this is the default setting for that estimate so i can see here that my estimate total is 152.60 but let's say that i don't want to deploy this to west u.s i'm actually going to deploy this to the east u.s so i'll select east u.s as my region and notice that automatically my price has dropped now to 137.29 i can also choose a different operating system so i'll choose linux and notice here my price has dropped again and that's because now i don't have to pay for windows licensing and so every time that you make changes in the calculator it's going to update your estimate based on that so i can go down and i can choose what type of instance i want and notice there are a very large number of instance types if i have the need only for one cpu and 28 gigabytes of ram and 56 gigabytes of temporary storage i can select that and that's going to also update my estimate total so now i have a larger estimate because i am actually using a more powerful machine i can also choose my billing option so if i see pay as you go is going to give me 270.83 but if i choose one of these agreements and i commit to a longer term pricing i can get quite substantial savings also i have the ability to choose manage disks i can actually change my tier here i can change my disk size i can change the number of disks etc and i can change my storage transactions as well i can choose whether or not i want to include a support plan and whether i want to choose any other programs and offers and then what i can do is choose purchase options to see how i can purchase that particular estimate now i can also save this estimate and i can export this estimate to excel or i can share it with someone if i save it if i scroll back up here to the top you'll see i have the ability to click saved estimate so if i save my estimate i can go back to it at a later time that allows me to maybe tweak it a little 
more later or if i want to save that and export it later on i can do that as well the pricing calculator is a good way to estimate your azure expenses but if you want to estimate how much money azure could save you versus your on-premises deployments the total cost of ownership calculator or the tco calculator is the right tool for the job the tco calculator provides an estimate of cost savings that you could realize by moving on-premises applications to the cloud and data in the tco calculator is based on expense information for on-premises resources that microsoft has accumulated over many years of experience tco calculator includes detailed charts on expense savings over a long period of time by moving to azure and you can access the tco calculator by browsing to aka dot ms slash azure tco so let's go have a look at the tco calculator so here is the tco calculator in the browser and the very first thing you have to do is you have to define your workloads now this means you have to tell the tco calculator what your on-premises application needs so if i click on add server workload here i can adjust this based on what my particular application uses so let's say that it uses a windows physical server using windows i'm going to say one server let's say that i have two procs in my servers and each of those are two core procs and i have let's say maybe 16 gigabytes of ram in each one of those and all of that looks good now if i click here to add windows server 2008 2008 r2 that's also going to adjust my particular details on my workload okay so now i've got this workload i've called this workload one so that's fine i'm going to go down here now and add a database and i'm going to accept all the defaults for this i'm going to say it's a microsoft sql server database and that's fine um storage i can add networking so all those are all of the different uh workloads that i can add now let's say that i have multiple servers so let's say that this particular server is 
actually my application server let's say that i might also have another server that's like a business logic server or something like that i can click add server workload here and add an additional server okay so this is our application database now i'm gonna add some storage here and this is where i add my disk drives so i'm gonna say a one terabyte disk drive that's totally fine this is our hard disk storage and my network bandwidth one gigabyte that's totally fine so i'm going to go ahead and click next and now i can adjust my assumptions now these are the assumptions that as i said earlier are based off of years of data that microsoft has accumulated and so what it's going to do is assume some things based off of what i have given it and i can scroll down here and i can see all of the different assumptions that microsoft has made and that includes electricity costs that include storage costs i.t labor costs and any other assumptions as long as i'm satisfied with what's here i can go ahead and click next or i can adjust them i'm just going to go ahead and click next that's fine and now i can view a report that will show me how much i can save so i can see here over five years with microsoft azure my estimated cost savings could be as much as a hundred and eighty six thousand four hundred twenty three dollars so that seems like something that i might definitely want to consider moving to the cloud also down here notice i have this graph which shows me my cost over that five year period on premises versus in the cloud i also have some other pie charts down here that actually show me some of my expense data broken out into different categories and then i can also see additional breakdown as well so this is a very detailed analysis of how much i would pay for this application on premises versus how much i would pay on azure so when i get down to the bottom here i have the ability to download this report share this report or save it with someone but let's say that i 
look at that and i say i'm sold i definitely want to get this up and running and in fact i'm saving so much money i want to do this immediately i can create a free azure account right here and start experimenting with that or i can click this button and have microsoft contact me for some discussions about how i might want to purchase an enterprise agreement or other ways that i can save additional costs as i look at implementing this solution within azure let's talk about some of the best practices for minimizing your costs in azure first and foremost minimizing cost starts with careful planning before you create your first azure resource and you need to make sure that you include all of the necessary key players in your planning including finance folks and managers and application designers all the people who are going to be very aware of the requirements for that application it's also critical that you purchase only what you need in azure as you're analyzing your on-premises applications that you're moving to the cloud make sure that any resources that you're currently using on premises are really necessary for that application if they're not don't spend money on them in the cloud fully utilizing your cloud resources is also really important if you're paying for a powerful vm in the cloud you want to make sure that you're fully utilizing the power in that vm if you don't need a ton of power make sure you scale appropriately and remember azure can scale automatically if you want it to as you're creating your azure resources make sure you tag resources so that you can easily identify them in your azure invoice using tags you can provide cost information to specific departments in your organization so that they can ensure that they're being cost efficient as you're planning your purchases choose carefully i mean you need to look at things like could you save some money with an enterprise agreement or maybe you could save by using a pre-defined solution developed by 
a cloud solution provider if so choose that option and make use of the pricing calculator and the tco calculator to plan your expenses and as you use your azure resources monitor them carefully and that way you can adjust your usage and you can scale as needed and remember azure advisor can provide you with recommendations to save money on your azure resources and finally make sure that if serverless makes sense for you you should use it this allows you to pay only when your code runs now if you want more information on best practices head on over to this url azure cost management is another tool that allows you to keep an eye on your costs and manage your expenses in azure azure cost management makes it possible to analyze your costs at a granular level and you can create budgets so that you can control your costs and you can even create alerts that will notify specific people when certain thresholds are exceeded in your costs azure cost management is available in the azure portal by searching for cost management plus billing so as you can see here azure cost management provides a breakdown of your expenses by resource type region and resource group and i can also see a graph of my cost over time i can budget my expenses in azure cost management and if i exceed my budget i can clearly see that in my cost analysis graph so this is a great way to keep an eye on my expenses in azure over time and to make sure that i'm making the best use of my cloud resources welcome to lesson 16 discover the support options available in azure when something goes wrong you might need some technical support from microsoft or a third-party expert and in this lesson you find out about your options for support first we cover the support plans that microsoft provides to azure customers next we present how you can open a support case we also look at the options you have for support outside of those support plans and finally we look at the knowledge center a portal for finding documentation 
and blog posts on common issues in azure azure includes plenty of diagnostic tools that you can use to check things out when they're not quite working as you expect but it's likely you're going to need some help at some point from microsoft and for those situations microsoft offers numerous support plans for azure customers now before we go into those plans let's look at this terminology that microsoft uses related to support most support plans offer different levels of service during business hours versus non-business hours microsoft defines business hours for most countries as weekdays between the hours of 9 a.m and 5 p.m local time however in north america business hours are from 6 a.m to 6 p.m pacific time and in japan business hours are defined as weekdays between 9 a.m and 5:30 pm in all regions business hours don't include holidays microsoft also defines support cases using one of three different severity levels a severity a case is reserved for situations where a production application is completely down or maybe when critical components of an application are unavailable a severity b case means that a production application is moderately impacted obviously that's a subjective definition so microsoft and the customer will need to agree on what justifies this level of severity a severity c case involves an issue that is minimally impactful or maybe a situation that was happening in the past but it's since gone away microsoft offers five different support plans the basic support plan provides limited support for your azure account and subscription and it's free for all azure subscriptions the developer support plan is for azure free trial accounts and for non-production applications it's not a free support plan but the cost is minimal and it also only allows for severity c cases the standard support plan is for production azure applications and that comes with an increased cost and the professional direct support plan is for customers who have business 
critical applications there are also premier plans that are contracted support options usually for enterprise customers microsoft provides support slas that defines things like how soon you'll be contacted by microsoft engineers after opening a case and those slas differ based on the case severity and the level of your support plan let's have a look at how you can open a support case here in the azure portal there are a couple of different ways you can do this one is you can just search right here for support and that'll give you the help and support option you can also actually click on help and support when you're actually inside of your resource so if i go into for example this web app right here learn az 900 i can scroll down in this list kind of all the way down here to the bottom and i have the ability to click on new support request right here so once i do that i have to choose whether this is a technical issue or whether this is billing or service and subscription limits and in this case let's say it's a technical issue so now i choose my subscription and the one that's listed here is fine next i need to tell microsoft which service i am looking for assistance with so it's pre-populated for me because i clicked on new support request within this app so i'm going to leave that as is and summary i'm going to say my app is down and then i can select a problem type now these are problem types that are defined by microsoft usually it's going to be pretty clear where things fit if not just choose what fits best in this case it's availability so i'm going to choose that and now i have the ability to choose a subtype so i'm going to say my web app is down right next i'll click here and now what microsoft is doing is it's determining whether or not there might be some information that they can provide to me that might allow me to fix this problem myself now in this case for web apps it's actually telling me that hey right now we don't see that your app is down it's 
giving me a little bit of a chart here that shows me that everything appears to be okay i can scroll down here and i can see that they've actually performed quite a lot of checks against my app and that these have succeeded so that allows me to determine that hey it doesn't appear that there is a problem that exists that i have indicated to microsoft now that doesn't necessarily mean i don't need support because this might be something that happened earlier that's not happening anymore and i just kind of maybe want to find out what happened so in this case i'm going to go ahead and close this because i'm not interested in that information all the diagnostics that's nice and everything but let's say this is a problem that happened before so i'm going to say next right here to go to details now this tells me that with my current plan i can only request access for help with billing subscription management and quota increase and that's because i haven't actually created a support plan for myself so i need to actually purchase a support plan in order to get support from microsoft however if i don't want to do that at this point i can click the link right here and talk to community support that's going to be people who are in forums who might be able to help me with something that's simple not very complex otherwise i can click view plans right here i can create a support plan for myself once i purchase that i'll have the ability to enter details here like the very specific information that i have for microsoft which might be things like the time the date and time period that i experienced this problem those types of things and then i can create a support case and at that point i'll have details provided to me that will tell me how long i can expect to wait before someone contacts me back on that support case now as you saw in lesson 16.2 there are other support options for azure outside of microsoft support plans msdn forums offer support from other azure users as 
community-based support and stack overflow forums also offers community-based support msdn forums are operated by microsoft and stack overflow is a third-party website that provides information and support on numerous technologies besides azure microsoft employees and vendors frequent the msdn forums and often they can provide help for simple issues but if your issue involves more in-depth troubleshooting they'll often ask you to go ahead and open a support case microsoft also offers knowledge center which is a website where you can get answers to common questions about microsoft azure products and services and if i browse to knowledge center as you see here i can scroll down and i can see popular questions that are asked by lots of different people i can click on one of these and learn more about those i can scroll down to the bottom and i can actually click on view more and get more questions that i can review and maybe those will help me out i can search for a particular topic right here but i can also filter on specific services so for example if i click app service right here that's going to give me questions for app service so all of the questions that i see here are limited to app service at the very bottom i can also create a support ticket right here i can contact the sales department if i want to purchase something from microsoft and also have links into community support like we talked about earlier welcome to lesson 17 describe azure service level agreements in this lesson you learn about the promises microsoft makes in the area of service availability in azure you learn about how you can determine the service level agreement of your azure services and what you can do if you feel that microsoft hasn't met the documented service level agreement service level agreements or slas establish specific targets for availability and they also define what a cloud provider will do when those targets aren't met slas are represented as a percentage of availability 
over a specific time period and they're usually above 99 i mean if a cloud provider promised that your service would be available 80 percent of the time you'd likely go somewhere else for your cloud application needs no one is going to offer a 100 sla it's just simply not possible the highest sla is 99.9 which is commonly referred to as five nines this is obviously what all cloud providers aim for but a more typical sla is 99.9 or 99.95 percent a service is only outside of an sla if a problem is caused by something that's within the control of the cloud provider if a problem is caused by your application or maybe another component that the cloud provider doesn't control there is no sla on that if a services availability does fall outside of the sla the cloud provider will often provide some level of refund but in azure you must submit a claim to microsoft within two months of the end of the billing cycle each azure service offers an sla specific to that service so to determine the sla for a specific service you can use the service level agreements website shown here so if i want to for example find out what the service level agreement is for an azure virtual machine i can just enter virtual machines here and then i can click on virtual machines in the results and that's going to give me details on how sla is computed for azure virtual machines so the first thing i see is just an overview which tells me that i get a 99.99 uptime assuming i meet certain requirements otherwise it's 99.95 percent otherwise if i just have a single instance virtual machine using premium storage they're going to give me a 99.9 sla and so that's an important thing for me to know i can also scroll down a little bit and i can see sla details and that's important because that's going to give me the definitions that microsoft is going by when they say for example availability set they're referring to two or more virtual machines deployed across different fault domains to avoid a single point 
of failure these are things that we've talked about earlier in this video if i scroll down a little more i'll see monthly uptime calculation and service levels for virtual machines and availability zones and then as i scroll down further i can see all of the different slas and how they are computed based upon how my virtual machine is deployed now in each one of these it shows not only the sla but also the service credit that is applied if my sla isn't met so if my sla is 99.95 percent if i fall below 99.95 percent but 99 or higher i get a 10 service credit less than 99 i get a 25 and less than 95 i don't pay for it at all and so this is a very informative way of determining exactly what the sla of any particular azure service is azure is rapidly evolving and new services and features are being released on a regular basis in lesson 18 understand service lifecycle in azure you learn about how microsoft makes new features and services available to customers you'll find out about how you can access preview features before they're broadly available and you learn about how you can keep an eye on new updates and releases azure changes all the time services are updated with new features and new services are released all the time and microsoft is very interested in getting customer feedback as they work on new features and services and for that reason microsoft will often make services and features available as preview offerings before they are generally released private preview services and features are provided with no sla or a reduced sla and they're usually provided at a reduced cost private previews are usually made available only to a small number of customers and often times only by invitation when a service is offered as a private preview it's usually early in the development cycle so it's not uncommon to only have a subset of features available during private preview microsoft doesn't always offer a private preview for new services and features but 
if they do these previews are not intended for production use and also microsoft support engineers usually don't support customers using a private preview public preview happens after the private preview period when a service or feature is closer to completion public previews are open to all users and they're usually available right inside of the azure portal public preview usually doesn't happen until a service or feature is either fully functional or very close to it and just like with private previews public previews are usually offered at a discounted rate with a reduced sla or no sla they're also not intended for production use although there may be limited exceptions to that and microsoft support will sometimes offer support for public preview features private preview features are usually accessed either using a special portal link that gives you access to those features in addition to all of the other features within the azure portal or sometimes you'll have command line entries that you need to make using the powershell or the cli to create those private preview resources public preview resources are accessible right within the azure portal and they're usually badged with a preview badge so for example this is my learn az 900 web app and if i scroll down here to backups and click that i see here that there is a snapshot backup feature that i can configure but it also says it's preview and that means that this is a public preview feature and it falls under all of the limitations of a public preview as well once a service or feature reaches a quality and availability bar that microsoft sets it's declared as generally available or ga ga services and features are fully supported by microsoft and they offer an sla as well if you've used a preview version of a feature or service sometimes you might be required to delete and recreate those resources once ga is reached and that's because remnants of previews can sometimes cause unforeseen problems microsoft may not 
declare a service or a feature as being ga in all geographies or regions at the same time but they often do if you want to keep up with all the latest updates in azure you can use the azure updates website shown here now if i scroll down you can see all of the different announcements that are available here in azure updates and each one of those has a little icon which says now available some of those might show as being in preview and so anything that has two light colored dots here is in preview anything that has three is now available which means it's generally available so this is a good way to kind of keep track of what's going on in azure as preview releases are made available and also as those preview releases move to general availability and another important feature here is that you can subscribe to an rss feed so that you can stay informed easily using one of your rss readers well that's it you've completed your journey through azure fundamentals you now have some great knowledge about azure under your belt so that you can be better prepared to take the az 900 exam you're also prepared to be a valuable resource in your company for evaluating and recommending your company's approach to the cloud in this course you learned all about cloud concepts you learned what benefits the cloud provides and you learned about the different service types available such as iaas paas and saas you also gained a deeper understanding of the differences between the public cloud the private cloud and hybrid cloud scenarios you learned all about some of the core services in azure and you learned some under the hood concepts such as azure regions availability zones and azure resource manager you learned all about products in azure compute networking storage and database solutions and you learned about the azure marketplace for jump starting your cloud experience you also learned about cool technologies like the internet of things artificial intelligence machine learning 
and serverless computing in azure and you also learned how to use the azure portal and powershell and the azure cli to manage all of these services you learned about security privacy and trust and you learned about compliance with regulations you learned about azure security products such as azure firewall and azure ddos protection you learned about how to use network security groups and how to best choose the right security option for your needs you learned about identity solutions such as azure active directory and multi-factor authentication and you learned about security tools like azure security center azure key vault and azure information protection and azure advanced threat protection you now know how you can manage the creation and management of azure resources using azure policy and you know how you can control people's access to azure resources using rbac you learned about preventing unwanted changes using locks and even how you can prevent someone from unintentionally deleting an azure resource you also learned about azure advisor and how it can help with security and compliance you found out how you can use azure monitor to keep track of all your azure services and you learned how to configure alerts so that the right people are notified if problems happen when that's necessary you learned how you can monitor the health of azure itself so you'll know if you're being impacted by a problem in azure you discovered microsoft's approach to privacy and trust and you learned about tools like trust center and the service trust portal where you can manage security and compliance in your cloud deployments you also learned about microsoft approaches to the unique security and compliance needs of governments in other countries and finally you learned all about azure pricing and azure support you learned about all the tools you can use to plan and manage costs tools like the pricing calculator and the total cost of ownership calculator you learned about azure 
cost management so that you can easily track your costs and make wise financial decisions about your cloud usage you found out all the details of your support options in azure and how you can open a support case you learned about the azure sla and what you can do if you feel that an azure event impacted your service we wrapped everything up with a discussion of the service life cycle and how you can keep up with feature and service updates as well as how you can access new features early in the development process with all this knowledge you're now much better prepared to take the azure fundamentals exam i hope this course gave you confidence in your knowledge of azure and i hope you enjoy taking this course as much as i enjoy teaching you good luck on your exam
Info
Channel: IT Cloud Training
Views: 483
Id: NVAiOl9xILc
Length: 247min 26sec (14846 seconds)
Published: Wed Oct 27 2021