AZ-900 STUDY NOTES
YouTube resources
https://www.youtube.com/watch?v=8n-kWJetQRk
1 Describe Cloud Concepts
1.1 Describe Cloud Computing
- Instead of running your stuff on your own computer, run it on a rental
- Rent more CPU, RAM, and disk when you need it.
1.2 Describe the benefits of using cloud services
Consumption-based model
Pay only for the resources you use.
Shared responsibility
The four models are: On-premises, Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS).
| Facility | On-prem | IaaS | PaaS | SaaS |
|---|---|---|---|---|
| Data, devices, accounts | You | You | You | You |
| Identity and Access | You | You | You | Shared |
| Applications | You | You | You | Shared |
| Network controls | You | You | Them | Them |
| Operating Systems | You | You | Them | Them |
| Infrastructure | You | Them | Them | Them |
| Datacenter, network, hosts | You | Them | Them | Them |
"Infrastructure" is networking, storage, servers.
Scalability
- "Vertical" scalability - Make your virtual CPU faster or add more RAM
- "Horizontal" scalability - Add more virtual boxes
- Elasticity - Scale automatically based on app demand
Availability
- Availability - 99%, 99.9%, 99.95%...
- Uptime - Is different from availability because all components must be up
Agility
Speed and ease of allocating and deallocating resources. How fast we stretch/scale.
Reliability
"Microsoft Azure Well-Architected Framework." Recovery from failures. Failover to other boxen a la clustering.
Predictability
Tell in advance if it's going to be big and fast enough. Also tell in advance what it's going to cost you.
Sustainability
Make sure you are using just the right amount of capacity from a power consumption perspective.
- Automatic scaling up or down of resources by demand
- Auto-remove resources that aren't in use
- Choosing efficient services
- Use logfiles to track usage for predictions and optimisation
1.3 Describe Cloud Service Types
Cloud models:
- Private cloud - Run your cloud software on your own hardware.
- Public cloud - Run your cloud software on a rental on the Internet
- Hybrid cloud - Run some on your own machines, some on a rental
- Multicloud - Run your software on different clouds depending on features
2 Describe Azure Architecture and Services
2.1 Describe the core architectural components of Azure
Main components
- Azure geography - Discrete market, two or more geographical regions, for data residency and compliance boundaries.
- Azure region - Set of datacenters, within a latency-defined perimeter and connected with a fast network.
- Sovereign region - Regions for compliance or legal reasons
- Region pairs - Two Azure regions for disaster recovery purposes; 300 miles apart
Other concepts:
- Management group - Level of scope above subscriptions, for management and application of policies
- Subscriptions - Logical container used to provision resources in Azure. Multiple subscriptions when subscription limits are reached, different payment options, isolate resources between departments, projects etc.
- Resource groups - Holds related resources for an Azure solution
- Resources - Any entity managed by Azure, e.g. a VM
- Availability zones - Physical locations within a region with independent hardware. One or more datacenters.
- Datacenters - Physical building containing hardware.
2.2 Describe Azure compute and networking services
Summary:
- Compute types
- VM options
- Resources
- Application hosting options
App hosting options
- Azure VMs - Server virtualisation
- VM scale sets - Group of identical load balanced VMs, number can automatically increase or decrease with load or schedule.
- VM availability sets - Staggered VM updates and varied power and network connectivity.
  - Fault domains - Group VMs by common power supply and network switch
  - Update domains - Apply updates in groups so not all resources will go offline at once
- Azure virtual desktop - Virtual workstation running on Azure
- Azure Kubernetes Services - Runs multiple composed Docker containers in Kubernetes
- Azure container instance - Runs single Docker containers in a serverless Azure environment
- Azure App Service
  - Web apps - HTTP-based app
  - API apps - REST APIs with Swagger support
  - Web jobs - Run an executable (EXE, BAT, etc.)
  - Mobile apps - Backend for iOS and Android
VM resource requirements
To run, a VM needs:
- Virtual disk
- Virtual network
- Network interface (NIC)
- Network security group (firewalld)
- Public IP address (maybe)
Networking core services
VNET = virtual network
- Virtual network - Logical representation of your Azure network, isolated by default to a subscription
- Virtual subnet - IP subnets of your virtual network. Can by default communicate within VNET
- VPN gateway - Connection between virtual network and your own internal network over Internet
- VNET peering - Connects virtual networks together so VMs can communicate
- ExpressRoute - Connects on-prem network into Azure using a connectivity provider (leased line)
- Azure DNS - Provides internal or external DNS for your VMs
- Private and public endpoints
  - Service endpoint - Internet IP for a PaaS service
  - Private endpoint - Private connection from on-prem net to PaaS service
Networking security features
- Defense in depth - Principle: layered approach with multiple controls, so that no single protection is relied on
- Network security group - Security rules similar to firewall rules
- Azure firewall - Firewall as a service, highly available, auto scaling
- Azure DDoS - Tier-based mitigation of DDoS attacks
2.3 Describe Azure Storage Services
Storage Services
- Blob storage - Large amounts of unstructured data (= not row/column)
  - Structured data = Organised in rows/columns
- File storage - File server (SMB or NFS)
- Azure disk storage - Block devices
- Azure table storage - Structured NoSQL data - Key/attribute
- Azure queue storage - Messages
Storage tiers
| Tier | Cost | Speed | Comments |
|---|---|---|---|
| Hot | Highest | Fastest | Fast disks for high performance apps |
| Cool | High | Fast | Online, for data you don't use too often |
| Cold | Middle | Middle | Online, but not very fast |
| Archive | Low | Slow | Offline storage, lag = hours |
Data in these tiers has an expiration date?!
Storage redundancy options
- Locally Redundant Storage (LRS) - Mirrored to one location
- Zone Redundant Storage (ZRS) - Mirrored synchronously across availability zones
- Geo-redundant storage (GRS) - Uses LRS first, then copies asynchronously to another region also on LRS
- Geo Zone Redundant Storage (GZRS) - Uses ZRS for the synchronous copy, then copies asynchronously to a single physical location in the secondary region
Moving files
- AzCopy - Command line utility to copy blobs or files to your storage account
- Azure Storage Explorer - Standalone GUI app that lets you manage files/blobs
- Azure File Sync - Continually sync your Windows file server to Azure
Azure migration options
- Azure Migrate - Tool for porting your apps to Azure
- Azure Data Box - Physical media service
2.4 Describe Azure Identity, Access, and Security
- Entra ID (was Azure AD)
- Entra Domain Services
- Single sign-on
- Passwordless
- External identities: Business to Business (B2B) and Business to Customer (B2C)
- Conditional access in Entra
- Role based access control
- Zero trust concept
- Defense in depth concept
- Defender for Cloud
Core Azure identity services
- AuthN - Prove you are who you say you are
- AuthZ - Authorization - grant permissions
- Entra ID - Active Directory for Cloud, both internal and external
Authentication methods
- Single Sign-on (SSO) - Sign on once, access everything
- Multi-factor authentication
  - Password
  - SMS
  - Voice
  - MS Authenticator app = MS owns your phone
  - OATH = Open Authentication standard for time-based one-time passwords (TOTP)
  - Fast ID Online (FIDO2) = Public-key cryptography on a hardware device using a challenge/response procedure
  - Windows Hello
External Identities
- B2B collaboration
  - Their Entra ID (for authentication)
  - Social identities (log in using Google)
- B2B direct connect
  - Mutual two-way trust for heavy collaboration
  - Allows you to use another company's IDs to assign permissions
  - Close business partners only
- B2C - Use Entra ID to manage end user access to your apps
- Entra ID multi-tenant organization
  - Collaborate with other Azure customers via cross-tenant synchronisation
  - For mergers, or departments of the same company: very close colleagues
- Entra ID conditional access - Allow, reject, or require MFA for operations based on "signals":
  - User and location
  - Kind of device
  - Application
  - Other risk factors
Azure RBAC
- Built on Azure Resource Manager
- Fine-grained access management of Azure resources
Zero trust
- Verify explicitly - Always authenticate and authorize based on all available data points
- Least privilege access - Just in time, Just enough access
- Assume breach - Minimise blast radius
Defense in depth
Layered approach - Don't rely on any one method for protection.
Microsoft Defender for Cloud
- Security management app for both Cloud and on-prem datacenters
- Security guidance for various services
- Supports Azure, AWS, GCP, as well as on-premises workloads.
3 Describe Azure Management and Governance
https://learn.microsoft.com/en-us/training/paths/describe-azure-management-governance
- Factors that can affect cost
- Pricing calculator/Total Cost of Ownership calculator
- Cost management capabilities
- Purpose of tags
3.1 Describe cost management in Azure
Timestamp: 2:10:00
Factors affecting cost in Azure
- Resource type - some things more expensive than others
- Consumption - How much of a resource you use
- Maintenance - Tidy up your unused or retired resources
- Geography - Where in the world your resources are, some are at a premium
- Network traffic - How much data you push around, also affected by Geography
- Subscription type - Various contracts offered by Microsoft
Azure Marketplace allows third parties to sell/rent Azure resources to you.
Consumption pricing options
The more you plan, the cheaper your resources will be. The more flexible, the more expensive. Sometimes you can pick up deals. From expensive to cheap:
- Pay as you go - available quickly, but the most expensive
- Reserved Instances - Rent a specific set of resources and don't move them
- Reserved capacity - Rent a given amount of resources, distributed where needed
- Hybrid use Benefit - Use your on-prem Software Assurance-enabled Windows software licenses on Azure
- Spot pricing - Use incidentally available resources, special offers.
Pricing calculator
Automated quotes for resources you are planning. Costs nothing in itself, but lets you work out your budget.
Total Cost of Ownership calculator
Shows you how much money you can save by giving your computers to Microsoft. Before you deploy.
Azure Cost Management tool
Looks at the things you are using and reports on what it is costing you. Components:
- Cost alerts - Budget alerts, Credit alerts, Department spending quota alerts
  - Credit alerts - Warns you when money runs out and you need to top up.
  - Department spending quota alerts - Give each department a separate budget.
Describe cost optimisation
- Reservations for stable predictable workloads
- Savings plan for resources that can move hither and thither.
- Spot pricing for irregular and interruptible purposes
Describe tags
You can put tags on all resources so you can find them or report on them, for the following purposes:
- Resource management - Associated with specific workloads
- Cost management - Report on what a subset of your resources are costing you
- Operations management - Separate prod from dev and test, tag critical resources
- Security - Confidentiality levels
- Governance and regulatory compliance - Define ruleset for resources
- Workload optimisation and automation - Identify specific types of resource
A practical starter tag set for many teams is Environment, Owner, CostCenter, and Workload. This set supports common day-to-day tasks such as filtering costs, finding service owners, and scoping automation.
Resource tags are managed using the Azure portal where you define the resources. You are free to tag your resources in whatever manner you want.
3.2 Describe features and tools in Azure for governance and compliance
https://learn.microsoft.com/en-us/training/modules/describe-features-tools-azure-for-governance-compliance/
Templates used to define machines and their security standards before deployment
Auditing tools exist to flag compliance problems.
Automatic patching
- Microsoft Purview
- Azure policy
- Resource locks
- Service Trust Portal
Microsoft Purview
Provides a combined view of all of your data, whether it lives in Azure, on-premises, or in other clouds. It has the following:
- Automated data discovery - gathers lists of the data across your clouds
- Sensitive data classification - Lets you tag various pieces of data as sensitive
- End-to-end data lineage - Keeps track of where your data comes from.
This is then provided to the user in:
- Risk/compliance view: protect sensitive data, identify data risks, inform regulatory compliance
- Unified data governance: Map data classification and lineage, locate sensitive data, secure access at scale
Azure policy
Automated controls and auditing of resources. This lets you make rules across all your configurations to ensure compliance with your standards.
Policies can be set on resources, resource groups, subscriptions, and other levels. A group of policies is called an initiative. There is an inheritance mechanism that applies policies automatically to sub-resources. Azure Policy can automatically fix policy violations. Integrates with Azure DevOps.
Azure policy guardrails are a mechanism to prevent AI agents from doing stupid things, as is their habit.
An Azure policy initiative is a group of policies. We can address this initiative to report on or sometimes fix policy violations.
Blueprint is used mainly for deploying new environments.
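To make the policy, initiative and assignment relationship concrete, here is an added example that is not from the video or the Learn module: a subscription-scope Bicep file (Bicep is the template language mentioned under 3.3) that defines two custom policies, groups them into an initiative, and assigns the initiative at subscription scope so it is inherited by every resource group and resource beneath. The policy names, display names and the region list are made-up placeholders.

```bicep
// Added example for these notes, not from the video or the Learn module.
// Subscription-scope Bicep: two custom policy definitions, an initiative
// (policy set) grouping them, and one assignment. Names and the region list
// are made-up placeholders; adjust to your own standards.
targetScope = 'subscription'

// Regions your organisation has approved (placeholder values)
param allowedLocations array = [
  'westeurope'
  'northeurope'
]

// Policy 1: deny any resource created without an Environment tag.
// 'Indexed' mode skips resource types that do not support tags and location.
resource requireEnvTag 'Microsoft.Authorization/policyDefinitions@2021-06-01' = {
  name: 'require-environment-tag'
  properties: {
    displayName: 'Resources must carry an Environment tag'
    policyType: 'Custom'
    mode: 'Indexed'
    policyRule: {
      if: {
        field: 'tags[\'Environment\']'
        exists: 'false'
      }
      then: {
        effect: 'deny'
      }
    }
  }
}

// Policy 2: audit (report, do not block) resources outside the approved regions.
// 'global' is excluded because some services (e.g. DNS zones) are not regional.
resource approvedRegions 'Microsoft.Authorization/policyDefinitions@2021-06-01' = {
  name: 'audit-approved-regions'
  properties: {
    displayName: 'Resources should be deployed in approved regions'
    policyType: 'Custom'
    mode: 'Indexed'
    policyRule: {
      if: {
        allOf: [
          {
            field: 'location'
            notIn: allowedLocations
          }
          {
            field: 'location'
            notEquals: 'global'
          }
        ]
      }
      then: {
        effect: 'audit'
      }
    }
  }
}

// Initiative: a group of policies managed and assigned as one unit
resource guardrails 'Microsoft.Authorization/policySetDefinitions@2021-06-01' = {
  name: 'baseline-guardrails'
  properties: {
    displayName: 'Baseline guardrails (tags and regions)'
    policyType: 'Custom'
    policyDefinitions: [
      {
        policyDefinitionReferenceId: 'requireEnvTag'
        policyDefinitionId: requireEnvTag.id
      }
      {
        policyDefinitionReferenceId: 'approvedRegions'
        policyDefinitionId: approvedRegions.id
      }
    ]
  }
}

// Assignment at subscription scope: inherited by every resource group and
// resource beneath. 'Default' enforces the deny effect; 'DoNotEnforce' would
// only report, which is useful while piloting a new initiative.
resource guardrailsAssignment 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
  name: 'baseline-guardrails'
  properties: {
    displayName: 'Baseline guardrails'
    policyDefinitionId: guardrails.id
    enforcementMode: 'Default'
  }
}
```

Deploy it with `az deployment sub create --location <region> --template-file guardrails.bicep`. The deny effect blocks new non-compliant resources at creation time; the audit effect only marks existing and new resources as non-compliant in the Policy compliance view, which is the safer starting point when you are not yet sure how many resources would be affected.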
Resource locks
Prevents accidental changes or deletion of resources. These apply even to owners. You can lock a resource against modification. If you are the owner, you must first remove the lock, do what you need, then re-apply the lock. There are two kinds:
- Delete locks - Prevent people from deleting resources.
- Read-only locks - Prevent people from changing a resource.
You manage the locks from the Azure Portal.
Service Trust portal
Information about how MS implements various security, privacy, and confidentiality policies such as the GDPR, various ISO standards, and so on.
These are only documents which you can create links to in your cloud based documentation.
3.3 Describe features and tools for managing and deploying Azure resources
https://learn.microsoft.com/en-us/training/modules/describe-features-tools-manage-deploy-azure-resources/
- Auto-scaling - Automatically add/remove resources as needed.
- Templates - Define virtual machines beforehand
- Health monitoring
- Alerting
Tools for interacting with Azure
- Azure portal - main dashboard for managing your resources
- Azure Cloud Shell - browser based command line interface
- Azure PowerShell - Azure-enabled variant of PowerShell on your local box
- Azure CLI - Azure-enabled Bash
- Azure Arc
- Azure Resource Manager
- Azure mobile app (iOS and Android both!)
And of course you can interface Azure with Copilot.
Azure PowerShell and Azure CLI
Lets you script operations on your resources: set up, tear down, maintain and so on. It is a modified PowerShell or Bash that connects to your Azure cloud.
Azure Resource Manager and templates
The deployment and management service for Azure. The component that does the actual configuration work, directed by the various management tools. It uses declarative templates that define the desired environment rather than scripted procedures that build them.
Lets you group together resources for management rather than doing them one by one. You can re-deploy the same environment in the same or different places (Test, prod). You can control the order by defining dependencies. You can automatically apply access controls and tag them for various purposes.
Azure Resource Manager templates describe resources in JSON. There is also an alternative called Bicep, which is apparently easier to read.
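Pulling together the tags from 3.1, the resource locks from 3.2 and the declarative templates described here, an added example that is not part of the original notes: a resource-group-scope Bicep template that declares a network security group and a storage account carrying the starter tag set, then puts a delete lock on the storage account. Resource Manager works out the deployment order from the references between resources (the lock depends on the storage account). Resource names, tag values and the owner address are made-up placeholders.

```bicep
// Added example for these notes, not from the video or the Learn module.
// Resource-group-scope Bicep template: a tagged network security group and
// storage account, plus a delete lock on the storage account. Resource names,
// tag values and the owner address are made-up placeholders.

@allowed([
  'dev'
  'test'
  'prod'
])
param environment string

@minLength(3)
@maxLength(24)
param storageAccountName string

// Defaults to the region of the target resource group
param location string = resourceGroup().location

// Starter tag set from the cost-management notes, applied to every resource below
var commonTags = {
  Environment: environment
  Owner: 'platform-team@example.com' // placeholder
  CostCenter: 'CC-0000' // placeholder
  Workload: 'az900-notes-demo'
}

// NSG: stateful allow/deny rules, evaluated lowest priority number first.
// The platform's default rules already deny inbound Internet traffic, so only
// what is explicitly allowed here gets through.
resource nsg 'Microsoft.Network/networkSecurityGroups@2023-05-01' = {
  name: 'nsg-web-${environment}'
  location: location
  tags: commonTags
  properties: {
    securityRules: [
      {
        name: 'AllowHttpsInbound'
        properties: {
          priority: 100
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: 'Internet'
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '443'
        }
      }
    ]
  }
}

// Storage account: ZRS keeps synchronous copies across availability zones;
// the properties below require TLS 1.2 and block anonymous blob access.
resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: storageAccountName
  location: location
  tags: commonTags
  kind: 'StorageV2'
  sku: {
    name: 'Standard_ZRS'
  }
  properties: {
    minimumTlsVersion: 'TLS1_2'
    supportsHttpsTrafficOnly: true
    allowBlobPublicAccess: false
  }
}

// Delete lock (CanNotDelete) scoped to the storage account. It applies to
// Owners too: the lock must be removed before the account can be deleted.
// Use level 'ReadOnly' to block modifications as well.
resource storageLock 'Microsoft.Authorization/locks@2020-05-01' = {
  name: 'do-not-delete'
  scope: storage
  properties: {
    level: 'CanNotDelete'
    notes: 'Remove this lock deliberately before deleting the storage account.'
  }
}

output storageAccountId string = storage.id
output nsgId string = nsg.id
```

Deploy with `az deployment group create --resource-group <rg> --template-file main.bicep --parameters environment=dev storageAccountName=<name>`. Re-running the same deployment against another resource group (say, prod instead of dev) yields the same configuration, which is the point of the declarative approach the section describes: the template states the desired end state and Resource Manager reconciles what exists with it.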
Azure Arc
Management tool for hybrid and multicloud environments. It can "project" your non-Azure cloud resources into Azure Resource Manager. It can manage the following:
- Servers
- Kubernetes clusters
- Azure data services
- SQL server
- Virtual machines
Infrastructure as Code (IaC)
Describe your desired servers, networks, and whatnot in a text file, pass that to Azure Resource Manager, and have it built.
3.4 Describe monitoring tools in Azure
https://learn.microsoft.com/en-us/training/modules/describe-monitoring-tools-azure/
- Azure Advisor - Scans your Azure config and recommends changes for:
  - Security
  - Deployments
  - Cost
  - Deployed resources
- Azure Monitor - Collects monitoring telemetry
- Azure Service Health
Azure Advisor
Dashboard that shows you the following:
- Reliability - Flags configuration risks to help uptime
- Security - Detects threats and vulnerabilities
- Performance - Reminds you to buy more CPU and RAM
- Operational Excellence - Analysis of deployment and workflow improvements
- Cost - Finds ways to save you money
Azure monitor
Dashboard for looking at what your Azure resources are doing. Includes:
- Log analytics - See what errors, warnings, and information are in the Azure logs
- Monitor alerts - Warns you when something you describe has happened
- Application insights - How many requests, how many calls to other resources, page load times, CPU, memory, network usage.
Azure service health
Gives an insight into which of your resources are running properly, with scopes of "All services" (even those not yours), "Your services", and "One individual resource".
4 Terms to know
Capital expenditure: Buying computers.
Operational Expenditure: Rent capacity and personal services
Serverless architecture: MS allocates and de-allocates servers for you based on usage. Pay as you go, stateless resources, ephemeral resources, being triggered.
Azure logic app: Schedule, automate, and orchestrate apps; aimed at the "citizen developer".
Azure functions: Run code triggered by events. Billed by execution
Event grid: Process events generated by apps and send them to event handlers. Pub/sub model, pay per use.
Management group: Top level object for Azure resources
Subscriptions: Accounts kept separate maybe for isolation, different billing options
Resource group: Container that holds resources with a common life cycle, such as the components of a virtual machine.
Availability zones
VM scale sets: group of identical load balanced VMs
VM availability sets
Azure virtual desktop
Azure container instance
Azure kubernetes services
App service
Private endpoint
vnet peering