Fundamentals AZ-900 Microsoft Azure - Framework

Transcription

AZ-900 Microsoft Azure Fundamentals
Scott Duffy, Instructor
2021 Scott Duffy, softwarearchitect.ca
Get the course for these slides at: http://sjd.ca/az900

Nov 2020 update

Microsoft Azure Fundamentals
“Foundational level knowledge of cloud services and how those services are provided with Microsoft Azure”

Microsoft Azure Fundamentals
Candidates with non-technical backgrounds
Candidates with a technical background who have a need to validate their foundational level knowledge around cloud services

Microsoft Azure Fundamentals
Describe cloud concepts
Describe core Azure services
Describe core solutions and management tools
Describe general and network security features
Describe identity, governance, privacy and compliance features
Describe cost management and SLA

You’ll be prepared to take and pass the AZ-900 exam

But you don’t have to, if you just want to learn cloud concepts

What is the Cloud?

The ability to rent computing resources on demand

What Computing Resources?
Windows and Linux servers
Unlimited storage
Databases
Queues
Content Delivery Network
Batch processing jobs

What Computing Resources?
Big Data - Hadoop
Media Services
Machine Learning
Chat bots
Cognitive Services

1000 Azure Service options

Describe Cloud Concepts (20-25%)

Benefits of Cloud Computing

Benefits
Cost savings - both real and accounting
Agility
Availability
Security
Global reach
Range of ready on-demand services
Range of tools

Cost Savings

Cost Savings - Real
Economies of scale
Total cost of ownership (TCO) - electricity, Internet, cooling, employees
Microsoft can run a server cheaper than anyone else, with few exceptions
4 vCPU server - as low as 187/mo

You can take actions to reduce your cost, e.g. autoscaling

Global Reach

It’s not possible for most businesses to run data centers in multiple countries

High Availability

Expressed as a percentage, it’s the ability of a system to respond to users

99.99% - four nines, about 4 minutes of downtime per month

Scalability

The ability of a system to handle growth of users or work

(Chart: app failure at max capacity as the number of concurrent users grows)

Elasticity

The ability of a system to automatically grow and shrink based on application demand

(Chart: capacity tracking user demand)

Agility

The ability to change rapidly based on changes to market or environment

Disaster Recovery

The ability of a system to recover from failure within a period of time, and how much data is lost

Capital Expenditure (CapEx) and Operational Expenditure (OpEx)

CapEx is money invested in assets (like computers) that return investment over time

OpEx is money spent every day on operating expenses

Consumption-Based Model

Pay per minute
Pay per hour
Pay per execution

Infrastructure-as-a-Service (IaaS)

Virtual machines, networking, load balancers, firewalls

Platform-as-a-Service (PaaS)

Upload code packages and have them run, without access to the hardware

Software-as-a-Service (SaaS)

Access to configuration only

Shared Responsibility Model

Serverless

There are still servers, you just don’t ever have to deal with them

Even less access to the server than PaaS

Even with PaaS, you have to choose an App Service Plan

With PaaS, scaling is your responsibility

Serverless means not worrying about choosing the right plan

Serverless means not worrying about scaling

Serverless means you might pay 0 if you don’t use the service

Azure Serverless Offers
Compute - Azure Functions
Compute - Serverless Kubernetes (Virtual Nodes w/ ACI)
Database - Azure SQL Database Serverless
Database - Cosmos DB Serverless (preview)

Public cloud

Azure owns the hardware, on their network and infrastructure

Private cloud

Looks and acts like a cloud, except the customer owns or leases or has exclusive access to the hardware

Hybrid cloud

Combination of public and private clouds; scale private infrastructure to the cloud

Compare and Contrast

Public vs private vs hybrid

Describe Core Azure Services (15-20%)

Core Azure architectural components

Regions

60 Regions - not all accessible by everyone

Region Pairs

What are Paired Regions?
Each region has one other region which is treated as its “pair”
Almost always in the same geography - data storage laws
The data connection between region pairs is the highest speed available
Software rollouts are deployed to one region of a pair and the other is not touched
If multiple regions go down, one region of each pair is treated as a priority

Example Pairs
Canada: Canada Central - Canada East
Europe: North Europe - West Europe
USA: East US - West US
USA: East US 2 - Central US
USA: North Central US - South Central US
Brazil: Brazil South - South Central US

Availability Zones

Resource Groups

Azure Subscription

Subscription is a billing unit

Users have access to one or more subscriptions, with different roles

All resources consumed by a subscription will be billed to the owner

Can be used to organize resources into completely distinct accounts

Management groups

Azure Resource Manager (ARM)

Azure Resources

Instances of services that you create, that are yours to use

Core resources in Azure

Getting Deep into the Technical
Compute services
Networking services
Storage services
Database services
Azure Marketplace

Compute services covered
Virtual Machines (VM)
App Services (Web Apps)
Azure Container Instances (ACI)
Azure Kubernetes Service (AKS)
Windows Virtual Desktop

Compute: “executing code” in the cloud

Virtual Machines
Infrastructure as a Service - IaaS
Take an existing machine from your environment into the cloud - a copy
Windows or Linux operating systems - several of each
A “slice” of a physical machine shared with other customers
Full control over it, as if it was your machine

Virtual Machine Types
Over 200 to choose from
Number of CPU cores, CPU speed, RAM size, temporary disk size, IOPS, etc.

App Services
A new paradigm for running code in the cloud
Give your code and configuration to Azure, and they will run it
Promise of performance but no access to hardware
Platform as a Service (PaaS)

Containers
Another paradigm for running code in the cloud
Containers contain everything the app needs to run in a “container image”
Fastest and easiest to deploy
Azure Container Instances (ACI) - single instance, quickest way to deploy a container
Azure Kubernetes Service (AKS) - runs on a cluster of servers, enterprise-grade

Windows Virtual Desktop
Desktop version of Windows that runs in the cloud
Your software installed, your files - available from anywhere
Can even see your desktop on iOS and Android, or from any web browser
Runs on Azure

Networking Services Covered
Virtual Networks
VPN Gateway
VNet Peering
ExpressRoute

Types of Networking Services
Connectivity services
Protection services
Delivery services
Monitoring services

Connectivity
Virtual Network - emulating a physical network
Microsoft Global Network already exists, so a virtual network is just software configuration
Virtual Private Network (VPN) - connecting two networks as if they were on the same network, uses a Network Gateway
ExpressRoute - high-speed private connection to Azure

Protection - Security Section of the Course
DDoS Protection - Distributed Denial of Service attack protection
Azure Firewall
Network Security Groups
Private Link

Delivery - Not on the Exam
Load Balancer - distribute traffic evenly between multiple backend servers
Application Gateway - a higher-level load balancer with an optional firewall
Content Delivery Network (CDN) - stores common static files on the edge, closer to the users for (perceived) improved performance
Azure Front Door Service - a load balancer, CDN and firewall all-in-one

Monitoring - Management Tools Section of the Course
Network Watcher
ExpressRoute Monitor
Azure Monitor

Storage Services Covered
Container (Blob) Storage
Disk Storage
File Storage
Storage Tiers

Storage - one of the foundational technologies on which much is built

Container (Blob) and File Storage
The Azure Storage account
General Purpose v2 (GPv2) is the most common type
Blobs, Tables *, Queues *, Files
Azure Data Lake Storage Gen2
Cheapest type of storage
Pay per GB (1.8 cents per GB)

Many, Many Options
Access tiers - Hot, Cool, Archive
Performance tiers - Standard or Premium
Location
Redundancy / Replication
Failover options

Disk Storage
Azure Virtual Machine disks
Managed Disks
Reserve capacity in advance
Optimized for virtual hard disks

Database Services Covered
Cosmos DB
Azure SQL Database
Azure Database for MySQL
Azure Database for PostgreSQL
SQL Managed Instance

Most sophisticated applications have some type of database

Cosmos DB
Extremely fast storage
Designed for modern applications such as mobile video games, social networks, and things requiring thousands of global replicas
NoSQL storage
Multi-model
Supports many open-source APIs and protocols

Azure SQL Database
Runs on the SQL Server engine underneath
Relational DB
Database as a service
Easy to replicate
Easy to scale
Easy to migrate from SQL Server on-prem

Azure Database for MySQL
Managed MySQL database
Common open-source DB
Makes migration to the cloud easier if you rely on this one
WordPress uses it

Azure Database for PostgreSQL
Managed PostgreSQL database
Open-source DB
Has better support for clusters and more complex server setups
Makes migration to the cloud easier if you rely on this one

SQL Managed Instance
Most compatible with existing SQL Server
Minimal code changes
Fully managed by Azure
Always up-to-date

Azure Marketplace

Describe Core Solutions and Management Tools (10-15%)

Internet of Things (IoT)
IoT Hub
IoT Central
Azure Sphere

Azure Sphere
A platform designed to work with connected devices
Includes: a secure silicon chip, Sphere OS, cloud-based security services

Big Data and Analytics
Azure Synapse Analytics (formerly SQL Data Warehouse)
HDInsight
Azure Databricks

Artificial Intelligence (AI)
Azure Machine Learning
Cognitive Services
Azure Bot Service

Azure Bot Service
A natural language chatbot service
A database of frequently-asked questions
A front-end that allows people to ask questions and get answers

Serverless
Azure Functions
Logic Apps
Event Grid

DevOps Solutions
Azure DevOps
GitHub
GitHub Actions
Azure DevTest Labs

GitHub
Microsoft purchased GitHub in 2018
The most popular place to store your company’s source code
Has private and public options
Integrates with tools such as Visual Studio
Based on the “git” source control system invented by Linus Torvalds of Linux fame

GitHub Actions
Automate software workflows
What happens once someone “checks in” changes to code?
Possibly includes Continuous Integration (CI)
Possibly includes automatic compilation of code to check for errors
Possibly includes running a suite of tests against code

Having a Web App automatically update when new code is checked in

Azure Tools
Azure CLI
PowerShell
Azure Portal
Azure Cloud Shell
Azure Mobile App

Azure Mobile App

Monitor the health and status of resources from your phone

Run commands; start, stop and restart servers

Azure Advisor

ARM Templates

Azure Resource Manager (ARM)
The deployment and management service for Azure
Management layer that allows you to create, update, and delete resources, called “deployments”
All actions that you take to manage your Azure resources go through the ARM layer

Azure Monitor

Azure Service Health

Describe General and Network Security Features (10-15%)

Azure Security Center

Azure Security Center
Unified infrastructure security management system that monitors and protects your systems inside and outside of Azure
Strengthen security
Protect against threats
Get secure faster

Key Vault

Central, secure repository for your secrets, certificates and keys

Azure Sentinel

What is Sentinel?
Centralizes all the log files from various resources
Analyzes them to detect threats
Allows you to run queries on those logs yourself
Investigate an incident
Orchestration and automation to fix the issues

Azure Dedicated Hosts

Hardware that is dedicated to you and only you

You can reserve a machine and run multiple virtual machines on it (to the machine limit)

Defense in Depth

Security Layers
Data - e.g. virtual network endpoint
Application - e.g. API Management
Compute - e.g. limit Remote Desktop access, Windows Update
Network - e.g. NSG, use of subnets, deny by default
Perimeter - e.g. DDoS, firewalls
Identity & access - e.g. Azure AD
Physical - e.g. door locks and key cards

Network Security Group (NSG)

Azure Firewall

Azure DDoS Protection

Describe Identity, Governance, Privacy, and Compliance Features (20-25%)

What is “Identity”?

In computing, “identity” is a representation of a person, application or device

Examples of Identity
John Henry Doe
johndoe@example.com
Monthly Payroll Application
The laser printer at 6th Floor West

Usually requires a password, a secret key or a certificate to prove

Many applications require you to log in to use some of their functionality

How It’s Traditionally Handled

Client-Server Model
(Diagram: client apps - a web browser or mobile app - send a user ID and password to the server (web site), which checks them against its DB)

Traditionally, companies have written their own code to handle this

Some of the more famous “hacks” have been on custom created identity systems

Hacks
Some companies were storing the password in “plain text”
Some companies were using a simple, reversible hash algorithm (MD5)
Some companies were storing the “salt” along with the data
Not enforcing password change policies
Not enforcing password complexity policies

Azure provides an identity management system based on their popular “Active Directory”

Azure Active Directory (Azure AD or AAD)

Azure Active Directory is not the same as Active Directory

Traditional AD does not work with Internet protocols

Azure AD provides “identity as a service”

Instead of having to write code to handle users, passwords, password reset

The AAD Model
(Diagram: the client app - browser or mobile app - sends the user ID and password to the identity provider and receives a signed token; the client presents the signed token to the web server, which trusts the identity provider’s key)

SAML
OpenID
WS-Federation

Benefits of Azure AD

Security

Reduced development time, easier support

More features

Centralized administration

Only one user ID and password - Single Sign-On

Integration with other Azure services

The difference between Authentication and Authorization

Authentication is a user proving who they are - user ID and password

Authorization is ensuring that a user is permitted to perform an action

Move away from all authenticated users having admin access

Azure Active Directory

Microsoft’s preferred solution for identity management

Azure AD Powers Other Microsoft Services
Azure
Skype
Outlook
OneDrive
Xbox
Office 365 - Teams, SharePoint, Power BI, etc.

Complete solution for managing users, groups, roles

Single sign-on

Synchronize with your corporate AD

Conditional Access

User A attempts to log in to the app from within the company office, as she does every day

User B attempts to log in to the app for the first time in 4 months

Administrator C attempts to log in to the app from their phone

Administrator D attempts to log in to the app from a location 1200 miles from the office

You can treat some access attempts as “routine”, and some as “not normal”
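The four scenarios above, turned into a small sign-in classifier as an added example (this is illustrative code written for these notes, not Azure AD’s Conditional Access engine); the thresholds, field names and sample sign-ins are constructed assumptions.

```python
# Added example (not from the course slides): label sign-in attempts "routine"
# or "not normal" and record which signals fired, in the spirit of Conditional
# Access. Thresholds, fields and sample events are constructed for illustration.
from dataclasses import dataclass, field
from typing import Dict, List

OFFICE_RADIUS_MILES = 50   # assumption: beyond this counts as "far from the office"
DORMANT_DAYS = 90          # assumption: ~3 months without a sign-in counts as dormant


@dataclass
class SignIn:
    user: str
    is_admin: bool
    miles_from_office: float
    device: str                 # "workstation", "phone", ...
    days_since_last_signin: int


@dataclass
class Verdict:
    label: str                  # "routine" or "not normal"
    signals: List[str] = field(default_factory=list)


def classify(attempt: SignIn) -> Verdict:
    """Check the conditions behind the slide's four scenarios; any hit is 'not normal'."""
    signals: List[str] = []
    if attempt.days_since_last_signin >= DORMANT_DAYS:
        signals.append("dormant account")            # User B: first sign-in in 4 months
    if attempt.is_admin and attempt.device == "phone":
        signals.append("admin from mobile device")   # Administrator C
    if attempt.miles_from_office > OFFICE_RADIUS_MILES:
        signals.append("unfamiliar location")        # Administrator D: 1200 miles away
        if attempt.is_admin:
            signals.append("privileged role")        # risk compounds for admin accounts
    label = "not normal" if signals else "routine"   # User A: nothing fires
    return Verdict(label, signals)


def triage(attempts: List[SignIn]) -> Dict[str, str]:
    """Map each user to a label; "not normal" is what a policy would send to MFA."""
    return {a.user: classify(a).label for a in attempts}


# Constructed sample events mirroring the slide's four scenarios.
SAMPLE_ATTEMPTS = [
    SignIn("user_a", False, 0.0, "workstation", 1),
    SignIn("user_b", False, 0.0, "workstation", 120),
    SignIn("admin_c", True, 0.0, "phone", 1),
    SignIn("admin_d", True, 1200.0, "workstation", 1),
]

if __name__ == "__main__":
    for a in SAMPLE_ATTEMPTS:
        v = classify(a)
        print(f"{a.user:8} {v.label:11} {', '.join(v.signals) or '-'}")
```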

Azure Multi-Factor Authentication

Require 2 or more pieces of evidence (factors) in order to log in

Three Factors
Something you know - e.g. password
Something you have - e.g. mobile phone, access to email account
Something you are - e.g. fingerprint

Your unique password could be 1 piece of evidence

But a second piece of evidence is required - a unique, time-limited code sent to you

SMS, email, authenticator app, phone call

Role-Based Access Control (RBAC)

Microsoft’s preferred solution for access control

Create roles that represent the common tasks of the job

Accountant
Developer
Business Lead

Assign granular permissions to that role

Assign users to that role

Do not assign granular permissions to an individual

Reader
Contributor
Owner

Locks

Read Only
Can Not Delete

Using RBAC, you can restrict who has access to locks

Resource Tags

Can add metadata to Azure resources

Helps with billing and support issues

Azure Policy

Governance

Create rules across all of your Azure resources

Evaluate compliance to those rules

Examples of Built-In Policies
Require SQL Server 12.0
Allowed Storage Account SKUs
Allowed Locations
Allowed Virtual Machine SKUs
Apply tag and its default value
Not allowed resource types

Can create custom policies using a JSON definition
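What such a JSON definition looks like for the “Allowed Locations” case, and how its rule is evaluated against resources, as an added example not taken from the course: the policy follows the layout Azure Policy uses (an “if” condition, a “then” effect, parameters), while the evaluator is a teaching model written for these notes, not Azure’s engine, and the resource inventory is constructed.

```python
# Added example (not from the course slides): an "allowed locations" custom
# policy in Azure Policy's JSON layout, plus a small evaluator that lists the
# resources its rule would match. The evaluator is a teaching model (not Azure's
# engine) and implements only the operators used here: field/in/equals/not/allOf/anyOf.
import json
from typing import Any, Dict, List

# Custom definition: deny anything outside the allowed regions, except resource
# groups (the built-in policy exempts them because they are not region-bound).
ALLOWED_LOCATIONS_POLICY = json.loads("""
{
  "properties": {
    "displayName": "Allowed locations (custom)",
    "mode": "All",
    "parameters": {
      "listOfAllowedLocations": {
        "type": "Array",
        "defaultValue": ["canadacentral", "canadaeast"]
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {"not": {"field": "location", "in": "[parameters('listOfAllowedLocations')]"}},
          {"not": {"field": "type", "equals": "Microsoft.Resources/resourceGroups"}}
        ]
      },
      "then": {"effect": "deny"}
    }
  }
}
""")


def resolve(value: Any, params: Dict[str, Any]) -> Any:
    """Expand a "[parameters('name')]" reference to that parameter's default value."""
    if isinstance(value, str) and value.startswith("[parameters('") and value.endswith("')]"):
        name = value[len("[parameters('"):-len("')]")]
        return params[name]["defaultValue"]
    return value


def matches(condition: Dict[str, Any], resource: Dict[str, str], params: Dict[str, Any]) -> bool:
    """Recursively evaluate a policy condition against one resource (case-insensitive)."""
    if "not" in condition:
        return not matches(condition["not"], resource, params)
    if "allOf" in condition:
        return all(matches(c, resource, params) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(matches(c, resource, params) for c in condition["anyOf"])
    actual = resource.get(condition["field"], "").lower()
    if "in" in condition:
        return actual in [v.lower() for v in resolve(condition["in"], params)]
    if "equals" in condition:
        return actual == resolve(condition["equals"], params).lower()
    raise ValueError(f"unsupported condition: {condition}")


def evaluate_policy(policy: Dict[str, Any], resources: List[Dict[str, str]]) -> Dict[str, str]:
    """Return {resource name: effect} for every resource the "if" clause matches."""
    props = policy["properties"]
    rule, params = props["policyRule"], props["parameters"]
    return {r["name"]: rule["then"]["effect"] for r in resources if matches(rule["if"], r, params)}


# Constructed inventory: two compliant resources, one in a disallowed region,
# and a resource group that the second condition exempts from the check.
SAMPLE_RESOURCES = [
    {"name": "web-vm-01", "type": "Microsoft.Compute/virtualMachines", "location": "canadacentral"},
    {"name": "logs-sa", "type": "Microsoft.Storage/storageAccounts", "location": "CanadaEast"},
    {"name": "test-vm", "type": "Microsoft.Compute/virtualMachines", "location": "westus"},
    {"name": "rg-prod", "type": "Microsoft.Resources/resourceGroups", "location": "westus"},
]

if __name__ == "__main__":
    print(evaluate_policy(ALLOWED_LOCATIONS_POLICY, SAMPLE_RESOURCES))   # {'test-vm': 'deny'}
```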

Azure Blueprints

Azure Subscription templates with Roles and Policies already defined

Cloud Adoption Framework for Azure

Set of documentation, guidance, tools

Best practices for succeeding in the cloud

Core Tenets of Security, Privacy and Compliance

Azure: Trusted Cloud
Security
Privacy
Compliance
Resiliency
Intellectual Property (IP) protection

Security
Azure is built with security in mind
Azure delivers tools and technologies to help organizations protect applications and data
Azure uses encryption
Azure offers advanced tools to detect and defend against security threats

Privacy
You own all your data in Azure
Microsoft will not mine your data or use it for marketing
You control where the data is located and who has access
You can access your own data at any time for any reason
Microsoft follows a specific policy for government and law enforcement requests
Microsoft follows a specific policy to remove data if you discontinue using their service

Compliance
Microsoft follows international standards and helps customers to follow those standards too if they wish
Azure has more than 90 compliance certifications
Azure follows more than 50 regional standards
Azure can help with standards in more than 35 industries like health care, government, finance, etc.

Reliability and Resiliency
High availability
Disaster recovery
Backup

Protecting IP
You can build your solutions on top of Azure’s products and services
Azure offers specific protections against frivolous infringement claims
See: Azure IP Advantage and Shared Innovation Initiative

Microsoft Privacy Statement

privacy.microsoft.com

Online Service Terms (OST)

Data Protection Addendum (DPA)

Trust center

ervices/azure

Compliance terms such as GDPR, ISO and NIST

Many different standards for technology across the world

Microsoft claims to be in compliance with many of them

And has tools to help you be in compliance with others

General Data Protection Regulation (GDPR)
GDPR is a new set of rules designed to give EU citizens more control over their personal data
Affects companies outside of the EU that handle EU citizens’ data
Data has to be collected legally under strict conditions
Data has to be protected from misuse
Reporting obligations if data is mishandled

ISO - International Organization for Standardization

ISO 9001:2015 is for Quality Management Systems (QMS)

ISO/IEC 20000-1:2011 is for Service Management Systems (SMS)

NIST Cybersecurity Framework (CSF)
National Institute of Standards and Technology (NIST)
Audited for compliance to security and privacy processes

Azure Sovereign Regions

Separate account

For US government agencies - federal, state and local

Department of Defense (DoD) has its own too

Isolated data centers separate from the Azure public cloud

Meets standards specific to government

FedRAMP, NIST 800-171 (DIB), ITAR, IRS 1075, DoD L4, and CJIS

portal.azure.us

Different URLs for connecting to storage, functions, etc.

Azure China

Separate account

Data remains in China

Describe Azure Cost Management and Service Level Agreements (10-15%)

Factors affecting costs

Different services are billed based on different factors

Free services

Free services
Resource groups
Virtual network (up to 50)
Load balancer (basic)
Azure Active Directory (basic)
Network security groups
Free-tier web apps (up to 10)

Pay per usage (consumption model)

Opportunity for cost savings
Azure Functions: 1 million executions free per month, 0.20 per million executions
Cheapest virtual machine is 20 per month

Pay per usage services
Functions
Logic Apps
Storage (pay per GB)
Outbound bandwidth
Cognitive Services API

Pay for time (per second)

Per second billing means billing stops when the VM is stopped *

Stability in pricing
Pay a fixed price per month for computing power or storage capacity
Whether you use it or not
Discounts for 1-year or 3-year commitment in VM (Reserved Instances)
Multi-tenant or isolated environment

Pay for bandwidth

First 5 GB is free

Inbound data is free

Bandwidth costs
Outbound data, 0.05 to 0.087 / GB for Zone 1 (NA and EU w/o Germany)
Outbound data, 0.057 to 0.10 / GB for DE Zone 1 (Germany)
Outbound data, 0.08 to 0.12 / GB for Zone 2 (Asia, Africa and Oceania)
Outbound data, 0.16 to 0.181 / GB for Zone 3 (Brazil)
(Availability zone pricing is different)

1 PB of data transfer - 52,000

Best practices for minimizing Azure costs

Azure Advisor cost tab

Auto shutdown on dev/QA resources

Utilize cool/archive storage where possible

Reserved instances

Configure alerts when billing exceeds an expected level

Use Policy to restrict access to certain expensive resources

Auto scaling resources

Downsize when resources are over-provisioned

Ensure every resource has an owner (tags)

Spot Pricing

Ability to use a virtual machine when nobody is using it, for a discounted price

But when someone needs to use it, you get kicked off

Like a “last minute” travel website

Or the “same day tickets” window at a Broadway show

Pricing calculator

or/

Estimates are hard to make 100% accurate

Configurable Options
Region
Tier
Subscription Type
Support Options
Dev/Test Pricing

Export and share the estimate

Total Cost of Ownership (TCO) calculator

The cost of a server is more than just the cost of the hardware

Other costs
Electricity
Cooling
Internet connectivity
Rack space
Setup labor
Maintenance labor
Backup

ulator/

Azure Cost Management

Another free tool inside Azure to analyze spending

Analyze spending over time

Tracking against budgets

Schedule reports

Service Level Agreement (SLA)

a/

Preview features

Preview features are for “testing” and not production use

Could change significantly before it goes live

May not go live

Public and Private Preview

Public preview available to everyone

Private preview requires registration

General Availability (GA)

Thank you and best of luck!

Grab Your Free Resources
Located at the end of the course:
Free PDF Study Guide
Download the slides and MP3 audio if you like to study offline
50 question practice test
