AZ-900 Microsoft Azure Fundamentals. Scott Duffy, Instructor. 2019 Scott Duffy, softwarearchitect.ca. Get the course for these slides at: https://www.udemy.com/az900-azure/?couponCode SLIDESDISC
Microsoft Azure Fundamentals: “foundational level knowledge of cloud services and how those services are provided with Microsoft Azure”
Microsoft Azure Fundamentals: Candidates with non-technical backgrounds; Candidates with a technical background who have a need to validate their foundational level knowledge around cloud services
Microsoft Azure Fundamentals: Understand cloud concepts; Understand core Azure services; Understand security, privacy, compliance and trust; Understand Azure pricing and support
You’ll be prepared to take and pass the AZ-900 exam
But you don’t have to, if you just want to learn cloud concepts
What is the Cloud?
The ability to rent computing resources on demand
What Computing Resources? Virtual Machines; Unlimited Storage; Databases; Queues; Content Delivery Network; Batch Processing Jobs
What Computing Resources? Big Data - Hadoop; Media Services; Machine Learning; Chat Bots; Cognitive Services
1000 Azure Service options
Understand Cloud Concepts (15-20%)
High Availability
Expressed as a percentage, it’s the ability of a system to respond to users
99.99%: Four nines, 4 minutes per month
Scalability
The ability of a system to handle growth of users or work
App failure; Max capacity; Number of concurrent users
Elasticity
The ability of a system to automatically grow and shrink based on application demand
Capacity; User demand
Agility
The ability to change rapidly based on changes to market or environment
Fault Tolerance
The ability of a system to handle faults like power, networking, or hardware failures
Disaster Recovery
The ability of a system to recover from failure within a period of time, and how much data is lost
Economies of Scale
It’s cheaper for Microsoft to run a server than you can ever achieve yourself
Capital Expenditure (CapEx) and Operational Expenditure (OpEx)
CapEx is money invested in assets (like computers) that return investment over time
OpEx is money spent every day on operating expenses
Consumption-Based Model
Pay per minute; Pay per hour; Pay per execution
Infrastructure-as-a-Service (IaaS)
Virtual machines, networking, load balancers, firewalls
Platform-as-a-Service (PaaS)
Upload code packages and have them run, without access to the hardware
Software-as-a-Service (SaaS)
Access to configuration only
Compare and Contrast
Public cloud
Computing services offered over the public Internet; anyone can sign up
Private cloud
Computing services offered to only select users; internal or corporate cloud
Hybrid cloud
Combination of public and private clouds; scale private infrastructure to the cloud
Compare and Contrast
Public vs private vs hybrid
Understand Core Azure Services (30-35%)
Regions
54 Regions - not all accessible by everyone
Availability Zones
Resource Groups
Azure Resource Manager (ARM)
Core Azure architectural components
Compute: Virtual Machines; Virtual Machine Scale Sets; App Service; Functions
Networking: Virtual Network; Load Balancer; VPN Gateway; Application Gateway; Content Delivery Network
Storage: Azure Storage - Blob, File, Table, Queue; Managed Disk; Backup and Recovery Storage
Databases: Cosmos DB; Azure SQL Database; Azure Database Migration service; Azure SQL Data Warehouse
Azure Marketplace
Internet of Things (IoT): IoT Fundamentals; IoT Hub; IoT Central
Big Data and Analytics: SQL Data Warehouse; HDInsight; Data Lake Analytics
Artificial Intelligence (AI): Azure Machine Learning Service; Studio
Serverless: Azure Functions; Logic Apps; App grid
Azure Tools: Azure CLI; PowerShell; Azure Portal
Azure Advisor
Understand Security, Privacy, Compliance, and Trust (25-30%)
Azure Firewall
Azure DDoS Protection
Network Security Group (NSG)
Choose an appropriate Azure security solution
All virtual network subnets should use NSG
It’s a strong lock on windows and doors that you don’t use
DDoS - as needed or after being attacked
Application Gateway with WAF
Security through layers
The difference between Authentication and Authorization
Authentication is a user proving who they are - user id and password
Authorization is ensuring that a user is permitted to perform an action
Move away from all authenticated users having admin access
Azure Active Directory
Identity as a service (IDaaS)
Microsoft’s preferred solution for identity management
Complete solution for managing users, groups, roles
Single-sign on
Synchronize with your corporate AD
Azure Multi-Factor Authentication
First factor is your user id - might be easy to guess
Second factor is your password - hopefully hard to guess
(Also hopefully unique)
Third factor is that you have your phone on you
SMS, authenticator app, phone call
Azure Security
Physical vs digital security
Shared security model
Azure AD
MFA
Role-Based Access Control (RBAC)
Layered approach
Security Layers: Data - i.e. virtual network endpoint; Application - i.e. API Management; Compute - i.e. Limit Remote Desktop access, Windows Update; Network - i.e. NSG, use of subnets, deny by default; Perimeter - i.e. DDoS, firewalls; Identity & access - i.e. Azure AD; Physical - i.e. Door locks and key cards
Azure Security Center usage scenarios
Unified security management and advanced threat protection
Free tier and Standard tier
Key Vault
Central, secure repository for your secrets, certificates and keys
Azure Information Protection (AIP)
Apply labels to emails and documents
i.e. Confidential, Super Confidential, Top Secret
Used to protect documents from being viewed, printed and/or shared
Azure Advanced Threat Protection (ATP)
Monitor and profile user behavior and activities
Protect user identities and reduce the attack surface
Identify suspicious activities and advanced attacks
Investigate alerts and user activities
Azure Policy
Governance
Create rules across all of your Azure resources
Evaluate compliance to those rules
Examples of Built-In Policies: Require SQL Server 12.0; Allowed Storage Account SKUs; Allowed Locations; Allowed Virtual Machine SKUs; Apply tag and its default value; Not allowed resource types
Can create custom policies using JSON definition
Policy Initiatives
A set of policies, grouped together
“Every resource and resource group must have these five tags.”
10 policies that need to be enforced
Grouped together as a policy initiative
Role-Based Access Control (RBAC)
Microsoft recommended solution for access control
Create roles that represent the common tasks of the job
Accountant; Developer; Business Lead
Assign granular permissions to that role
Assign users to that role
Do not assign granular permissions to an individual
Reader; Contributor; Owner
Locks
Read Only; Can Not Delete
Using RBAC, you can restrict who has access to locks
Azure Advisor security assistance
Azure Monitor
Azure Service Health
Azure Monitor vs Azure Service Health
Azure Monitor collects all the data for you to analyze and create alerts on
Specific to your application, your actions
Azure Service Health covers general alerts across all of Azure
Compliance terms such as GDPR, ISO and NIST
Many different standards for technology across the world
Microsoft claims to be in compliance with many of them
And has tools to help you be in compliance with others
General Data Protection Regulation (GDPR): GDPR is a new set of rules designed to give EU citizens more control over their personal data; Affects companies outside of the EU that handle EU citizens' data; Data has to be collected legally under strict conditions; Data has to be protected from misuse; Reporting obligations if data is mishandled
ISO - International Organization for Standardization
ISO 9001:2015 is for Quality Management Systems (QMS)
ISO/IEC 20000-1:2011 is for Service Management Systems (SMS)
NIST Cybersecurity Framework (CSF): National Institute of Standards and Technology (NIST); Audited for compliance to security and privacy processes
Microsoft Privacy Statement
privacy.microsoft.com
Trust center
ervices/azure
Service Trust Portal
servicetrust.microsoft.com
Compliance Manager
Workflow-based risk assessment tool to help you manage regulatory compliance
Azure Government services
Separate account
For US government agencies - federal, state and local
Department of Defense (DoD) has its own too
Isolated datacenters separate from the Azure public cloud
Meets standards specific to government
FedRAMP, NIST 800.171 (DIB), ITAR, IRS 1075, DoD L4, and CJIS
portal.azure.us
Different URLs for connecting to storage, functions, etc.
Azure Germany services
Separate account
Data remains in Germany
Strictest EU data protection
German Data trustee
Understand Azure Pricing and Support (25-30%)
Azure Subscription
Subscription is a billing unit
Users have access to one or more subscriptions, with different roles
All resources consumed by a subscription will be billed to the owner
Can be used to organize resources into completely distinct accounts
Management groups
Purchasing Azure products and services
Purchase from Microsoft: Pay as you go; Enterprise Agreement
Negotiated; Minimum Spend; Annual; Custom Prices
Purchase from a Microsoft Partner: Microsoft Cloud Solution Provider (CSP)
Azure Free account
http://azure.microsoft.com/free
US$200 credit for the first 30 days
12 months of free services
Some services are always free
Factors affecting costs
Different services are billed based on different factors
Free services
Free services: Resource groups; Virtual network (up to 50); Load balancer (basic); Azure Active Directory (basic); Network security groups; Free-tier web apps (up to 10)
Pay per usage (consumption model)
Opportunity for cost savings: Azure Functions - 1 million executions free per month; $0.20 per million executions; Cheapest virtual machine is $20 per month
Pay per usage services: Functions; Logic Apps; Storage (pay per GB); Outbound bandwidth; Cognitive Services API
Pay for time (per second)
Per second billing means billing stops when the VM is stopped *
Stability in pricing: Pay a fixed price per month for computing power or storage capacity; Whether you use it or not; Discounts for 1-year or 3-year commitment in VM (Reserved Instances); Multi-tenant or isolated environment
Pay for bandwidth
First 5 GB is free
Inbound data is free
Bandwidth costs: Outbound data, $0.05 to $0.087 / GB for Zone 1 (NA and EU w/o Germany); Outbound data, $0.057 to $0.10 / GB for DE Zone 1 (Germany); Outbound data, $0.08 to $0.12 / GB for Zone 2 (Asia, Africa and Oceania); Outbound data, $0.16 to $0.181 / GB for Zone 3 (Brazil); (Availability zone pricing is different)
1 PB of data transfer: $52,000
Zones for billing purposes
Zone is a geographical grouping of Azure Regions for billing purposes
Zone 1: United States, Europe, Canada, UK, France
Zone 2: Asia Pacific, Japan, Australia, India, Korea
Zone 3: Brazil South
DE Zone 1: Germany Central, Germany Northeast
Pricing calculator
or/
Estimates are hard to make 100% accurate
Configurable Options: Region; Tier; Subscription Type; Support Options; Dev/Test Pricing
Export and share the estimate
Total Cost of Ownership (TCO) calculator
The cost of a server is more than just the cost of the hardware
Other costs: Electricity; Cooling; Internet connectivity; Rack space; Setup labor; Maintenance labor; Backup
ulator/
Best practices for minimizing Azure costs
Azure Advisor cost tab
Auto shutdown on dev/qa resources
Utilize cool/archive storage where possible
Reserved instances
Configure alerts when billing exceeds an expected level
Use Policy to restrict access to certain expensive resources
Auto scaling resources
Downsize when resources are over-provisioned
Ensure every resource has an owner (tags)
Azure Cost Management
Another free tool inside Azure to analyze spending
Analyze spending over time
Tracking against budgets
Schedule reports
Support plans
Levels of Azure Support: Basic - free and included in all plans; Developer - non-production environments; Standard - production environments; Professional Direct - business critical; Premier - multiple products, including Azure
Basic Support: Self-help support; Documentation; Azure Advisor recommendations; Service Health dashboard and Health API
Developer Support: Business hours access to support engineers via email; Unlimited contacts / cases; Sev C - Non-business critical; One day response time ( 8 hours); General architectural guidance; $29 / month
Standard Support: 24 x 7 access to support engineers by phone and email; Unlimited contacts / cases; S
Microsoft Azure Fundamentals Understand cloud concepts Understand core Azure services Understand security, privacy, compliance and trust Understand Azure pricing and support