Full Cloud PDF
NO
A platform as a service (PaaS) solution that hosts web apps in Azure provides the ability to scale the platform automatically
YES
A platform as a service (PaaS) solution that hosts web apps in Azure provides professional development services to continuously add features to custom applications
YES
Azure provides flexibility between capital expenditure (CapEx) and operational expenditure (OpEx)
YES
If you create two Azure virtual machines that use the B2S size, each virtual machine will always generate the same monthly costs
NO
When an Azure virtual machine is stopped, you continue to pay the storage costs associated with the virtual machine
YES
When you are implementing a Software as a Service (SaaS) solution, you are responsible for
A. fault tolerance
B. elasticity
C. scalability
D. low latency
An organization that hosts its infrastructure IN THE PUBLIC CLOUD no longer requires a data center.
What are two characteristics of the public cloud? Each correct answer presents a complete
solution.
NOTE: Each correct selection is worth one point.
A. dedicated hardware
B. unsecured connections
C. limited storage
D. metered pricing
E. self-service management
Your company plans to migrate all its data and resources to Azure.
The company's migration plan states that only Platform as a Service (PaaS) solutions must be used in Azure.
You need to deploy an Azure environment that meets the company migration plan.
Solution: You create an Azure App Service and Azure SQL databases.
Does this meet the goal?
YES, Azure App Service and Azure SQL databases are examples of Azure PaaS solutions.
Therefore, this solution does meet the goal.
Your company plans to migrate all its data and resources to Azure.
The company's migration plan states that only Platform as a Service (PaaS) solutions must be used in Azure.
You need to deploy an Azure environment that meets the company migration plan.
Solution: You create an Azure App Service and Azure virtual machines that have
Microsoft SQL Server installed.
Does this meet the goal?
NO, Azure App Service is a PaaS (Platform as a Service) service. However, Azure virtual
machines are an IaaS (Infrastructure as a Service) service. Therefore, this solution does not
meet the goal.
Your company plans to migrate all its data and resources to Azure.
The company's migration plan states that only Platform as a Service (PaaS) solutions must be used in Azure.
You need to deploy an Azure environment that meets the company migration plan.
Solution: You create an Azure App Service and Azure Storage accounts.
Does this meet the goal?
NO, Azure App Service is a PaaS (Platform as a Service) service. However, Azure Storage
accounts are an IaaS (Infrastructure as a Service) service. Therefore, this solution does not
meet the goal.
Your company hosts an accounting application named App1 that is used by all the
customers of the company.
App1 has low usage during the first three weeks of each month and very high usage during
the last week of each month.
Which benefit of Azure Cloud Services supports cost management for this type of usage
pattern?
A. high availability
B. high latency
C. elasticity
D. load balancing
You plan to migrate a web application to Azure. The web application is accessed by external
users.
You need to recommend a cloud deployment solution to minimize the amount of
administrative effort used to manage the web application.
What should you include in the recommendation?
To achieve a hybrid cloud model, a company must always migrate from a private cloud model
NO
A company can extend the capacity of its internal network by using the public cloud
YES
In a public cloud model, only guest users at your company can access the resources in the cloud
NO
You plan to migrate several servers from an on-premises network to Azure.
What is an advantage of using a public cloud service for the servers over an on-premises
network?
In which type of cloud model are all the hardware resources owned by a third-party and
shared between multiple tenants?
A. private
B. hybrid
C. public
An Azure web app that queries an on-premises Microsoft SQL server is an example of a HYBRID cloud
You have 1,000 virtual machines hosted on the Hyper-V hosts in a data center.
You plan to migrate all the virtual machines to an Azure pay-as-you-go subscription.
You need to identify which expenditure model to use for the planned Azure solution.
Which expenditure model should you identify?
A. operational
B. elastic
C. capital
D. scalable
A cloud service that remains available after a failure occurs FAULT TOLERANCE
A cloud service that can be recovered after a failure occurs DISASTER RECOVERY
A cloud service that performs quickly when demand increases DYNAMIC SCALABILITY
A cloud service that can be accessed quickly from the internet LOW LATENCY
To implement a hybrid model, a company must have an internal network
NO
A company can extend the computing resources of its internal network by using a hybrid cloud
YES
In a public cloud model, only guest users at your company can access the resources in the cloud.
NO
A platform as a service (PaaS) solution provides full control of the operating systems that host applications
NO
A platform as a service (PaaS) solution provides additional memory to apps by changing pricing tiers
NO
A platform as a service (PaaS) solution can automatically scale the number of instances
YES
NO
Paying electricity for our datacenter is an example of OpEx
NO
YES
PUBLIC CLOUD
PRIVATE CLOUD
HYBRID CLOUD
A company can extend a private cloud by adding its own physical servers to the public cloud
NO
To build a hybrid cloud, you must deploy resources to the public cloud
YES
NO
You have 50 virtual machines hosted on-premises and 50 virtual machines hosted in Azure.
The on-premises virtual machines and the Azure virtual machines connect to each other.
Which type of cloud model is this?
A. hybrid
B. private
C. public
A platform as a service (PaaS) solution that hosts web apps in Azure provides full control of the operating systems that host applications
NO
A platform as a service (PaaS) solution that hosts web apps in Azure can be provided with additional memory by changing the pricing tier
YES
A platform as a service (PaaS) solution that hosts web apps in Azure can be configured to automatically scale the number of instances based on demand
YES
Your company plans to migrate all its data and resources to Azure.
The company's migration plan states that only Platform as a Service (PaaS) solutions must be used in Azure.
You need to deploy an Azure environment that meets the company migration plan.
Solution: You create Azure virtual machines, Azure SQL databases, and Azure Storage accounts.
Does this meet the goal?
A. Yes
B. No
Your company plans to deploy several custom applications to Azure. The applications will
provide invoicing services to the customers of the company. Each application will have
several prerequisite applications and services installed.
You need to recommend a cloud deployment solution for all the applications.
What should you recommend?
NO
Monthly salaries for technical personnel are an example of operational expenditure (OpEx) costs
YES
YES
NO
With infrastructure as a service (IaaS), you must install the software that you want to use.
YES
YES
NO
NO
YES
You can use Availability Zones in Azure to protect Azure virtual machines from a datacenter failure.
YES
You can use Availability Zones in Azure to protect Azure virtual machines from a region failure
NO
You can use Availability Zones in Azure to protect Azure virtual machines from a datacenter failure.
YES
NO
YES
An Azure resource group can contain multiple Azure subscriptions
NO
An Azure region contains one or more data centers that are connected by using a low-latency network.
Instructions: Review the underlined text. If it makes the statement correct, select "No change is needed". If the statement is incorrect, select the answer choice that makes the statement correct.
A. No change is needed
B. Is found in each country where Microsoft has a subsidiary office
C. Can be found in every country in Europe and the Americas only
D. Contains one or more data centers that are connected by using a high-latency
network
You plan to deploy 20 virtual machines to an Azure environment. To ensure that a virtual machine
named VM1 cannot connect to the other virtual machines, VM1 must
When you need to delegate permissions to several Azure virtual machines simultaneously, you must
deploy the Azure virtual machines
A. Yes
B. No
One of the benefits of Azure SQL Data Warehouse is that high availability is built into the
platform.
Instructions: Review the underlined text. If it makes the statement correct, select "No change is needed". If the statement is incorrect, select the answer choice that makes the statement correct.
A. No change is needed
B. automatic scaling
C. data compression
D. versioning
You plan to deploy several Azure virtual machines.
You need to ensure that the services running on the virtual machines are available if a single
data center fails.
Solution: You deploy the virtual machines to two or more regions.
Does this meet the goal?
A. Yes
B. No
Azure resources can only access other resources in the same resource group
NO
If you delete a resource group all the resources in the resource group will be deleted
YES
YES
You plan to store 20 TB of data in Azure. The data will be accessed infrequently and
visualized by using Microsoft Power BI.
You need to recommend a storage solution for the data.
Which two solutions should you recommend? Each correct answer presents a complete
solution.
NOTE: Each correct selection is worth one point.
You have an Azure environment that contains 10 web apps. To which URL should you
connect to manage all the Azure resources? To answer, select the appropriate options in the
answer area.
HTTPS://PORTAL.AZURE.COM
You need to identify the type of failure for which an Azure Availability Zone can be used to
protect access to Azure services.
What should you identify?
You typically pay only for the cloud services you use:
• Reliability: Depending on the service-level agreement that you choose, your cloud-based
applications can provide a continuous user experience with no apparent downtime even
when things go wrong.
• Scalability: Applications in the cloud can be scaled in two ways, while taking advantage of
autoscaling:
• Elasticity: Cloud-based applications can be configured to always have the resources they
need.
• Agility: Cloud-based resources can be deployed and configured quickly as your application
requirements change.
• Geo-distribution: Applications and data can be deployed to regional datacenters around the
globe, so your customers always have the best performance in their region.
• Disaster recovery: By taking advantage of cloud-based backup services, data replication, and
geo-distribution, you can deploy your applications with the confidence that comes from
knowing that your data is safe in the event that disaster should occur.
• IaaS: A cloud provider keeps the hardware up to date, but operating system maintenance
and network configuration is left to the cloud tenant. Advantage: rapid deployment of new
compute devices, setting up a new virtual machine is considerably faster.
• PaaS: The cloud provider manages the virtual machines and networking resources, and the
cloud tenant deploys their applications into the managed hosting environment.
• SaaS: In this cloud service model, the cloud provider manages all aspects of the application
environment, such as virtual machines, networking resources, data storage, and
applications. The cloud tenant only needs to provide their data to the application managed
by the cloud provider. For example: Office 365.
Responsibilities
Serverless computing
• It enables developers to build applications faster by eliminating the need for them to
manage infrastructure.
• The cloud service provider automatically provisions, scales, and manages the infrastructure
required to run the code.
• Serverless architectures are highly scalable and event-driven. They use resources only when
a specific function or trigger occurs.
• The serverless name comes from the fact that the tasks associated with infrastructure
provisioning and management are invisible to the developer.
Public cloud: Services are offered over the public internet and available to anyone who wants to
purchase them. Cloud resources like servers and storage are owned and operated by a third-party
cloud service provider and delivered over the internet.
Private cloud: Computing resources are used exclusively by users from one business or organization.
A private cloud can be physically located at your organization's on-site datacenter. It also can be
hosted by a third-party service provider.
Hybrid cloud: This computing environment combines a public cloud and a private cloud by allowing
data and applications to be shared between them
Azure
• Azure provides more than 100 services that enable you to do everything from running your
existing applications on virtual machines to exploring new software paradigms, such as
intelligent bots and mixed reality.
• Azure provides AI and machine-learning services that can naturally communicate with your
users through vision, hearing, and speech.
• It also provides storage solutions that dynamically grow to accommodate massive amounts
of data. Azure services enable solutions that aren't feasible without the power of the cloud.
Azure services
Compute services: Azure Virtual Machines, Azure Kubernetes Service, Azure Container Instances,
Azure Functions
Networking services: Azure Virtual Network, Azure Firewall, Azure VPN Gateway
Storage services: Azure Blob Storage, Azure File Storage, Azure Queue Storage, Azure Table Storage
Consumption-based model
End users only pay for the resources that they use. Whatever they use is what they pay for.
Advantages:
• No upfront costs.
• No need to purchase and manage costly infrastructure that users might not use to its
fullest.
• The ability to pay for additional resources when they are needed.
• The ability to stop paying for resources that are no longer needed.
Costs
Capital Expenditure (CapEx) is the up-front spending of money on physical infrastructure, and then
deducting that up-front expense over time. The up-front cost from CapEx has a value that reduces
over time.
Operational Expenditure (OpEx) is spending money on services or products now, and being billed
for them now. You can deduct this expense in the same year you spend it. There is no up-front cost,
as you pay for a service or product as you use it.
IaaS
It aims to give you complete control over the hardware that runs your application. Instead of buying
hardware, with IaaS, you rent it.
Advantages:
• No CapEx.
• The shared responsibility model applies; the user manages and maintains the
services they have provisioned, and the cloud provider manages and maintains the
cloud infrastructure.
• Organizations pay only for what they use and operate under an Operational
Expenditure (OpEx) model.
• No deep technical skills are required to deploy, use, and gain the benefits of a public
cloud.
• IaaS is the most flexible cloud service because you have control to configure and
manage the hardware running your application.
PaaS
It aims to give you complete control over the hardware that runs your application. Instead of buying
hardware, with IaaS, you rent it.
Advantages:
• No CapEx.
• PaaS is more agile than IaaS, and users don't need to configure servers for running
applications.
• Users pay only for what they use, and operate under an OpEx model.
• No deep technical skills are required to deploy, use, and gain the benefits of PaaS.
• Users can focus on application development only, because the cloud provider
handles all platform management. Working with distributed teams as services is
easier because the platform is accessed over the internet. You can make the
platform available globally more easily.
SaaS
SaaS is software that's centrally hosted and managed for you and your users or customers. Usually
one version of the application is used for all customers, and it's licensed through a monthly or annual
subscription.
SaaS provides the same benefits as IaaS, but again there are some additional benefits to be aware of
too.
Advantages:
• No CapEx.
• Users can provide staff with access to the latest software quickly and easily.
• Users pay for the software they use on a subscription model, typically monthly or
yearly, regardless of how much they use the software.
• No deep technical skills are required to deploy, use, and gain the benefits of SaaS.
• Users can access the same application data from anywhere.
• Resources: Resources are instances of services that you create, like virtual machines,
storage, or SQL databases.
• Resource groups: Resources are combined into resource groups, which act as a logical
container into which Azure resources like web apps, databases, and storage accounts are
deployed and managed.
• Subscriptions: A subscription groups together user accounts and the resources that have
been created by those user accounts. For each subscription, there are limits or quotas on the
amount of resources that you can create and use. Organizations can use subscriptions to
manage costs and the resources that are created by users, teams, or projects.
• Management groups: These groups help you manage access, policy, and compliance for
multiple subscriptions. All subscriptions in a management group automatically inherit the
conditions applied to the management group.
Azure subscription
An account can have one subscription or multiple subscriptions that have different billing models
and to which you apply different access-management policies.
There are two types of subscription boundaries that you can use:
• Billing boundary: This subscription type determines how an Azure account is billed
for using Azure. You can create multiple subscriptions for different types of billing
requirements. Azure generates separate billing reports and invoices for each
subscription so that you can organize and manage costs.
• Environments: When managing your resources, you can choose to create subscriptions to
set up separate environments for development and testing, security, or to isolate data for
compliance reasons. This design is particularly useful because resource access control occurs
at the subscription level.
• Billing: You might want to also create additional subscriptions for billing purposes. Because
costs are first aggregated at the subscription level, you might want to create subscriptions to
manage and track costs based on your needs. For instance, you might want to create one
subscription for your production workloads and another subscription for your development
and testing workloads.
• Subscription limits: Subscriptions are bound to some hard limitations. For example, the
maximum number of Azure ExpressRoute circuits per subscription is 10.
• A management group tree can support up to six levels of depth. This limit doesn't include
the root level or the subscription level.
• Each management group and subscription can support only one parent.
• All subscriptions and management groups are within a single hierarchy in each directory.
• A resource group is a logical container for resources deployed on Azure. These resources are
anything you create in an Azure subscription like VMs, Azure Application Gateway instances,
and Azure Cosmos DB instances.
• All resources must be in a resource group, and a resource can only be a member of a single
resource group.
• Many resources can be moved between resource groups with some services having specific
limitations or requirements to move.
• Resource groups can't be nested. Before any resource can be provisioned, you need a
resource group for it to be placed in.
Logical grouping
• Resource groups exist to help manage and organize your Azure resources. By placing
resources of similar usage, type, or location in a resource group, you can provide order and
organization to resources you create in Azure. Logical grouping is the aspect that you're
most interested in here, because there's a lot of disorder among our resources.
The benefits of using Resource Manager
• Manage your infrastructure through declarative templates rather than scripts. A Resource
Manager template is a JSON file that defines what you want to deploy to Azure.
• Deploy, manage, and monitor all the resources for your solution as a group, rather than
handling these resources individually.
• Redeploy your solution throughout the development life cycle and have confidence your
resources are deployed in a consistent state.
• Define the dependencies between resources so they're deployed in the correct order.
• Apply access control to all services because RBAC is natively integrated into the
management platform.
• Apply tags to resources to logically organize all the resources in your subscription.
• Clarify your organization's billing by viewing costs for a group of resources that share the
same tag.
Azure regions
• Different geographical locations around the globe that contain Azure datacenters.
• These specific datacenters aren't exposed to users directly. Instead, Azure organizes them
into regions.
Region: is a geographical area on the planet that contains at least one but potentially multiple
datacenters that are nearby and networked together with a low-latency network.
• Some services or VM features are only available in certain regions, such as specific VM sizes
or storage types.
• There are also some global Azure services that don't require you to select a particular region,
such as Azure Active Directory, Azure Traffic Manager, and Azure DNS.
Azure has specialized regions that you might want to use when you build out your applications for
compliance or legal purposes.
• US DoD Central, US Gov Virginia, US Gov Iowa and more: These regions are physical and
logical network-isolated instances of Azure for U.S. government agencies and partners.
These datacenters are operated by screened U.S. personnel and include additional
compliance certifications.
• China East, China North, and more: These regions are available through a unique
partnership between Microsoft and 21Vianet, whereby Microsoft doesn't directly maintain
the datacenters.
• You want to ensure your services and data are redundant so you can protect your
information in case of failure -> create duplicate hardware environments.
• Azure can help make your app highly available through availability zones.
Availability zones are physically separate datacenters within an Azure region. Each availability zone
is made up of one or more datacenters equipped with independent power, cooling, and networking.
• An availability zone is set up to be an isolation boundary. If one zone goes down, the
other continues working. Availability zones are connected through high-speed,
private fiber-optic networks.
• Availability zones are primarily for VMs, managed disks, load balancers, and SQL databases.
Azure services that support availability zones fall into two categories:
• Zonal services: You pin the resource to a specific zone (for example, VMs, managed disks, IP
addresses).
• Zone-redundant services: The platform replicates automatically across zones (for example,
zone-redundant storage, SQL Database).
• Availability zones are created by using one or more datacenters. There's a minimum of three
zones within a single region. It's possible that a large disaster could cause an outage big
enough to affect even two datacenters. That's why Azure also creates region pairs.
Each Azure region is always paired with another region within the same geography (such as US,
Europe, or Asia) at least 300 miles away. This approach allows for the replication of resources (such
as VM storage) across a geography that helps reduce the likelihood of interruptions because of
events such as natural disasters, civil unrest, power outages, or physical network outages that affect
both regions at once.
The pair of regions is directly connected and far enough apart to be isolated from regional disasters.
• If an extensive Azure outage occurs, one region out of every pair is prioritized to make sure
at least one is restored as quickly as possible for applications hosted in that region pair.
• Planned Azure updates are rolled out to paired regions one region at a time to minimize
downtime and risk of application outage.
• Data continues to reside within the same geography as its pair (except for Brazil South) for
tax- and law-enforcement jurisdiction purposes.
App Service: is an HTTP-based service that enables you to build and host many types of web-based
solutions without managing infrastructure.
Azure Marketplace: is an online store that hosts applications that are certified and optimized to run
in Azure. Many types of applications are available, ranging from AI and machine learning to web
applications.
Azure Cosmos DB
• At the lowest level, Azure Cosmos DB stores data in atom-record-sequence (ARS) format.
• The data is then abstracted and projected as an API, which you specify when you're creating
your database.
• This level of flexibility means that as you migrate your company's databases to Azure
Cosmos DB, your developers can stick with the API that they're the most comfortable with.
Azure SQL Database: is a relational database based on the latest stable version of the Microsoft SQL
Server database engine. SQL Database is a high-performance, reliable, fully managed, and secure
database -> data-driven applications and websites in the programming language of your choice,
without needing to manage infrastructure.
Features:
• Fully managed service->built-in high availability, backups, and other common maintenance
operations.
• It enables you to process both relational data and non-relational structures, such as graphs, JSON, spatial, and XML.
Migration:
• You can migrate your existing SQL Server databases with minimal downtime by using the
Azure Database Migration Service.
• The Microsoft Data Migration Assistant can generate assessment reports that provide
recommendations to help guide you through required changes prior to performing a
migration.
• The Azure Database Migration Service performs all of the required steps. You just change
the connection string in your apps.
Azure SQL Managed Instance: is a scalable cloud data service that provides the broadest SQL Server
database engine compatibility with all the benefits of a fully managed platform as a service.
Features:
• It is a platform as a service (PaaS) database engine, which means that your company
will be able to take advantage of the best features of moving your data to the cloud
in a fully-managed environment.
• Quick provisioning and service scaling features of Azure, together with automated
patching and version upgrades.
• Built-in high availability features and a 99.99% uptime service level agreement.
• Azure SQL Database and Azure SQL Managed Instance offer many of the same features,
Azure SQL Managed Instance provides several options that might not be available to Azure
SQL Database.
• Azure SQL Database only uses the default server collation SQL_Latin1_General_CP1_CI_AS (Cyrillic characters cannot be an option).
Migration:
• Easy migration: on-premises data on SQL Server to the cloud using the Azure Database
Migration Service (DMS) or native backup and restore.
• Assessment: you need to assess which on-premises SQL Server instances you can migrate to
Azure SQL Managed Instance to see if you have any blocking issues.
• Then cutover from your on-premises SQL Server to your Azure SQL Managed Instance by
changing the connection string in your applications.
• It is a relational database service in the cloud, and it's based on the MySQL Community
Edition database engine, versions 5.6, 5.7, and 8.0.
• You can use point-in-time restore to recover a server to an earlier state, as far back as 35 days.
Advantages:
• Automatic backups.
You can migrate your existing MySQL databases with minimal downtime by using the Azure
Database Migration Service.
• It is a relational database service in the cloud. The server software is based on the
community version of the open-source PostgreSQL database engine.
Advantages:
• Simple and flexible pricing. You have predictable performance based on a selected pricing
tier choice that includes software patching, automatic backups, monitoring, and security.
• Scale up or down as needed, within seconds. You can scale compute or storage
independently as needed, to make sure you adapt your service to match usage.
• Enterprise-grade security and compliance to protect sensitive data at rest and in motion.
This security covers data encryption on disk and SSL encryption between client and server
communication.
Single Server
• Azure Synapse Analytics, Azure HDInsight, Azure Databricks and Azure Data Lake Analytics.
Azure Synapse Analytics: is a limitless analytics service that brings together enterprise data
warehousing and big data analytics. You can query data on your terms by using either serverless or
provisioned resources at scale.
Azure HDInsight: is a fully managed, open-source analytics service for enterprises. It's a cloud service
that makes it easier, faster, and more cost-effective to process massive amounts of data. You can
run popular open-source frameworks and create cluster types such as Apache Spark, Apache
Hadoop, Apache Kafka, Apache HBase, Apache Storm, and Machine Learning Services.
Azure Databricks: helps you unlock insights from all your data and build artificial intelligence
solutions. You can set up your Apache Spark environment in minutes, and then autoscale and
collaborate on shared projects in an interactive workspace. Azure Databricks supports Python, Scala,
R, Java, and SQL.
Azure Data Lake Analytics: is an on-demand analytics job service that simplifies big data. Instead of
deploying, configuring, and tuning hardware, you write queries to transform your data and extract
valuable insights. The analytics service can handle jobs of any scale instantly by setting the dial for
how much power you need.
Azure compute
• The service supports Linux, Windows Server, SQL Server, Oracle, IBM, and SAP.
Container Instances and Azure Kubernetes Service are Azure compute resources that you can use to
deploy and manage containers. Containers are lightweight, virtualized application environments.
They're designed to be quickly created, scaled out, and stopped dynamically. You can run multiple
instances of a containerized application on a single host machine.
App Service
With Azure App Service, you can quickly build, deploy, and scale enterprise-grade web, mobile, and
API apps running on any platform. You can meet rigorous performance, scalability, security, and
compliance requirements while using a fully managed platform to perform infrastructure
maintenance. App Service is a platform as a service (PaaS) offering.
Functions
Functions are ideal when you're concerned only about the code running your service and not the
underlying platform or infrastructure. They're commonly used when you need to perform work in
response to an event (often via a REST request), timer, or message from another Azure service, and
when that work can be completed quickly, within seconds or less.
You can run single VMs for testing, development, or minor tasks.
No matter what your uptime requirements are, Azure has several features that can meet them:
• Azure Batch
Virtual machine scale sets let you create and manage a group of identical, load-balanced VMs.
Scale sets allow you to centrally manage, configure, and update a large number of VMs in minutes to
provide highly available applications. The number of VM instances can automatically increase or
decrease in response to demand or a defined schedule. With virtual machine scale sets, you can
build large-scale services for areas such as compute, big data, and container workloads.
Azure Batch
• Azure Batch enables large-scale parallel and high-performance computing (HPC) batch jobs
with the ability to scale to tens, hundreds, or thousands of VMs.
• Batch identifies failures.
• Batch requeues work.
Container
• You can run multiple containers on a single physical or virtual host. Unlike virtual machines,
you don't manage the operating system for a container.
• With containers, you can quickly restart in case of a crash or hardware interruption.
• Containers are managed through a container orchestrator, which can start, stop, and scale
out application instances as needed. There are two ways to manage both Docker and
Microsoft-based containers in Azure: Azure Container Instances and Azure Kubernetes
Service (AKS).
• Azure Container Instances offers the fastest and simplest way to run a container in Azure
without having to manage any virtual machines or adopt any additional services. It's a
platform as a service (PaaS) offering that allows you to upload your containers, which it runs
for you.
• App Service enables you to build and host web apps, background jobs, mobile back-ends,
and RESTful APIs in the programming language of your choice without managing
infrastructure.
• App Service supports Windows and Linux and enables automated deployments from GitHub,
Azure DevOps, or any Git repo to support a continuous deployment model.
• The App Service plan determines how much hardware is devoted to your host. For example,
the plan determines whether it's dedicated or shared hardware and how much memory is
reserved for it. There's even a free tier you can use to host small, low-traffic sites.
Types of app services
• Web apps (ASP.NET, ASP.NET Core, Java, Ruby, Node.js, PHP, and Python).
• API apps (you can build REST-based web APIs by using your choice of language and
framework).
• WebJobs (feature to run a program or script in the same context as a web app, API app, or
mobile app).
• Mobile apps (to quickly build a back end for iOS and Android apps).
App Service handles most of the infrastructure decisions you deal with in hosting web-accessible
apps:
• The built-in load balancing and traffic manager provide high availability.
Serverless computing
Problem: your application spends much of its time waiting for a particular input before it
performs any processing. To reduce your costs, you want to avoid paying for the time that
your application spends waiting for input.
• Abstraction of servers: Serverless computing abstracts the servers you run on. You never
explicitly reserve server instances. The platform manages that for you. Each function
execution can run on a different compute instance. This execution context is transparent to
the code. With serverless architecture, you deploy your code, which then runs with high
availability.
• Event-driven scale: Serverless computing is an excellent fit for workloads that respond to
incoming events. Events include triggers by:
• Timers, for example, if a function needs to run every day at 10:00 AM UTC.
• Micro-billing: With serverless computing, you pay only for the time your code runs. If no
active function executions occur, you're not charged. For example, if the code runs once a
day for two minutes, you're charged for one execution and two minutes of computing time.
• Azure Functions: Functions can execute code in almost any modern language.
• Azure Logic Apps: Logic apps are designed in a web-based designer and can execute logic
triggered by Azure services without writing any code.
Azure Functions
• Only about the code running your service, and not the underlying platform or infrastructure.
• Functions are commonly used when you need to perform work in response to an event,
timer, or message from another Azure service.
• With functions, Azure runs your code when it's triggered and automatically deallocates
resources when the function is finished.
• Functions can be either stateless (they behave as if they're restarted every time they
respond to an event) or stateful (a context is passed through the function to track prior
activity).
• Logic apps are similar to functions. Both enable you to trigger logic based on an event.
• Where functions execute code, logic apps execute workflows that are designed to automate
business scenarios and are built from predefined logic blocks.
• Every Azure logic app workflow starts with a trigger, which fires when a specific event
happens or when newly available data meets specific criteria.
• Each time the trigger fires, the Logic Apps engine creates a logic app instance that runs the
actions in the workflow. The workflows are persisted as a JSON file with a known workflow
schema.
• You can also build custom connectors and workflow steps if the service you need to interact
with isn't covered.
Differences between Functions and Logic Apps
Windows Virtual Desktop
• It enables your users to use a cloud-hosted version of Windows from any location.
• It works with apps that you can use to access remote desktops and apps.
• Windows Virtual Desktop works across devices like Windows, Mac, iOS, Android, and Linux.
Virtual Desktop client: This client could either be a native application on the device or the Windows
Virtual Desktop HTML5 web client.
• User sign-in to Windows Virtual Desktop is fast because user profiles are containerized by
using FSLogix.
• You can enable multifactor authentication to secure user sign-ins. You can also secure access
to data by assigning granular role-based access controls (RBACs) to users.
• Reverse connect technology: no inbound ports are opened to the session host VMs.
• Simplified management: admins can identify issues through a single interface.
• Performance management: options to load balance users across your VM host pools.
Breadth mode: users are allocated sequentially across the host pool. Depth mode: users are
fully allocated to one VM before moving to the next.
• Buy one-year or three-year Azure Reserved Virtual Machine Instances to save you up to 72
percent versus pay-as-you-go pricing.
Azure storage
• It is a service that you can use to store files, messages, tables, and other types of
information.
• Clients such as websites, mobile apps, desktop applications, and many other types of custom
solutions can read data from and write data to Azure Storage.
• Azure Storage is also used by infrastructure as a service virtual machines, and platform as a
service cloud services.
• Disk Storage provides disks for Azure virtual machines, much as they would be provided in
on-premises scenarios.
• Disk Storage allows data to be persistently stored and accessed from an attached virtual
hard disk.
• Disks come in many different sizes and performance levels, from solid-state drives (SSDs) to
traditional spinning hard disk drives (HDDs), with varying performance tiers.
Blob Storage
• Object storage solution for the cloud; it can store massive amounts of data, such as text or
binary data.
• A blob could contain gigabytes of binary data streamed from a scientific instrument, an
encrypted message for another application, or data in a custom format for an app you're
developing.
• It does not require developers to think about or manage disks; data is uploaded as blobs,
and Azure takes care of the physical storage needs.
Ideal for:
• Storing data for backup and restore, disaster recovery, and archiving.
Azure Files
• Offers fully managed file shares in the cloud that are accessible via the industry standard
Server Message Block and Network File System (preview) protocols.
• Applications running in Azure virtual machines or cloud services can mount a file storage
share to access file data.
• Any number of Azure virtual machines or roles can mount and access the file storage share
simultaneously.
• Usage: share files anywhere in the world, diagnostic data, or application data sharing.
• Many on-premises applications use file shares. Azure Files makes it easier to migrate
those applications that share data to Azure. If you mount the Azure file share to the
same drive letter that the on-premises application uses, the part of your application
that accesses the file share should work with minimal, if any, changes.
• Store configuration files on a file share and access them from multiple VMs. Tools
and utilities used by multiple developers in a group can be stored on a file share,
ensuring that everybody can find them, and that they use the same version.
• Write data to a file share, and process or analyze the data later. For example, you
might want to do this with diagnostic logs, metrics, and crash dumps.
Access tiers
• It's helpful to organize your data based on attributes like frequency of access and planned
retention period.
• Azure provides several access tiers, which you can use to balance your storage costs with
your access needs.
• Hot access tier: Optimized for storing data that is accessed frequently (for example,
images for your website).
• Cool access tier: Optimized for data that is infrequently accessed and stored for at
least 30 days (for example, invoices for your customers).
• Archive access tier: Appropriate for data that is rarely accessed and stored for at
least 180 days, with flexible latency requirements (for example, long-term backups).
• Only the hot and cool access tiers can be set at the account level. The archive access tier isn't
available at the account level.
• Hot, cool, and archive tiers can be set at the blob level, during upload or after upload.
• Data in the cool access tier can tolerate slightly lower availability, but still requires high
durability, retrieval latency, and throughput characteristics similar to hot data. For cool data,
a slightly lower availability service-level agreement (SLA) and higher access costs compared
to hot data are acceptable trade-offs for lower storage costs.
• Archive storage stores data offline and offers the lowest storage costs, but also the highest
costs to rehydrate and access data.
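An added Python example (not code from these notes or from Azure) of turning the two attributes discussed above, access frequency and planned retention, into a tier choice while honouring the 30-day and 180-day minimum storage periods. The idle-day thresholds, blob names and dates are constructed values, and the function names are hypothetical:

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Minimum storage periods from the notes above: cool data is stored for at least 30 days,
# archive data for at least 180 days. Moving or deleting a blob before that period ends
# incurs an early-deletion charge, so retention must be weighed alongside access frequency.
MIN_STORAGE_DAYS = {"hot": 0, "cool": 30, "archive": 180}
TIERS = ["hot", "cool", "archive"]  # warmest to coldest


@dataclass
class Blob:
    name: str
    last_access: date
    delete_on: Optional[date] = None  # planned deletion date; None = kept indefinitely


def recommend_tier(blob: Blob, today: date,
                   cool_after_days: int = 30, archive_after_days: int = 180) -> str:
    """Pick a tier from how long the blob has been idle, then step to a warmer tier
    whenever the blob's remaining life is shorter than the colder tier's minimum
    storage period. The idle thresholds are constructed policy values, not Azure defaults."""
    idle_days = (today - blob.last_access).days
    if idle_days >= archive_after_days:
        tier = "archive"
    elif idle_days >= cool_after_days:
        tier = "cool"
    else:
        tier = "hot"
    if blob.delete_on is not None:
        remaining_days = (blob.delete_on - today).days
        idx = TIERS.index(tier)
        # walk back toward hot until the minimum storage period fits the remaining life
        while idx > 0 and remaining_days < MIN_STORAGE_DAYS[TIERS[idx]]:
            idx -= 1
        tier = TIERS[idx]
    return tier


if __name__ == "__main__":
    # Constructed sample blobs evaluated on 2024-01-01.
    today = date(2024, 1, 1)
    for b in (Blob("site-logo.png", date(2023, 12, 20)),
              Blob("invoice-2023-09.pdf", date(2023, 10, 1)),
              Blob("backup-2022.tar", date(2023, 1, 1)),
              Blob("temp-export.csv", date(2023, 1, 1), delete_on=date(2024, 1, 15))):
        print(f"{b.name}: {recommend_tier(b, today)}")
```

The last sample blob has been idle for a year, which on access frequency alone points to archive, but it is scheduled for deletion in two weeks, so the function keeps it hot rather than paying an early-deletion charge on a colder tier.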
Azure virtual networks
Azure virtual networks enable Azure resources, such as VMs, web apps, and databases, to
communicate with each other, with users on the internet, and with your on-premises client
computers.
Key capabilities
• When you set up a virtual network, you define a private IP address space by using
either public or private IP address ranges.
Internet communications:
• A VM in Azure can connect to the internet by default. You can enable incoming
connections from the internet by defining a public IP address or a public load
balancer.
• Virtual networks: Virtual networks can connect not only VMs but other Azure
resources.
• Service endpoints: use service endpoints to connect to other Azure resource types
(Azure SQL databases and storage accounts).
• Point-to-site virtual private networks: In this case, the client computer initiates an
encrypted VPN connection to Azure to connect that computer to the Azure virtual
network.
• Site-to-site virtual private networks: A site-to-site VPN links your on-premises VPN
device or gateway to the Azure VPN gateway in a virtual network (the connection is
encrypted).
• Route tables: allow you to define rules about how traffic should be directed. You
can create custom route tables.
• Border Gateway Protocol: Border Gateway Protocol (BGP) works with Azure VPN
gateways or ExpressRoute to propagate on-premises BGP routes to Azure virtual
networks.
• Network security groups: an Azure resource that can contain multiple inbound
and outbound security rules (source and destination IP address, port, and protocol).
Further settings:
• Address spaces: You can add additional address spaces to the initial definition.
Virtual networks are powerful and highly configurable mechanisms for connecting entities in Azure.
You can connect Azure resources to one another or to resources you have on-premises. You can
isolate, filter, and route your network traffic. Azure allows you to increase security where you feel
you need it.
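The rule evaluation of a network security group described above, as an added Python example (not code from these notes or from Azure): rules are processed in priority order, the first rule whose source, destination, port and protocol match decides, and the built-in DenyAllInBound rule at priority 65500 catches anything left over. The rule names and addresses are constructed, and only that one default rule is reproduced; the real NSG also carries AllowVNetInBound and AllowAzureLoadBalancerInBound ahead of it.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Constructed model of how an Azure NSG evaluates inbound traffic: lowest priority
# number first, first match wins, DenyAllInBound (65500) as the final catch-all.


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # custom rules use 100-4096; built-in defaults sit at 65000+
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp", "Icmp" or "*"
    source: str        # CIDR prefix or "*"
    destination: str   # CIDR prefix or "*"
    dest_port: str     # "22", "1024-65535" or "*"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    protocol: str


# Only the final default rule is reproduced in this example.
DENY_ALL_INBOUND = Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*", "*")


def _prefix_match(addr: str, spec: str) -> bool:
    if spec == "*":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def _port_match(port: int, spec: str) -> bool:
    if spec == "*":
        return True
    low, _, high = spec.partition("-")      # "22" or "1024-65535"
    return int(low) <= port <= int(high or low)


def _protocol_match(protocol: str, spec: str) -> bool:
    return spec == "*" or spec.lower() == protocol.lower()


def validate_rules(rules: List[Rule]) -> None:
    """Azure rejects two rules with the same priority inside one NSG; fail early."""
    seen = {}
    for r in rules:
        if r.priority in seen:
            raise ValueError(f"priority {r.priority} used by both {seen[r.priority]} and {r.name}")
        seen[r.priority] = r.name


def evaluate_inbound(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Return (access, rule name) of the first matching rule in priority order."""
    validate_rules(rules)
    for rule in sorted(rules + [DENY_ALL_INBOUND], key=lambda r: r.priority):
        if (_protocol_match(pkt.protocol, rule.protocol)
                and _prefix_match(pkt.src_ip, rule.source)
                and _prefix_match(pkt.dst_ip, rule.destination)
                and _port_match(pkt.dst_port, rule.dest_port)):
            return rule.access, rule.name
    raise AssertionError("unreachable: DenyAllInBound matches every packet")


# Constructed rule set with hypothetical names and addresses.
SAMPLE_RULES = [
    Rule("allow-ssh-corp", 100, "Allow", "Tcp", "10.0.0.0/8", "*", "22"),
    Rule("deny-ssh-internet", 200, "Deny", "Tcp", "*", "*", "22"),
    Rule("allow-https", 300, "Allow", "Tcp", "*", "10.0.1.0/24", "443"),
]

if __name__ == "__main__":
    for p in (Packet("10.4.5.6", "10.0.1.10", 22, "Tcp"),
              Packet("203.0.113.7", "10.0.1.10", 22, "Tcp"),
              Packet("203.0.113.7", "10.0.1.10", 443, "Tcp"),
              Packet("203.0.113.7", "10.0.1.10", 8080, "Tcp")):
        print(p.src_ip, "->", p.dst_ip, p.dst_port, evaluate_inbound(SAMPLE_RULES, p))
```

Because the winning rule's name is returned, the same function doubles as a quick check for shadowed rules: if a broad Allow at a low priority number keeps winning for traffic you expected a later Deny to stop, the priorities need reordering.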
VPN
A virtual private network (VPN) is a type of private interconnected network. VPNs use an encrypted
tunnel within another network. They're typically deployed to connect two or more trusted private
networks to one another over an untrusted network (typically the public internet). Traffic is
encrypted while traveling over the untrusted network to prevent eavesdropping or other attacks.
VPN gateways
• You can deploy only one VPN gateway in each virtual network.
Policy-based VPNs
Policy-based VPN gateways statically specify the IP addresses of packets that should be encrypted
through each tunnel.
• Policy-based VPNs must be used in specific scenarios that require them, such as for
compatibility with legacy on-premises VPN devices.
Route-based VPNs
With route-based gateways, IPSec tunnels are modeled as a network interface or virtual tunnel
interface.
IP routing decides which one of these tunnel interfaces to use when sending each packet.
Use a route-based VPN gateway if you need any of the following types of connectivity:
• Point-to-site connections
• Multisite connections
Route-based gateways also:
• Support IKEv2.
• Can use dynamic routing protocols, where routing/forwarding tables direct traffic to
different IPSec tunnels.
In this case, the source and destination networks aren't statically defined as they are in policy-based
VPNs or even in route-based VPNs with static routing.
Data packets are encrypted based on network routing tables that are created dynamically using
routing protocols such as Border Gateway Protocol (BGP).
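An added Python illustration of the policy-based versus route-based distinction just described (not part of the original notes and not Azure's own logic): the policy-based gateway matches packets against a static list of traffic selectors, whereas the route-based gateway treats each IPsec tunnel as an interface and lets longest-prefix-match routing, including routes installed later by a dynamic protocol, choose the tunnel. The prefixes, tunnel names and the later-learned route are constructed.

```python
import ipaddress
from typing import List, Optional, Tuple

# Policy-based gateway: a static list of traffic selectors. Each selector names a
# local prefix, a remote prefix and the tunnel that encrypts traffic between them.
Selector = Tuple[str, str, str]  # (local_prefix, remote_prefix, tunnel_name)


def policy_based_select(selectors: List[Selector], src_ip: str, dst_ip: str) -> Optional[str]:
    """Return the tunnel whose static selector covers (src, dst), or None when no
    selector matches, in which case the packet is not sent through any tunnel."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for local, remote, tunnel in selectors:
        if src in ipaddress.ip_network(local) and dst in ipaddress.ip_network(remote):
            return tunnel
    return None


# Route-based gateway: each IPsec tunnel is a virtual tunnel interface, and the
# ordinary routing table decides which interface forwards a packet.
class RouteTable:
    def __init__(self) -> None:
        self.routes: List[Tuple[ipaddress.IPv4Network, str]] = []

    def add_route(self, prefix: str, interface: str) -> None:
        """Install a route. Static routes and routes learned dynamically (for example
        via BGP) take the same path, so no tunnel selector has to be edited."""
        self.routes.append((ipaddress.ip_network(prefix), interface))

    def lookup(self, dst_ip: str) -> Optional[str]:
        """Longest-prefix match: the most specific route decides the tunnel interface."""
        dst = ipaddress.ip_address(dst_ip)
        best: Optional[Tuple[ipaddress.IPv4Network, str]] = None
        for net, iface in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best[1] if best else None


def build_sample_table() -> RouteTable:
    """Constructed routing table: a static route to HQ and a more specific one to a branch."""
    table = RouteTable()
    table.add_route("192.168.0.0/16", "vti-hq")
    table.add_route("192.168.5.0/24", "vti-branch")
    return table


# Constructed policy-based selector: only one local/remote pair is encrypted.
SAMPLE_SELECTORS: List[Selector] = [("10.0.0.0/16", "192.168.0.0/24", "tunnel-hq")]

if __name__ == "__main__":
    print(policy_based_select(SAMPLE_SELECTORS, "10.0.1.5", "192.168.0.10"))  # tunnel-hq
    print(policy_based_select(SAMPLE_SELECTORS, "10.0.1.5", "192.168.5.10"))  # None
    table = build_sample_table()
    print(table.lookup("192.168.5.10"))            # vti-branch
    table.add_route("172.16.0.0/12", "vti-hq")    # route learned later, e.g. via BGP
    print(table.lookup("172.16.3.3"))              # vti-hq
```

The second policy-based lookup returns None because no selector covers that remote subnet; on the route-based side the same destination is handled by the more specific branch route, and a prefix learned later reaches HQ without any selector being touched, which is the operational reason the notes recommend route-based gateways for multisite and dynamic-routing setups.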
Required Azure resources:
• Virtual network: Deploy a virtual network with enough address space for the additional
subnet that you'll need for the VPN gateway.
• Public IP address: This address provides a public-routable IP address as the target for your
on-premises VPN device.
• Local network gateway: Create a local network gateway to define the on-premises
network's configuration, such as where the VPN gateway will connect and what it will
connect to. It includes the on-premises VPN device's public IPv4 address and the on-premises
routable networks.
• Virtual network gateway: to route traffic between the virtual network and the on-premises
datacenter or other virtual networks.
• Connection: to create a logical connection between the VPN gateway and the local network
gateway.
ExpressRoute
• Layer 3 connectivity between your on-premises network and the Microsoft Cloud through a
connectivity provider. Connectivity can be from an any-to-any (IPVPN) network, a point-to-
point Ethernet connection, or through a virtual cross-connection via an Ethernet exchange.
• Connectivity to Microsoft cloud services across all regions in the geopolitical region.
• Global connectivity to Microsoft services across all regions with the ExpressRoute premium
add-on.
• Each connectivity provider uses redundant devices to ensure that connections established
with Microsoft are highly available.
• You can enable ExpressRoute Global Reach to exchange data across your on-premises sites
by connecting your ExpressRoute circuits.
• ExpressRoute uses the Border Gateway Protocol (BGP) routing protocol. BGP is used to
exchange routes between on-premises networks and resources running in Azure. This
protocol enables dynamic routing between your on-premises network and services running
in the Microsoft cloud.
• Any-to-any networks: you can integrate your wide area network (WAN) with Azure by
providing connections to your offices and datacenters. With any-to-any connections, all
WAN providers offer Layer 3 connectivity.
• Security considerations: With ExpressRoute, your data doesn't travel over the public
internet, so it's not exposed to the potential risks associated with internet communications.
ExpressRoute is a private connection from your on-premises infrastructure to your Azure
infrastructure. Even if you have an ExpressRoute connection, DNS queries, certificate
revocation list checking, and Azure Content Delivery Network requests are still sent over the
public internet.
ExpressRoute connectivity models:
• CloudExchange colocation
• Any-to-any connection
Artificial Intelligence
• It is a category of computing that adapts and improves its decision-making ability over time
based on its successes and failures.
• Goal: create a software system that can adapt, or learn something on its own, without being
explicitly programmed to do it.
• Deep learning system: modeled on the neural network of the human mind, enabling it to
discover, learn, and grow through experience.
• Machine learning: uses existing data to train a model, test it, and then apply the model to
new data to forecast future behaviors, outcomes, and trends.
• Virtually every device or software system that collects textual, visual, and audio data could
feed a machine learning model that makes that device or software system smarter about
how it functions in the future.
• Tools and services allow you to connect to data to train and test models.
• After experimenting, you can deploy the model and use it in real time via a web API endpoint.
• Create a process that defines how to obtain data, how to handle missing or bad data, how to
split the data into either a training set or test set, and deliver the data to the training
process.
• Train and evaluate predictive models by using tools and programming languages familiar to
data scientists.
• Create pipelines that define where and when to run the compute-intensive experiments that
are required to score the algorithms based on the training and test data.
• Azure Cognitive Services: provides prebuilt machine learning models that enable applications
to see, hear, speak, understand, and even begin to reason.
• Usage: solving general problems, such as analyzing text for emotional sentiment or analyzing
images to recognize objects or faces.
• Developers access Azure Cognitive Services via APIs (these features can be built in just a few
lines of code).
• Azure Machine Learning: requires you to bring your own data and train models over that
data.
• Language services: Allow your apps to process natural language with prebuilt scripts,
evaluate sentiment, and learn how to recognize what users want.
• Speech services: Convert speech into text and text into natural-sounding speech. Translate
from one language to another and enable speaker verification and recognition.
• Vision services: Add recognition and identification capabilities when you're analyzing
pictures, videos, and other visual content.
• Decision services: Add personalized recommendations for each user that automatically
improve each time they're used, moderate content to monitor and remove offensive or risky
content, and detect abnormalities in your time series data.
• Azure Bot Service, Bot Framework: are platforms for creating virtual agents that understand
and reply to questions just like a human.
• Tasks of bots: shift simple, repetitive tasks, such as taking a dinner reservation or gathering
profile information, onto automated systems.
• Users converse with a bot by using text, interactive cards, and speech.
Decision criteria
Are you building a virtual agent that interfaces with humans via natural language?
• Azure Bot Service integrates knowledge sources, natural language processing, and
form factors to allow interaction across different channels.
• Bot Service solutions usually rely on other AI services for such things as natural
language understanding or even translation.
• Integration of Power Virtual Agents and Microsoft Power Platform: you can use
hundreds of prebuilt connectors for data input.
Do you need a service that can understand the content and meaning of images, video, or audio, or
that can translate text into a different language?
• Azure Cognitive Services are general purpose, meaning that many different kinds of
customers can benefit from the work that Microsoft has already done to train and
test these models and offer them inexpensively at scale.
Do you need to predict user behavior or provide users with personalized recommendations in your
app?
Will your app predict future outcomes based on private historical data?
• Azure Machine Learning: when you need to analyze data to predict future outcomes.
Do you need to build a model by using your own data or perform a different task than those listed
above?
• Azure Machine Learning: Data scientists and AI engineers can use the tools they're
familiar with and the data you provide to develop deep learning and machine
learning models that are tuned for your particular requirements.
Product options
• Software developers and operations professionals strive to create working software systems
that satisfy the needs of the organization.
• DevOps is a new approach that helps to align technical teams as they work toward common
goals.
• Aim: to expedite the release of software changes, ensure the ongoing deployability of the
system, and ensure that all changes meet a high-quality bar.
• DevOps practices and processes touch nearly every aspect of the company, not to mention
the software development lifecycle, including planning, project management, and the
collaboration of software developers with each other and with operations and quality
assurance teams.
Azure DevOps Services: is a suite of services that address every stage of the software development
lifecycle.
• Azure Boards is an agile project management suite that includes Kanban boards,
reporting, and tracking ideas and work from high-level epics to work items and
issues.
• Azure Test Plans is an automated test tool that can be used in a CI/CD pipeline to
ensure quality before a software release.
Product options
GitHub and GitHub Actions: GitHub is the world's most popular code repository for open-source
software. Git is a decentralized source-code management tool; GitHub is a hosted version of Git that
serves as the primary remote.
GitHub Actions enables workflow automation with triggers for many lifecycle events. One such
example would be automating a CI/CD toolchain.
GitHub
Toolchain: a combination of software tools that aid in the delivery, development, and
management of software applications throughout a system's development lifecycle.
• The output of one tool in the toolchain is the input of the next tool in the toolchain.
• Tool functions: automated dependency updates, building and configuring the software,
delivering the build artifacts to various locations, testing.
Azure DevTest Labs: provides an automated means of managing the process of building, setting up,
and tearing down virtual machines (VMs) that contain builds of your software projects, so developers
and testers can perform tests across a variety of environments and builds.
• Provisioning pre-created lab environments with their required configurations and tools
already installed is a huge time saver for quality assurance professionals and developers.
• For example, after the testing is complete, DevTest Labs can shut down and deprovision the
VM, which saves money when it's not in use.
Decision criteria
• With Azure DevTest Labs, you can automate the provisioning of new labs as part of a toolchain by
using Azure Pipelines or GitHub Actions.
• Although Azure DevOps can host public code repositories, GitHub has long been the preferred host
for open-source software.
Regarding source-code management and DevOps tools, what level of granularity do you need for
permissions?
• GitHub works on a simple model of read/write permissions to every feature, whereas Azure DevOps
has a much more granular set of permissions.
Regarding source-code management and DevOps tools, how sophisticated does your project
management and reporting need to be?
• Azure DevOps is highly customizable, which allows an administrator to add custom fields to
capture metadata and other information alongside each work item. GitHub Issues uses
tags as its primary means of helping a team categorize issues.
Regarding source-code management and DevOps tools, how tightly do you need to integrate with
third-party tools?
• It's likely that most vendors that create DevOps tools create hooks or APIs that can be used
by both Azure Pipelines and GitHub Actions. Even so, it's probably worth the effort to
validate that assumption.
Azure Advisor
Azure Advisor evaluates your Azure resources and makes recommendations to help improve
reliability, security, and performance, achieve operational excellence, and reduce costs. The
recommendation service includes suggested actions.
• Security: Used to detect threats and vulnerabilities that might lead to security
breaches.
Azure Monitor
Azure Monitor is a platform for collecting, analyzing, visualizing, and potentially taking action based
on the metric and logging data from your entire Azure and on-premises environment.
Some popular products, such as Azure Application Insights, a service for sending telemetry
information from application source code to Azure, use Azure Monitor under the hood.
Azure Service Health provides a personalized view of the health of the Azure services, regions, and
resources you rely on. It displays both major and smaller, localized issues that affect you. You can set
up alerts that help you triage outages and planned maintenance.
• Planned maintenance events can affect your availability. In the rare case that a reboot is
required, Service Health allows you to choose when to perform the maintenance to
minimize the downtime.
• Health advisories are issues that require you to act to avoid service interruption, including
service retirements and breaking changes. Health advisories are announced far in advance to
allow you to plan.
Decision criteria
Do you need to analyze how you're using Azure to reduce costs? Improve resilience? Harden your
security?
• Azure Advisor analyzes the configuration and usage of your resources and provides
suggestions on how to optimize for reliability, security, performance, costs, and operations
based on experts' best practices.
• If you want to keep tabs on Azure itself, choose Azure Service Health. If you
want to keep track of the performance or issues related to your specific VM or container
instances, databases, your applications, and so on, visit Azure Monitor and
create reports and notifications to help you understand how your services are performing or
diagnose issues related to your Azure usage.
• Use Azure Monitor when you want to measure custom events alongside other collected
telemetry data. Custom events, such as those added in the source code of your software
applications, could help identify and diagnose why your application is behaving a certain
way.
Do you need to set up alerts for outages or when autoscaling is about to deploy new instances?
• Azure Monitor
Management tools
• Visual tools: provide full, visually friendly access to all the functionality of Azure.
• Code-based tools: let you quickly set up and configure Azure resources. The code that performs
setup and configuration can be stored, versioned, and maintained along with application
source code in a source-code management tool such as Git. Managing hardware and cloud
resources with the same practices developers use when they write application code is referred to as
infrastructure as code.
• Imperative code: details each individual step that should be performed to achieve a desired
outcome.
• Declarative code: details only a desired outcome, and it allows an interpreter to decide how
to best achieve that outcome (deploying dozens or hundreds of resources simultaneously
and reliably).
The Azure mobile app: provides iOS and Android access to your Azure resources when you're away
from your computer.
• Check for alerts, quickly diagnose and fix issues, and restart a web app or virtual
machine.
• Run the Azure CLI or Azure PowerShell commands to manage your Azure resources.
Azure PowerShell: a shell that can execute commands called cmdlets. These commands call the Azure
REST API to perform every possible management task in Azure.
Cmdlets can be executed independently or combined into a script file and executed together to
orchestrate:
• ARM templates: you can describe the resources you want to use in a declarative JSON
format. The benefit is that the entire ARM template is verified before any code is executed
to ensure that the resources will be created and connected correctly. The template then
orchestrates the creation of those resources in parallel.
Decision criteria
Use either Azure PowerShell or the Azure CLI if you need to quickly obtain the IP address of a virtual
machine (VM) you've deployed, reboot a VM, or scale an app. You might want to keep custom
scripts handy on your local hard drive for certain operations that you perform occasionally. ARM
templates aren't intended for one-off scenarios, but ARM templates can include PowerShell or Azure CLI
scripts.
You could perform most, if not all, management and administrative actions via the Azure portal.
Azure mobile app is the best choice when a laptop isn't readily available and you need to view and
triage issues immediately.
Do you need a way to repeatedly set up one or more resources and ensure that all the
dependencies are created in the proper order?
ARM templates: a validation step ensures that all resources can be created, and the resources
are then created in the proper order based on dependencies, in parallel, and idempotently.
It's entirely possible to use either PowerShell or the Azure CLI to set up all the resources for a
deployment, but there is no validation step in these tools.
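An added Python example, not code from these notes or from Azure Resource Manager, of what the validation step and dependency ordering described above amount to for a declarative template. The template is a constructed, simplified ARM-style JSON document (real templates express dependsOn with resourceId() expressions rather than bare names), and validate, deployment_waves and plan are hypothetical function names:

```python
import json
from typing import Dict, List, Set, Tuple

# Constructed, simplified ARM-style template: a VM that needs a NIC, which in turn
# needs a virtual network, a network security group and a public IP address.
SAMPLE_TEMPLATE = json.loads("""
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {"type": "Microsoft.Network/virtualNetworks",       "name": "vnet", "dependsOn": []},
    {"type": "Microsoft.Network/networkSecurityGroups", "name": "nsg",  "dependsOn": []},
    {"type": "Microsoft.Network/publicIPAddresses",     "name": "pip",  "dependsOn": []},
    {"type": "Microsoft.Network/networkInterfaces",     "name": "nic",  "dependsOn": ["vnet", "nsg", "pip"]},
    {"type": "Microsoft.Compute/virtualMachines",       "name": "vm",   "dependsOn": ["nic"]}
  ]
}
""")


def deployment_waves(template: dict) -> List[List[str]]:
    """Kahn's algorithm over the dependsOn graph. Each wave holds resources whose
    dependencies are all satisfied, so everything in one wave can be created in parallel."""
    pending: Dict[str, Set[str]] = {r["name"]: set(r.get("dependsOn", []))
                                    for r in template["resources"]}
    waves: List[List[str]] = []
    while pending:
        ready = sorted(name for name, deps in pending.items() if not deps)
        if not ready:
            raise ValueError("dependency cycle among: " + ", ".join(sorted(pending)))
        waves.append(ready)
        for name in ready:
            del pending[name]
        for deps in pending.values():
            deps.difference_update(ready)
    return waves


def validate(template: dict) -> None:
    """The up-front check: duplicate names, unknown dependencies and cycles are
    rejected before a single resource is touched."""
    names = [r["name"] for r in template["resources"]]
    if len(names) != len(set(names)):
        raise ValueError("duplicate resource names")
    for r in template["resources"]:
        for dep in r.get("dependsOn", []):
            if dep not in names:
                raise ValueError(f"{r['name']} depends on unknown resource {dep!r}")
    deployment_waves(template)  # raises on cycles


def plan(template: dict, existing: Set[str]) -> List[List[Tuple[str, str]]]:
    """Idempotent plan: resources that already exist are updated in place instead of
    being created twice, so re-running the same template yields the same end state."""
    validate(template)
    return [[(name, "update" if name in existing else "create") for name in wave]
            for wave in deployment_waves(template)]


if __name__ == "__main__":
    # Constructed scenario: the virtual network was created by an earlier run.
    for i, wave in enumerate(plan(SAMPLE_TEMPLATE, existing={"vnet"}), start=1):
        print(f"wave {i}:", wave)
```

The imperative alternative described in the notes, a script that issues the same five create commands one after another, has neither the cycle check nor the parallel waves: a typo in a dependency name is only discovered when the affected command fails part-way through the run.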
When you're scripting, do you come from a Windows administration or Linux administration
background?
Azure Functions
• With Azure Functions, you can host a single method or function by using a popular programming
language in the cloud that runs in response to an event. An example of an event might be an
HTTP request, a new message on a queue, or a message on a timer.
• Azure Functions scales automatically, and charges accrue only when a function is triggered.
These qualities make Azure Functions a solid choice when demand is variable.
• An Azure function is a stateless environment. A function behaves as if it's restarted every
time it responds to an event (ideal for processing incoming data).
• Azure Functions can perform orchestration tasks by using an extension called Durable
Functions.
• Ideal when you're concerned only with the code that's running your service and not
the underlying platform or infrastructure, and when you need to perform work in response to an
event.
IoT
IoT enables devices to gather and then relay information for data analysis.
• Flow, level, and pressure sensors for measuring gasses and liquids
By using Azure IoT services, devices that are equipped with these kinds of sensors and that can
connect to the internet could send their sensor readings to a specific endpoint in Azure via a
message. The message's data is then collected and aggregated, and it can be converted into reports
and alerts.
The data that's collected from these devices could be combined with Azure AI services to help you
predict:
• When inventories will need to be replenished and new product ordered from vendors.
Azure IoT Hub: a managed service that's hosted in the cloud and that acts as a central message
hub for bi-directional communication between your IoT application and the devices it manages. Use it
to build IoT solutions with reliable and secure communications between millions of IoT devices and a
cloud-hosted solution back end.
• The IoT Hub service supports communications both from the device to the cloud and from
the cloud to the device. It also supports multiple messaging patterns, such as device-to-
cloud telemetry, file upload from devices, and request-reply methods to control your
devices from the cloud.
• You can have either manual or automated remote control of connected devices.
Azure IoT Central: builds on top of IoT Hub by adding a dashboard that allows you to connect,
monitor, and manage your IoT devices.
• Through its visual user interface you can set up alerts that send notifications when a
specific device needs maintenance, and you can push firmware updates to the device.
• With IoT Central, you can tailor the starter templates for the specific data that's sent from
your devices, the reports you want to see, and the alerts you want to send.
• You can use the UI to control your devices remotely, for example to adjust a device's desired
temperature.
• Device templates: you can connect a device without any service-side coding; IoT Central uses
the templates to construct the dashboards, alerts, and so on.
• Device developers still need to create code to run on the devices, and that code must match
the device template specification.
Azure Sphere
Azure Sphere creates an end-to-end, highly secure IoT solution for customers that encompasses
everything from the hardware and operating system on the device to the secure method of sending
messages from the device to the message hub.
• Azure Sphere has built-in communication and security features for internet-connected
devices. It has three parts:
• Azure Sphere MCU: responsible for processing the operating system and signals from
attached sensors.
• A customized Linux operating system: handles communication with the security service and
can run the vendor's software.
• Azure Sphere Security Service (AS3): its job is to make sure that the device has not been
maliciously compromised. Before a device can talk to Azure, AS3 authenticates it with a
certificate and checks that it hasn't been tampered with; AS3 also delivers operating system
and application updates to the device.
Security
Azure Security Center (now called Microsoft Defender for Cloud) is a monitoring service that
provides visibility of your security posture across all of your services, both on Azure and
on-premises.
Security posture: cybersecurity policies and controls, as well as how well you can predict, prevent,
and respond to security threats.
Functions:
• Automatically apply required security settings to new resources as they come online;
• Provide security recommendations that are based on your current configurations, resources,
and networks;
• Use machine learning to detect and block malware from being installed on your virtual
machines (VMs) and other resources. You can also use adaptive application controls to
define rules that list allowed applications to ensure that only applications you allow can run.
• Detect and analyze potential inbound attacks and investigate threats and any post-breach
activity that might have occurred;
• Provide just-in-time access control for network ports. Doing so reduces your attack surface
by ensuring that the network only allows traffic that you require at the time that you need it
to.
• Improve your security posture by providing discoverability, visibility, guidance, and control;
Threat protection features
• Just-in-time VM access: This access blocks traffic by default to specific network ports of
virtual machines, but allows traffic for a specified time when an administrator requests and
approves it.
• Adaptive application controls: control which applications are allowed to run on your virtual
machines by using an allowlist (with exception rules).
• Adaptive network hardening: Security Center can monitor the internet traffic patterns of
the VMs and compare those patterns with the company's current network security group
(NSG) settings.
• File integrity monitoring: monitor changes to important files on both Windows and Linux,
registry settings, applications, and other aspects that might indicate a security attack.
Security Center gives a centralized view of all security alerts. The company can dismiss false
alerts, investigate them further, remediate alerts manually, or use an automated response with
workflow automation.
• Workflow automation uses Azure Logic Apps and Security Center connectors. The logic app
can be triggered by a threat detection alert or by a Security Center recommendation, filtered
by name or by severity.
Azure Sentinel (now Microsoft Sentinel)
Security management on a large scale can benefit from a dedicated security information and event
management (SIEM) system. A SIEM system aggregates security data from many different sources.
Azure Sentinel is Microsoft's cloud-based SIEM system.
Capabilities:
Azure Sentinel supports a number of data sources, which it can analyze for security events. These
connections are handled by built-in connectors or industry-standard log formats and APIs.
• Connect Microsoft solutions: for example, Azure Active Directory or Windows Defender Firewall.
• Connect other services and solutions: AWS CloudTrail, Citrix Analytics (Security), Sophos XG
Firewall, VMware Carbon Black Cloud.
• Connect industry-standard data sources: Azure Sentinel supports data from other sources
that use the Common Event Format (CEF) messaging standard, Syslog, or REST API.
Detect threats
Built-in analytics use templates designed by Microsoft's team of security experts and analysts,
based on known threats, common attack vectors, and escalation chains for suspicious activity.
These templates can be customized.
Custom analytics: are rules that you create to search for specific criteria within your environment.
You can preview the number of results that the query would generate (based on past log events) and
set a schedule for the query to run. You can also set an alert threshold.
Respond to threats: a playbook (an Azure Logic App triggered by an alert) can automate the
response, for example by offering the admin a choice. When an admin chooses Block, the IP address
is blocked in the firewall and the user is disabled in Azure Active Directory. When an admin
chooses Ignore, the alert is closed in Azure Sentinel and the incident is closed in the IT
ticketing system.
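The custom analytics rule described above, written out as an added example (not Sentinel's own code and not from the original notes): a scheduled rule that counts failed sign-ins per user and source IP inside a look-back window and raises an alert once a threshold is reached. In Sentinel the same logic would be a KQL query over the SigninLogs table (failures have a non-zero ResultType) run on a schedule with an alert threshold; here it is written in Python so it runs offline. The log lines, user names and IP addresses are constructed.

```python
"""Scheduled analytics rule, simulated: flag a (user, source IP) pair that
produces too many failed sign-ins inside a look-back window.

Added example, not Sentinel's own code. The log lines are constructed and
only mimic the fields a SigninLogs row carries (TimeGenerated,
UserPrincipalName, IPAddress, ResultType); ResultType "0" is a success.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sign-in events in JSON-lines form (not real telemetry).
SAMPLE_LOGS = """
{"TimeGenerated": "2024-05-01T11:30:00Z", "UserPrincipalName": "alice@contoso.com", "IPAddress": "203.0.113.9", "ResultType": "50126"}
{"TimeGenerated": "2024-05-01T11:50:00Z", "UserPrincipalName": "alice@contoso.com", "IPAddress": "203.0.113.9", "ResultType": "50126"}
{"TimeGenerated": "2024-05-01T11:51:00Z", "UserPrincipalName": "alice@contoso.com", "IPAddress": "203.0.113.9", "ResultType": "50126"}
{"TimeGenerated": "2024-05-01T11:52:00Z", "UserPrincipalName": "alice@contoso.com", "IPAddress": "203.0.113.9", "ResultType": "50126"}
{"TimeGenerated": "2024-05-01T11:52:30Z", "UserPrincipalName": "bob@contoso.com", "IPAddress": "198.51.100.4", "ResultType": "50126"}
{"TimeGenerated": "2024-05-01T11:53:00Z", "UserPrincipalName": "alice@contoso.com", "IPAddress": "203.0.113.9", "ResultType": "50126"}
{"TimeGenerated": "2024-05-01T11:53:30Z", "UserPrincipalName": "bob@contoso.com", "IPAddress": "198.51.100.4", "ResultType": "50126"}
{"TimeGenerated": "2024-05-01T11:54:00Z", "UserPrincipalName": "alice@contoso.com", "IPAddress": "203.0.113.9", "ResultType": "50126"}
{"TimeGenerated": "2024-05-01T11:55:00Z", "UserPrincipalName": "alice@contoso.com", "IPAddress": "203.0.113.9", "ResultType": "50126"}
{"TimeGenerated": "2024-05-01T11:56:00Z", "UserPrincipalName": "alice@contoso.com", "IPAddress": "203.0.113.9", "ResultType": "0"}
"""

# The moment the scheduled run fires (constructed, so results are reproducible).
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)


def parse_logs(text: str) -> list:
    """Turn JSON lines into event dicts with a timezone-aware TimeGenerated."""
    events = []
    for line in text.strip().splitlines():
        event = json.loads(line)
        event["TimeGenerated"] = datetime.fromisoformat(event["TimeGenerated"].replace("Z", "+00:00"))
        events.append(event)
    return events


def run_rule(events, now, lookback_minutes=15, threshold=5) -> list:
    """One alert per (user, ip) whose failed sign-ins in the window reach the threshold."""
    window_start = now - timedelta(minutes=lookback_minutes)
    failures = defaultdict(list)
    for event in events:
        if event["ResultType"] == "0":           # successful sign-in: not counted
            continue
        if not (window_start <= event["TimeGenerated"] <= now):
            continue                              # outside the scheduled query window
        failures[(event["UserPrincipalName"], event["IPAddress"])].append(event["TimeGenerated"])

    alerts = []
    for (user, ip), times in sorted(failures.items()):
        if len(times) >= threshold:
            alerts.append({
                "user": user,
                "ip": ip,
                "count": len(times),
                "first_seen": min(times).isoformat(),
                "last_seen": max(times).isoformat(),
                # Severity is a rule-author choice; this mapping is an assumption for the demo.
                "severity": "High" if len(times) >= 2 * threshold else "Medium",
            })
    return alerts


def preview_count(events, now, **kwargs) -> int:
    """Mirror the rule editor's preview: how many alerts past data would have produced."""
    return len(run_rule(events, now, **kwargs))


if __name__ == "__main__":
    for alert in run_rule(parse_logs(SAMPLE_LOGS), NOW):
        print(json.dumps(alert))
```

With the constructed data only alice's burst of six failures inside the 15-minute window trips the default threshold of 5; her earlier failure at 11:30 falls outside the window and bob's two failures stay below the threshold. Lowering the threshold to 2 in the preview shows both pairs would alert, which is the kind of tuning the result preview is for.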
Azure Key Vault is a centralized cloud service for storing an application's secrets in a single,
central location. It provides secure access to sensitive information through access control and
logging capabilities.
• Manage secrets, cryptographic keys, and certificates
Why a dedicated host:
• On Azure, virtual machines (VMs) run on shared hardware that Microsoft manages. Although
the underlying hardware is shared, your VM workloads are isolated from workloads that
other Azure customers run.
• Some organizations must follow regulatory compliance that requires them to be the only
customer using the physical machine that hosts their virtual machines.
Azure Dedicated Host provides dedicated physical servers to host your Azure VMs for Windows and
Linux.
Benefits:
• Gives you visibility into, and control over, the server infrastructure that's running your Azure
VMs.
• Helps address compliance requirements by deploying your workloads on an isolated server.
• Lets you choose the number of processors, server capabilities, VM series, and VM sizes
within the same host.
• After a dedicated host is provisioned, Azure assigns it to the physical server in Microsoft's
cloud datacenter.
• You can provision multiple hosts in a host group and deploy your virtual machines across this
group. Dedicated hosts also let you control when regular maintenance updates occur, within a
35-day rolling window.
You're charged per dedicated host, independent of how many virtual machines you deploy to it. The
host price is based on the VM family, type (hardware size), and region.
Software licensing, storage, and network usage are billed separately from the host and VMs.
Layers of defense
• The physical security layer is the first line of defense to protect computing hardware in the
datacenter.
• The identity and access layer controls access to infrastructure and change control.
• The perimeter layer uses distributed denial of service (DDoS) protection to filter large-scale
attacks before they can cause a denial of service for users.
• The network layer limits communication between resources through segmentation and
access controls.
• The application layer helps ensure that applications are secure and free of security
vulnerabilities.
• The data layer controls access to business and customer data that you need to protect.
Security posture
Your security posture is your organization's ability to protect from and respond to security threats.
The common principles used to define a security posture are confidentiality, integrity, and
availability, known collectively as CIA.
• Confidentiality: The principle of least privilege means restricting access to information only
to individuals explicitly granted access, at only the level that they need to perform their
work. (protection of user passwords, email content, and access levels to applications and
underlying infrastructure.)
• Integrity: keep data and messages correct; what's stored or sent is exactly what's read or
received, with no unauthorized changes along the way.
• Availability: make data available to those who need it, when they need it.
Azure Firewall
A firewall is a network security device that monitors incoming and outgoing network traffic and
decides whether to allow or block specific traffic based on a defined set of security rules. You can
create firewall rules that specify ranges of IP addresses. Only clients with IP addresses from
within those ranges are allowed to access the destination server.
Azure Firewall: is a managed, cloud-based network security service that helps protect resources in
your Azure virtual networks.
• Stateful firewall: it analyzes the complete context of a network connection, not just an
individual packet, and offers built-in high availability and unrestricted cloud scalability.
• Azure Firewall provides a central location to create, enforce, and log application and
network connectivity policies across subscriptions and virtual networks.
• Azure Firewall uses a static (unchanging) public IP address, which lets outside firewalls
identify traffic coming from your virtual network.
• The service is integrated with Azure Monitor to enable logging and analytics.
Functions:
• Application rules that define fully qualified domain names (FQDNs) that can be
accessed from a subnet.
• Network rules that define source address, protocol, destination port, and
destination address.
• Network Address Translation (NAT) rules that define destination IP addresses and
ports to translate inbound requests.
Azure Application Gateway also provides a firewall that's called the web application firewall (WAF).
WAF provides centralized, inbound protection for your web applications against common exploits
and vulnerabilities. A WAF is also available with Azure Front Door and Azure Content Delivery
Network.
Protect from DDoS attacks by using Azure DDoS Protection
DDoS attacks: A distributed denial of service attack attempts to overwhelm and exhaust an
application's resources, making the application slow or unresponsive to legitimate users. DDoS
attacks can target any resource that's publicly reachable through the internet, including websites.
Azure DDoS Protection helps protect your Azure resources from DDoS attacks. Combined with
recommended application design practices, it provides a defense against DDoS attacks.
DDoS Protection uses the scale and elasticity of Microsoft's global network to bring DDoS mitigation
capacity to every Azure region.
• DDoS Protection can also help you manage your cloud consumption. When you run on-premises,
you have a fixed number of compute resources; in the cloud you can automatically scale out
your deployment to meet demand (elastic computing), so a flood of attack traffic could also
drive up your bill.
• DDoS Protection Standard helps ensure that the network load you process reflects customer
usage, and you can receive credit for any costs accrued for scaled-out resources during a
DDoS attack.
Service tiers :
• Basic: The Basic service tier is automatically enabled for free as part of your Azure
subscription.
• Standard: provides additional mitigation capabilities that are tuned specifically to Azure
Virtual Network resources, always-on traffic monitoring. Protection policies are tuned
through dedicated traffic monitoring and machine learning algorithms. Policies are applied
to public IP addresses, which are associated with resources deployed in virtual networks
such as Azure Load Balancer and Application Gateway.
Attack types that DDoS Protection Standard mitigates:
• Volumetric attacks: The goal of this attack is to flood the network layer with a substantial
amount of seemingly legitimate traffic.
• Protocol attacks: These attacks render a target inaccessible by exploiting a weakness in the
layer 3 and layer 4 protocol stack.
• Resource (application) layer attacks: These attacks target web application packets to disrupt
the transmission of data between hosts.
A network security group enables you to filter network traffic to and from Azure resources within an
Azure virtual network. You can think of NSGs like an internal firewall. An NSG can contain multiple
inbound and outbound security rules that enable you to filter traffic to and from resources by source
and destination IP address, port, and protocol.
The perimeter layer is about protecting your organization's resources from network-based attacks.
• Use Azure DDoS Protection to filter large-scale attacks before they can cause a denial of
service for users.
• Use perimeter firewalls with Azure Firewall to identify and alert on malicious attacks against
your network.
The network layer focuses on limiting network connectivity across all of your resources to
allow only what's required.
• By restricting connectivity, you reduce the risk of lateral movement throughout your
network from an attack.
• Use network security groups to create rules that define allowed inbound and outbound
communication at this layer.
• Deny by default.
• Restrict inbound internet access and limit outbound where appropriate.
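How an NSG actually decides, as an added example (not from the original notes and not Azure code): rules are evaluated in priority order, lowest number first, the first match wins, and the default rules at priority 65000 and above sit beneath every custom rule, ending in DenyAllInBound, which is where "deny by default" comes from. The simulation below reproduces that order; the VirtualNetwork and AzureLoadBalancer service-tag ranges, the Internet tag approximation, the sample rules and the sample flows are all constructed for the demo.

```python
"""Simulate inbound rule evaluation for an Azure network security group (NSG).

Added example for these notes, not Microsoft code. Rules are evaluated in
priority order (lowest number first), the first matching rule decides, and the
three default inbound rules (priority 65000+) sit below every custom rule.
Service-tag ranges, sample rules and sample flows are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed stand-ins for the service tags used below.
VNET_RANGES = [ip_network("10.0.0.0/8")]          # the VirtualNetwork tag
AZURE_LB = ip_network("168.63.129.16/32")        # AzureLoadBalancer health-probe source


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # custom rules use 100-4096; defaults use 65000+
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp" or "*"
    source: str        # CIDR, "*" or a service tag name
    dest_ports: tuple  # port strings: ("22",), ("80", "443"), ("1000-2000",) or ("*",)


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_port: int
    protocol: str


# The three inbound default rules every NSG carries.
DEFAULT_INBOUND = (
    Rule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", ("*",)),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "AzureLoadBalancer", ("*",)),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", ("*",)),
)


def _source_matches(rule_source: str, src_ip: str) -> bool:
    ip = ip_address(src_ip)
    if rule_source == "*":
        return True
    if rule_source == "VirtualNetwork":
        return any(ip in net for net in VNET_RANGES)
    if rule_source == "AzureLoadBalancer":
        return ip in AZURE_LB
    if rule_source == "Internet":
        # Simplification: public address space is everything outside the VNet ranges.
        return not any(ip in net for net in VNET_RANGES)
    return ip in ip_network(rule_source, strict=False)


def _port_matches(ranges: tuple, port: int) -> bool:
    for r in ranges:
        if r == "*":
            return True
        low, _, high = r.partition("-")
        if int(low) <= port <= int(high or low):
            return True
    return False


def _protocol_matches(rule_protocol: str, flow_protocol: str) -> bool:
    return rule_protocol == "*" or rule_protocol.lower() == flow_protocol.lower()


def evaluate(custom_rules, flow: Flow) -> tuple:
    """Return (access, rule_name) for the first rule, in priority order, that matches."""
    ordered = sorted(tuple(custom_rules) + DEFAULT_INBOUND, key=lambda r: r.priority)
    for rule in ordered:
        if (_protocol_matches(rule.protocol, flow.protocol)
                and _source_matches(rule.source, flow.src_ip)
                and _port_matches(rule.dest_ports, flow.dst_port)):
            return rule.access, rule.name
    raise AssertionError("unreachable: DenyAllInBound matches everything")


# Constructed rule set: block one abusive range first, then allow HTTPS from anywhere.
CUSTOM_RULES = [
    Rule("DenyAbusiveRange", 100, "Deny", "*", "203.0.113.0/24", ("*",)),
    Rule("AllowHttpsFromInternet", 200, "Allow", "Tcp", "Internet", ("443",)),
]

if __name__ == "__main__":
    for flow in (Flow("198.51.100.7", 443, "Tcp"),   # allowed by the custom HTTPS rule
                 Flow("198.51.100.7", 22, "Tcp"),    # no custom match: DenyAllInBound
                 Flow("203.0.113.5", 443, "Tcp"),    # priority 100 deny beats the 200 allow
                 Flow("10.0.1.5", 22, "Tcp")):       # intra-VNet traffic: AllowVnetInBound
        print(flow, "->", evaluate(CUSTOM_RULES, flow))
```

Two things the run makes visible: SSH from the internet is dropped without any explicit deny rule because nothing above DenyAllInBound matches, and the same HTTPS request is allowed or denied depending only on which rule has the lower priority number, so a deny placed at 100 overrides an allow at 200 for the range it covers.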
Combine services
You can combine Azure networking and security services to manage your network security and
provide increased layered protection.
• Network security groups and Azure Firewall : Azure Firewall complements the functionality
of network security groups. Together, they provide better defense-in-depth network
security. Network security groups provide distributed network-layer traffic filtering to limit
traffic to resources within virtual networks in each subscription. Azure Firewall is a fully
stateful, centralized network firewall as a service, provides network-level and application-
level protection across different subscriptions and virtual networks.
• Azure Application Gateway web application firewall and Azure Firewall: Web application
firewall (WAF) is a feature of Azure Application Gateway that provides your web
applications with centralized, inbound protection against common exploits and
vulnerabilities. Azure Firewall provides inbound protection for non-HTTP/S protocols (for
example, RDP, SSH, and FTP), plus outbound network-level protection for all ports and
protocols and application-level protection for outbound HTTP/S.
Identity
Authentication: Authentication is the process of establishing the identity of a person or service that
wants to access a resource.
Authorization: Authentication establishes the user's identity, but authorization is the process of
establishing what level of access an authenticated person or service has.
Azure Active Directory (Azure AD, now Microsoft Entra ID)
• Provides identity services that enable your users to sign in and access both Microsoft cloud
applications and cloud applications that you develop.
• With Azure AD, you control the identity accounts, but Microsoft ensures that the service is
available globally.
• When you secure identities on-premises with Active Directory, Microsoft doesn't monitor
sign-in attempts.
• Connecting Active Directory with Azure AD lets Microsoft help you detect suspicious sign-in
attempts at no extra cost.
Azure AD users
IT administrators: Administrators can use Azure AD to control access to applications and resources
based on their business requirements.
App developers: Developers can use Azure AD to provide a standards-based approach for adding
functionality to applications that they build.
Online service subscribers: Microsoft 365, Microsoft Office 365, Azure, and Microsoft Dynamics
CRM Online subscribers are already using Azure AD.
Azure AD services
• Single sign-on: SSO enables you to remember only one username and one password to
access multiple applications.
• Application management: You can manage your cloud and on-premises apps by using Azure
AD.
• Device management: Along with accounts for individual people, Azure AD supports the
registration of devices. Registration enables devices to be managed through tools like
Microsoft Intune.
Single sign-on
• Single sign-on enables a user to sign in one time and use that credential to access multiple
resources and applications from different providers.
• If a user leaves an organization, tracking down all those identities and ensuring they are
disabled can be challenging. If an identity is overlooked, this might allow access when it
should have been eliminated.
Connecting Active Directory with Azure AD enables you to provide a consistent identity experience
to your users.
There are a few ways to connect your existing Active Directory installation with Azure AD; the
most common is Azure AD Connect, which synchronizes user identities between on-premises Active
Directory and Azure AD.
Multifactor authentication
Multifactor authentication is a process where a user is prompted during the sign-in process for an
additional form of identification. Examples include a code on their mobile phone or a fingerprint
scan.
• Multifactor authentication provides additional security for your identities by requiring two
or more elements to fully authenticate: something the user knows (a password), something the
user has (a phone or hardware token), and something the user is (a biometric).
• Azure Active Directory: the Azure Active Directory free edition enables Azure AD
Multi-Factor Authentication for administrators with the global admin level of access,
via the Microsoft Authenticator app, phone call, or SMS code.
Conditional Access
• Conditional Access is a tool that Azure Active Directory uses to allow (or deny) access to
resources based on identity signals. These signals include who the user is, where the user is,
and what device the user is requesting access from.
• During sign-in, Conditional Access collects signals from the user, makes decisions based on
those signals, and then enforces that decision by allowing or denying the access request or
challenging for a multifactor authentication response.
Conditional Access is useful when you need to:
• Require users to access your application only from managed devices. A managed device is a
device that meets your standards for security and compliance.
• Block access from untrusted sources, such as access from unknown or unexpected locations.
Conditional Access comes with a What If tool, which helps you plan and troubleshoot your
Conditional Access policies. You can use this tool to model your proposed Conditional Access policies
across recent sign-in attempts from your users to see what the impact would have been if those
policies had been enabled.
To use Conditional Access, you need an Azure AD Premium P1 or P2 license. If you have a Microsoft
365 Business Premium license, you also have access to Conditional Access features.
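The Conditional Access decision and the What If replay, as an added example (not Azure AD code and not from the original notes). A policy combines assignments (which users it applies to, under which conditions such as location) with an access control (block, or grant with MFA or a compliant device). At sign-in every applicable policy is evaluated: if any applicable policy blocks, the sign-in is blocked; otherwise the grant controls of the applicable policies must be satisfied. The What If replay runs proposed policies over past sign-ins and counts what the outcome would have been. Users, groups, the trusted-country list standing in for named locations, and the sign-in records are constructed.

```python
"""Conditional Access evaluation and a What If-style replay, simulated.

Added example, not Azure AD code. Policies, groups, named locations and
sign-in records are constructed. Block always wins over grant controls;
the compliant-device and MFA grant controls are simplified to a single
"what is still required" answer rather than the full combined requirement.
"""
from collections import Counter
from dataclasses import dataclass

TRUSTED_COUNTRIES = {"US", "DE"}  # constructed stand-in for trusted named locations


@dataclass(frozen=True)
class SignIn:
    user: str
    groups: frozenset
    country: str
    device_compliant: bool


@dataclass(frozen=True)
class Policy:
    name: str
    include_groups: frozenset                 # frozenset({"All"}) means every user
    exclude_users: frozenset = frozenset()    # e.g. emergency-access accounts
    only_untrusted_locations: bool = False    # condition: location not in the trusted set
    control: str = "mfa"                      # "block", "mfa" or "compliant_device"


def applies(policy: Policy, s: SignIn) -> bool:
    """Assignments: is this user in scope, and do the conditions match this sign-in?"""
    in_scope = "All" in policy.include_groups or bool(policy.include_groups & s.groups)
    if not in_scope or s.user in policy.exclude_users:
        return False
    if policy.only_untrusted_locations and s.country in TRUSTED_COUNTRIES:
        return False
    return True


def decide(policies, s: SignIn) -> str:
    """'blocked', 'compliant_device_required', 'mfa_required' or 'allowed'."""
    controls = {p.control for p in policies if applies(p, s)}
    if "block" in controls:                       # any applicable block wins outright
        return "blocked"
    if "compliant_device" in controls and not s.device_compliant:
        return "compliant_device_required"
    if "mfa" in controls:
        return "mfa_required"
    return "allowed"


def what_if(policies, signins) -> dict:
    """Replay past sign-ins through proposed policies and tally the outcomes."""
    return dict(Counter(decide(policies, s) for s in signins))


# Constructed proposed policies.
PROPOSED = [
    Policy("Block sign-ins from untrusted countries", frozenset({"All"}),
           exclude_users=frozenset({"breakglass@contoso.com"}),
           only_untrusted_locations=True, control="block"),
    Policy("Require MFA for admins", frozenset({"Admins"}), control="mfa"),
    Policy("Finance requires a compliant device", frozenset({"Finance"}), control="compliant_device"),
]

# Constructed recent sign-ins to replay.
PAST_SIGNINS = [
    SignIn("alice@contoso.com", frozenset({"Admins"}), "US", True),
    SignIn("bob@contoso.com", frozenset({"Users"}), "DE", False),
    SignIn("carol@contoso.com", frozenset({"Finance"}), "US", False),
    SignIn("dave@contoso.com", frozenset({"Admins"}), "XX", True),         # untrusted country
    SignIn("breakglass@contoso.com", frozenset({"Admins"}), "XX", True),   # excluded from the block
]

if __name__ == "__main__":
    for s in PAST_SIGNINS:
        print(f"{s.user:26} {decide(PROPOSED, s)}")
    print(what_if(PROPOSED, PAST_SIGNINS))
```

The replay is the point: before enabling the block policy you can see that dave would have been locked out while the emergency-access account still gets in (with MFA), which is exactly the kind of surprise the What If tool is meant to surface.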
Cloud Adoption Framework for Azure
The Cloud Adoption Framework for Azure provides you with proven guidance to help with your
cloud adoption journey. It helps you create and implement the business and technology
strategies needed to succeed in the cloud, and consists of tools, documentation, and proven
practices. Its stages:
1. Define your strategy: why you're moving to the cloud and what you want to get out of cloud
migration.
2. Make a plan: you build a plan that maps your aspirational goals to specific actions. Steps:
1. Digital estate
3. Ready your organization: you create a landing zone, an environment in the cloud to begin
hosting your workloads. Steps:
4. Best practices
4. Adopt the cloud
Migrate: here are the steps in the migrate part of this stage:
2. Migration scenarios
3. Best practices
4. Process improvements
Innovate: here are the steps in the innovate part of this stage:
3. Best practices
4. Feedback loops
5. Govern and manage your cloud environments: you begin to form your cloud governance and cloud
management strategies.
Govern: here are the steps in the govern part of this stage:
1. Methodology
2. Benchmark
Manage: here are the steps in the manage part of this stage:
Cloud center of excellence team: This team is empowered to implement governance practices from a
centralized location for the entire organization.
Subscriptions: reasons to create additional subscriptions include:
• Billing: You can create one billing report per subscription (Resource tags can also help).
• Access control: Every subscription is associated with an Azure Active Directory tenant. Each
tenant provides administrators the ability to set granular access through defined roles by
using Azure role-based access control.
• Subscription limits: Subscriptions also have some resource limitations. Management groups
are also available to assist with managing subscriptions. A management group manages
access, policies, and compliance across multiple Azure subscriptions.
Role-based access control is applied to a scope, which is a resource or set of resources that this
access applies to.
Scopes include:
• A management group (a collection of multiple subscriptions).
• A single subscription.
• A resource group.
• A single resource.
Azure RBAC
• Allow one user to manage VMs in a subscription and another user to manage virtual
networks.
• Allow a user to manage all resources in a resource group, such as virtual machines, websites,
and subnets.
• Azure RBAC is enforced on any action that's initiated against an Azure resource that passes
through Azure Resource Manager. Resource Manager is a management service that provides
a way to organize and secure your cloud resources.
• Azure RBAC doesn't enforce access permissions at the application or data level.
• RBAC uses an allow model. When you're assigned a role, RBAC allows you to perform certain
actions, such as read, write, or delete.
• You can apply Azure RBAC to an individual person or to a group or other special identity
types, such as service principals and managed identities.
• IT Administrators
• Security Operations
• You manage access permissions on the Access control (IAM) pane in the Azure portal (who
has access to what scope and what roles apply).
Resource locks
A resource lock prevents resources from being accidentally deleted or changed. Think of a resource
lock as a warning system that reminds you that a resource should not be deleted or changed.
Levels of locking:
• CanNotDelete: means authorized people can still read and modify a resource, but they can't
delete the resource without first removing the lock.
• ReadOnly: means authorized people can read a resource, but they can't delete or change
the resource. Applying this lock is like restricting all authorized users to the permissions
granted by the Reader role in Azure RBAC.
Deleting a locked resource is therefore a two-step process: remove the lock, then delete. Resource
locks apply regardless of RBAC permissions. Even if you're an owner of the resource, you must
still remove the lock before you can perform the blocked activity.
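RBAC scope inheritance and resource locks together, as an added example (not Resource Manager code and not from the original notes) covering both the Azure RBAC section above and the resource-lock levels just described. A role assignment at a scope applies to everything beneath it, RBAC is an allow model (no assignment, no access), and a lock at any enclosing scope blocks the locked operation even for an Owner. The role definitions are abbreviated to the Actions and NotActions that matter here, the subscription ID and resource IDs are constructed, and checking RBAC before locks is a modelling choice (both checks must pass either way).

```python
"""Azure RBAC scope inheritance plus resource locks, simulated.

Added example, not Azure Resource Manager code. Scopes follow the resource-ID
shape Azure uses (/subscriptions/<id>/resourceGroups/<rg>/providers/...).
Role definitions are abbreviated; IDs, assignments and locks are constructed.
"""
from fnmatch import fnmatch

# Abbreviated built-in roles: Actions granted, NotActions carved back out.
ROLES = {
    "Owner": {"actions": ["*"], "not_actions": []},
    "Contributor": {"actions": ["*"],
                    "not_actions": ["Microsoft.Authorization/*/Write",
                                    "Microsoft.Authorization/*/Delete"]},
    "Reader": {"actions": ["*/read"], "not_actions": []},
}


def _role_permits(role: str, action: str) -> bool:
    """Allow model: action must match an Action pattern and no NotAction pattern."""
    definition = ROLES[role]
    act = action.lower()
    if any(fnmatch(act, p.lower()) for p in definition["not_actions"]):
        return False
    return any(fnmatch(act, p.lower()) for p in definition["actions"])


def _within(scope: str, resource_id: str) -> bool:
    """True when resource_id is the scope itself or nested under it (inheritance)."""
    scope, rid = scope.lower(), resource_id.lower()
    return rid == scope or rid.startswith(scope + "/")


def rbac_allows(principal: str, action: str, resource_id: str, assignments) -> bool:
    return any(p == principal and _within(scope, resource_id) and _role_permits(role, action)
               for p, role, scope in assignments)


def lock_blocks(action: str, resource_id: str, locks) -> str:
    """Name of the first lock that blocks the action, or '' if none does."""
    act = action.lower()
    for scope, level, name in locks:
        if not _within(scope, resource_id):
            continue
        if level == "ReadOnly" and not act.endswith("/read"):
            return name
        if level == "CanNotDelete" and act.endswith("/delete"):
            return name
    return ""


def authorize(principal: str, action: str, resource_id: str, assignments, locks) -> tuple:
    """(allowed, reason). Both RBAC and locks must pass; order here is a modelling choice."""
    if not rbac_allows(principal, action, resource_id, assignments):
        return False, "denied: no role assignment grants this action at this scope"
    blocker = lock_blocks(action, resource_id, locks)
    if blocker:
        return False, f"denied: blocked by lock '{blocker}' (remove the lock first)"
    return True, "allowed"


# Constructed scopes, assignments and locks.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
RG = SUB + "/resourceGroups/rg-prod"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/vm-web-01"

ASSIGNMENTS = [            # (principal, role, scope)
    ("alice", "Owner", SUB),
    ("bob", "Reader", RG),
    ("carol", "Contributor", RG),
]
LOCKS = [(RG, "CanNotDelete", "keep-prod")]   # (scope, level, lock name); inherited by the VM

if __name__ == "__main__":
    checks = [("alice", "Microsoft.Compute/virtualMachines/delete"),
              ("alice", "Microsoft.Compute/virtualMachines/write"),
              ("bob", "Microsoft.Compute/virtualMachines/write"),
              ("carol", "Microsoft.Authorization/roleAssignments/write")]
    for who, what in checks:
        print(who, what, authorize(who, what, VM, ASSIGNMENTS, LOCKS))
    print("after removing the lock:",
          authorize("alice", "Microsoft.Compute/virtualMachines/delete", VM, ASSIGNMENTS, []))
```

Alice is Owner at the subscription, inherited down to the VM, yet her delete fails until the CanNotDelete lock on the resource group is removed; her write goes through because that level only blocks deletion. Carol's Contributor role cannot write role assignments because that action sits in the role's NotActions, which is how Contributor differs from Owner.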
Azure Blueprints
To make the protection process more robust, you can combine resource locks with Azure Blueprints.
Azure Blueprints enables you to define the set of standard Azure resources that your organization
requires. Azure Blueprints can automatically replace the resource lock if that lock is removed.
Organization
One way to organize related resources is to place them in their own subscriptions. You can also use
resource groups to manage related resources. Resource tags are another way to organize resources.
Tags provide extra information, or metadata, about your resources.
• Resource management: to locate and act on resources that are associated with specific
workloads, environments, business units, and owners.
• Governance and regulatory compliance: enable you to identify resources that align with
governance or regulatory compliance requirements.
• Workload optimization and automation: it can help you visualize all of the resources that
participate in complex deployments.
Resource tags
You can add, modify, or delete resource tags through PowerShell, the Azure CLI, Azure Resource
Manager templates, the REST API, or the Azure portal.
Azure Policy: to ensure that a resource inherits the same tags as its parent resource group and to
enforce tagging rules and conventions.
Azure Policy
Azure Policy is a service in Azure that enables you to create, assign, and manage policies that control
or audit your resources. These policies enforce different rules and effects over your resource
configurations so that those configurations stay compliant with corporate standards.
• Azure Policy evaluates your resources and highlights resources that aren't compliant with
the policies you've created.
• Azure Policy can also prevent noncompliant resources from being created.
• In some cases, Azure Policy can automatically remediate noncompliant resources and
configurations to ensure the integrity of the state of the resources (can be integrated with
Azure DevOps).
A policy definition expresses what to evaluate and what action to take. Every policy definition has
conditions under which it's enforced. A policy definition also has an accompanying effect that takes
place when the conditions are met. Here are some example policy definitions:
• Allowed virtual machine SKUs: This policy enables you to specify a set of VM SKUs
that your organization can deploy.
• Allowed locations: to restrict the locations that your organization can specify when
it deploys resources.
• CORS should not allow every resource to access your web applications: Cross-origin
resource sharing (CORS) is an HTTP feature that enables a web application running
under one domain to access resources in another domain.
To implement your policy definitions, you assign definitions to resources. A policy assignment is a
policy definition that takes place within a specific scope. This scope could be a management group (a
collection of multiple subscriptions), a single subscription, or a resource group.
Policy assignments are inherited by all child resources within that scope.
Policy evaluation happens about once per hour. If you make changes to your policy definition and
create a policy assignment, that policy is evaluated over your resources within the hour.
An Azure Policy initiative is a way of grouping related policies into one set. The initiative definition
contains all of the policy definitions to help track your compliance state for a larger goal.
Example initiative: Enable Monitoring in Azure Security Center (contains over 100 separate policy
definitions) monitors all of the available security recommendations for all Azure resource types
in Azure Security Center.
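What a policy definition looks like and how it is evaluated, as an added example (not Azure Policy's engine and not from the original notes). The evaluator implements just the subset of the policy rule language these definitions need: "field" conditions with equals/notEquals/in/notIn/exists, the allOf/anyOf/not combinators, and "[parameters('name')]" references. The first definition follows the shape of the built-in Allowed locations policy (its B2C directory exception is dropped), the second is a simplified Require a tag on resources, and the two are grouped into an initiative. The sample resources are constructed.

```python
"""Minimal evaluator for Azure Policy definitions and an initiative.

Added example, not Azure Policy's own engine. Supports the subset of the
rule language used by the two definitions below. Resources are constructed.
"""
import re

PARAM_REF = re.compile(r"^\[parameters\('(\w+)'\)\]$")

# Shape of the built-in "Allowed locations" policy (B2C exception omitted).
ALLOWED_LOCATIONS = {
    "displayName": "Allowed locations",
    "parameters": {"listOfAllowedLocations": ["westeurope", "northeurope"]},
    "policyRule": {
        "if": {"allOf": [
            {"field": "location", "notIn": "[parameters('listOfAllowedLocations')]"},
            {"field": "location", "notEquals": "global"},
        ]},
        "then": {"effect": "deny"},
    },
}

# Simplified "Require a tag on resources": tag name fixed instead of parameterized.
REQUIRE_ENV_TAG = {
    "displayName": "Require an 'env' tag on resources",
    "parameters": {},
    "policyRule": {
        "if": {"field": "tags['env']", "exists": "false"},
        "then": {"effect": "audit"},
    },
}

INITIATIVE = {"displayName": "Baseline governance",
              "definitions": [ALLOWED_LOCATIONS, REQUIRE_ENV_TAG]}


def _field(resource: dict, path: str):
    """Resolve a field alias: plain property or tags['name']."""
    m = re.match(r"^tags\['([^']+)'\]$", path)
    if m:
        return resource.get("tags", {}).get(m.group(1))
    return resource.get(path)


def _resolve(value, params):
    """Substitute a [parameters('x')] reference with the assignment's value."""
    if isinstance(value, str):
        m = PARAM_REF.match(value)
        if m:
            return params[m.group(1)]
    return value


def matches(cond: dict, resource: dict, params: dict) -> bool:
    """Evaluate an 'if' condition tree against a resource."""
    if "allOf" in cond:
        return all(matches(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(c, resource, params) for c in cond["anyOf"])
    if "not" in cond:
        return not matches(cond["not"], resource, params)
    actual = _field(resource, cond["field"])
    if "exists" in cond:
        return (actual is not None) == (str(cond["exists"]).lower() == "true")
    if "equals" in cond:
        return actual == _resolve(cond["equals"], params)
    if "notEquals" in cond:
        return actual != _resolve(cond["notEquals"], params)
    if "in" in cond:
        return actual in _resolve(cond["in"], params)
    if "notIn" in cond:
        return actual not in _resolve(cond["notIn"], params)
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(definition: dict, resource: dict) -> dict:
    """For deny/audit effects the resource is non-compliant when the 'if' matches."""
    rule = definition["policyRule"]
    hit = matches(rule["if"], resource, definition["parameters"])
    return {"policy": definition["displayName"], "compliant": not hit,
            "effect": rule["then"]["effect"] if hit else None}


def evaluate_initiative(initiative: dict, resource: dict) -> dict:
    """Compliance of one resource against every definition in the initiative."""
    results = [evaluate(d, resource) for d in initiative["definitions"]]
    return {"resource": resource["name"],
            "compliant": all(r["compliant"] for r in results),
            "violations": [r for r in results if not r["compliant"]]}


SAMPLE_RESOURCES = [  # constructed
    {"name": "vm-web-01", "type": "Microsoft.Compute/virtualMachines",
     "location": "westeurope", "tags": {"env": "prod"}},
    {"name": "st-logs", "type": "Microsoft.Storage/storageAccounts",
     "location": "brazilsouth", "tags": {"env": "dev"}},
    {"name": "vnet-hub", "type": "Microsoft.Network/virtualNetworks",
     "location": "northeurope", "tags": {}},
    {"name": "dns-zone", "type": "Microsoft.Network/dnsZones",
     "location": "global", "tags": {"env": "prod"}},
]

if __name__ == "__main__":
    for r in SAMPLE_RESOURCES:
        print(evaluate_initiative(INITIATIVE, r))
```

The run shows the difference between effects: the storage account in brazilsouth would have been rejected at deployment time (deny), while the untagged VNet deploys but is reported non-compliant (audit). The dnsZone passes the location policy only because of the second clause in the allOf, which is why the built-in definition carves out "global" resources.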
Azure Blueprint
Cloud center of excellence team can use Azure Blueprints to scale their governance practices
throughout the organization.
With Azure Blueprints, the relationship between the blueprint definition (what should be deployed)
and the blueprint assignment (what was deployed) is preserved. In other words, Azure creates a
record that associates a resource with the blueprint that defines it. This connection helps you track
and audit your deployments.
Blueprint artifacts
Each component of a blueprint definition is an artifact. Artifact types are role assignments,
policy assignments, Azure Resource Manager templates, and resource groups.
• Artifacts can also contain one or more parameters that you can configure.
ISO 27001
ISO 27001 is a standard that applies to the security of IT systems, published by the International
Organization for Standardization.
Example: applying the ISO 27001 Shared Services blueprint across an organization:
1. Create a management group.
2. Recall that a management group manages access, policies, and compliance across
multiple Azure subscriptions. Every new Azure subscription is added to this
management group when the subscription is created.
3. Create a blueprint definition that's based on the ISO 27001: Shared Services
Blueprint template. Then publish the blueprint.
Any US state or local agency that wants to access the FBI's Criminal Justice Information Services
(CJIS) database is required to adhere to the CJIS Security Policy.
Azure is the only major cloud provider that contractually commits to conformance with the CJIS
Security Policy. Microsoft adheres to the same requirements that law enforcement and public safety
entities must meet.
Azure, Intune, and Microsoft Power BI have obtained Cloud Security Alliance (CSA) STAR
Certification, which involves a rigorous independent third-party assessment of a cloud provider's
security posture.
• Has been assessed against the STAR Capability Maturity Model for the management of
activities in CCM control areas.
Microsoft offers customers European Union (EU) Standard Contractual Clauses that provide
contractual guarantees around transfers of personal data outside of the EU.
Microsoft is the first company to receive joint approval from the EU's Article 29 Working Party that
the contractual privacy protections Azure delivers to its enterprise cloud customers meet current EU
standards for international transfers of data. Meeting this standard ensures that Azure customers
can use Microsoft services to move data freely through Microsoft's cloud, from Europe to the rest of
the world.
The Microsoft Privacy Statement explains what personal data Microsoft collects, how Microsoft uses
it, and for what purposes.
• The privacy statement covers all of Microsoft's services, websites, apps, software, servers,
and devices.
The Online Services Terms (OST) is a legal agreement between Microsoft and the customer. The OST
details the obligations by both parties with respect to the processing and security of customer data
and personal data.
The Data Protection Addendum (DPA) further defines the data processing and security terms for
online services. These terms include:
• Data Security, which includes security practices and policies, data encryption, data access,
customer responsibilities, and compliance with auditing.
Trust Center
The Trust Center showcases Microsoft's principles for maintaining data integrity in the cloud and
how Microsoft implements and supports security, privacy, compliance, and transparency in all
Microsoft cloud products and services.
• In-depth information about security, privacy, compliance offerings, policies, features, and
practices across Microsoft cloud products.
• Links to the security, privacy, and compliance blogs and upcoming events.
Azure compliance documentation
• The Azure compliance documentation provides you with detailed documentation about legal
and regulatory standards and compliance on Azure.
• Global
• US government
• Financial services
• Health
• Regional
• From the Azure compliance documentation, you can access additional compliance resources.
For example, from the Audit reports section, you find a link to audit reports for PCI DSS.
• From there, you can access several different files, including the Attestation of Compliance
reports and the PCI DSS Shared Responsibility Matrix.
• Under Compliance blueprints, you find reference blueprints, or policy definitions, for
common standards that you can apply to your Azure subscription.
• The PCI DSS blueprint deploys a core set of policies that map to PCI DSS
compliance and help you govern your Azure workloads against this standard.
Azure Government
Azure Government is a separate instance of the Microsoft Azure service. It addresses the security
and compliance needs of US federal agencies, state and local governments, and their solution
providers. Azure Government offers physical isolation from non-US government deployments and
provides screened US personnel.
Azure Government services handle data that is subject to certain government regulations and
requirements, such as FedRAMP, NIST 800.171 (DIB), ITAR, IRS 1075, DoD L4, and CJIS.
Azure Government uses physically isolated datacenters and networks located only in the US. Azure
Government customers, such as the US federal, state, and local government or their partners, are
subject to validation of eligibility. Azure Government provides the broadest compliance and DoD
Impact Level 5 approval.
• Azure China 21Vianet is operated by 21Vianet. It's a physically separated instance of cloud
services located in China. Azure China 21Vianet is independently operated and transacted by
Shanghai Blue Cloud Technology Co., Ltd. ("21Vianet"), a wholly owned subsidiary of Beijing
21Vianet Broadband Data Center Co., Ltd.
• Chinese regulations require cloud services operated in China to hold government-issued
permits. Only locally registered companies with less than 50 percent foreign investment
qualify for these permits.
• To comply with this regulation, the Azure service in China is operated by 21Vianet, based on
the technologies licensed from Microsoft.
• As the first foreign public cloud service provider offered in China in compliance with
government regulations, Azure China 21Vianet provides world-class security as discussed on
the Trust Center, as required by Chinese regulations for all systems and applications built on
its architecture.
TCO Calculator
The TCO Calculator helps you estimate the cost savings of operating your solution on Azure over
time, instead of in your on-premises datacenter.
• You enter the details of your on-premises workloads, including costs such as electricity,
network maintenance, and IT labor. The three steps:
• Define your workloads: you enter the specifications of your on-premises infrastructure
into the TCO Calculator, based on these four categories: Servers, Databases, Storage,
Networking.
• Adjust assumptions: specify whether your current on-premises licenses are enrolled for
Software Assurance, specify whether you need to replicate your storage to another Azure
region for greater redundancy, and adjust cost assumptions across several different areas.
• View the report: choose a time frame between one and five years; the TCO Calculator
generates a report that's based on the information you've entered.
Azure subscriptions
• Free trial
• Pay-as-you-go
• Member offers: Your existing membership to certain Microsoft products and services might
provide you with credits for your Azure account and reduced rates on Azure services, for
example: member offers are available to Visual Studio subscribers, Microsoft Partner
Network members.
Azure services
• Directly from the web: Here, you purchase Azure services directly from the Azure portal
website and pay standard prices. You're billed monthly, as a credit card payment or through
an invoice.
• Through a Cloud Solution Provider: A Cloud Solution Provider (CSP) is a Microsoft Partner
who helps you build solutions on top of Azure. Your CSP bills you for your Azure usage at a
price they determine. They also answer your support questions and escalate them to
Microsoft, as needed.
Factors
• Resource type: For example, with a storage account you specify a type (such as block blob
storage or table storage), a performance tier (standard or premium), and an access tier (hot,
cool, or archive).
• Usage meters: When you provision a resource, Azure creates meters to track usage of that
resource. Azure uses these meters to generate a usage record that's later used to help
calculate your bill. Each meter tracks a specific type of usage. E.g., meters for a single VM
include:
• Disk size and amount of disk read and disk write operations.
• Resource usage: In Azure, you can delete or deallocate a VM. Deleting a VM means that you
no longer need it. Deallocating a VM means that the VM is no longer running, but the
associated hard disks and data are still kept in Azure. The VM isn't assigned to a CPU or
network in Azure's datacenter, so it doesn't generate the costs associated with compute time
or the VM's IP address. Because the disks and data are still stored, and the resource is
present in your Azure subscription, you're still billed for disk storage.
• Azure subscription types: Some Azure subscription types also include usage allowances,
which affect costs (e.g., free products).
Azure Marketplace: You can also purchase Azure-based solutions and services from third-party
vendors through Azure Marketplace.
Does location or network traffic affect cost? - When you provision a resource in Azure, you need to
define the location (known as the Azure region) of where it will be deployed.
• Zones for billing of network traffic: Bandwidth refers to data moving in and out of Azure
datacenters. Some inbound data transfers (data going into Azure datacenters) are free. For
outbound data transfers (data leaving Azure datacenters), data transfer pricing is based on
zones.
• A zone is a geographical grouping of Azure regions for billing purposes. The following zones
include some of the regions as shown here:
• Zone 1: Australia Central, West US, East US, Canada West, West Europe, France
Central, and others.
• Zone 2: Australia East, Japan West, Central India, Korea South, and others
• Zone 3: Brazil South, South Africa North, South Africa West, UAE Central, UAE North
• How can I estimate the total cost? - Azure Pricing calculator: The Pricing calculator displays
Azure products in categories. You add these categories to your estimate and configure
according to your specific requirements. You then receive a consolidated estimated price,
with a detailed breakdown of the costs associated with each resource you added to your
solution.
The options that you can configure in the Pricing calculator vary between products, but they can
include:
• Region: A region is the geographical location in which you can provision a service.
• Tier: Tiers have different levels of availability or performance and different associated costs.
• Billing options: These highlight the different ways you can pay for a service.
• Support options: These options enable you to select additional support pricing options for
certain services.
• Azure Dev/Test pricing: This option lists the available prices for development and test
workloads.
Total cost
• To help you plan your solution on Azure, carefully consider the products, services, and
resources you need.
• Calculate your projected costs by using the Pricing calculator and the Total Cost of
Ownership (TCO) Calculator.
Spending limits
• If you have a free trial or a credit-based Azure subscription, you can use spending limits to
prevent accidental overrun.
• When you spend all the credit included with your Azure free account, the Azure resources
that you deployed are removed from production and your Azure virtual machines (VMs) are
stopped and deallocated.
• If you have a credit-based subscription and you reach your configured spending limit, Azure
suspends your subscription until a new billing period begins.
• A related concept is quotas, or limits on the number of similar resources you can provision
within your subscription. For example, you can allocate up to 25,000 VMs per region.
Azure Cost Management + Billing is a free service that helps you understand your Azure bill, manage
your account and subscriptions, monitor and control Azure spending, and optimize resource use.
Functions of Azure Cost Management + Billing
• Reporting
• Data enrichment
• Budgets
• Alerting
• Recommendations
• To deallocate a VM means to no longer run the VM, but preserve the associated hard disks
and data in Azure.
• If you have VM workloads that are only used during certain periods, but you're running them
every hour of every day, you're wasting money. These VMs are great candidates to shut
down when not in use and start back when you need them, saving you compute costs while
the VM is deallocated.
• As you move your workloads to the cloud, a natural evolution is to start with infrastructure
as a service (IaaS) services.
• Over time, one way to reduce costs is to gradually move IaaS workloads to run on platform
as a service (PaaS) services.
• PaaS services, such as Azure SQL Database, are often less expensive to run, and because
they're managed for you, you don't need to worry about software updates, security patches, or
optimizing physical storage for read and write operations.
• Choose cost-effective operating systems: Many Azure services provide a choice of running
on Windows or Linux. It's useful to compare pricing to see whether you can save money.
• Use Azure Hybrid Benefit to repurpose software licenses on Azure: If you've purchased
licenses for Windows Server or SQL Server, and your licenses are covered by Software
Assurance, you might be able to repurpose those licenses on VMs on Azure. Some of the
details vary between Windows Server or SQL Server.
• A service-level agreement (SLA) is a formal agreement between a service company and the
customer. For Azure, this agreement defines the performance standards that Microsoft
commits to for you, the customer.
• Why are SLAs important? - Understanding the SLA for each Azure service you use helps you
understand what guarantees you can expect.
SLA
• Introduction: This section explains what to expect in the SLA, including its scope and how
subscription renewals can affect the terms.
• General terms: This section contains terms that are used throughout the SLA so that both
parties (you and Microsoft) have a consistent vocabulary. It defines the general terms of the
agreement, including how to submit a claim.
• SLA details: This section defines the specific guarantees for the service. Performance
commitments are commonly measured as a percentage.
The primary performance commitment typically focuses on uptime, or the percentage of time that a
product or service is successfully operational. Some SLAs focus on other factors as well, including
latency, or how fast the service must respond to a request.
• Azure status provides a global view of the health of Azure services and regions. If you
suspect there's an outage, this is often a good place to start your investigation.
• Azure status provides an RSS feed of changes to the health of Azure services that you can
subscribe to. You can connect this feed to communication software such as Microsoft Teams
or Slack.
• From the Azure status page, you can also access Azure Service Health, which provides a
personalized view of the health of the Azure services.
• Typically, you need to file a claim with Microsoft to receive a service credit. Each SLA
specifies the timeline by which you must submit your claim and when Microsoft processes
your claim.
Service credits
• A service credit is the percentage of the fees you paid that are credited back to you
according to the claim approval process.
• An SLA describes how Microsoft responds when an Azure service fails to perform to its
specification. For example, you might receive a discount on your Azure bill as compensation
when a service fails to perform according to its SLA.
• Credits typically increase as uptime decreases. Here's how credits are applied for Azure
Database for MySQL according to uptime.
Application SLA
• Tailwind Traders runs an application that it built on Azure called "Special Orders." The
application tracks special orders that customers have placed in the company's retail stores.
There are many design decisions you can make to improve the availability and resiliency of
the applications and services you build on Azure.
• Business impact
• Usage patterns: define when and how users access your application.
• There are application design considerations you can use that relate to the underlying cloud
infrastructure.
• To improve the availability of the application, avoid having any single points of failure.
• You can deploy one or more extra instances of the same virtual machine across the different
availability zones in the same Azure region. Deploying two or more instances of an Azure
virtual machine across two or more availability zones raises the virtual machine SLA to 99.99
percent. Recalculating your composite SLA above with this Virtual Machines SLA gives you an
application SLA of: 99.99%×99.99%×99.99%×99.99% =99.96%.
• To ensure high availability, you might plan for your application to have duplicate
components across several regions, known as redundancy.
• Conversely, to minimize costs during non-critical periods, you might run your application
only in a single region.
• To achieve maximum availability in your application, add redundancy to every single part of
the application. This redundancy includes the application itself, as well as the underlying
services and infrastructure.
• An SLA of 99.99 percent means 1 minute of downtime per week. It's difficult for humans to
respond to failures quickly enough to meet SLA performance targets above 99.99 percent.
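The composite-SLA arithmetic and the downtime budget used in the bullets above, as an added worked example that is not part of the original study notes. It reproduces the four-service figure (99.99% each gives 99.96%) and the "1 minute per week" statement for 99.99%; the multi-region redundancy helper goes beyond the notes and assumes the copies fail independently, which is a modelling assumption and not a published Azure SLA number.

```python
"""Composite SLA and downtime-budget calculator.

Added example for the AZ-900 notes above; not Microsoft's code. The
regional-redundancy helper assumes independent failures (an added
assumption): the contractual figure for a given deployment is always
the published Azure SLA, not the value this formula produces.
"""

MINUTES_PER_WEEK = 7 * 24 * 60      # 10,080
MINUTES_PER_MONTH = 30 * 24 * 60    # 43,200 (assumes a 30-day month)
MINUTES_PER_YEAR = 365 * 24 * 60    # 525,600


def composite_sla(service_slas_percent):
    """SLA of an application in which every service must be up at once.

    As the notes state, the composite SLA is the product of the SLAs of the
    services used. Returns a percentage rounded to two decimals, e.g. 99.96.
    """
    product = 1.0
    for sla in service_slas_percent:
        if not 0 < sla <= 100:
            raise ValueError(f"SLA percentage out of range: {sla}")
        product *= sla / 100
    return round(product * 100, 2)


def downtime_minutes(sla_percent, period_minutes):
    """Maximum downtime over the period that still meets the SLA."""
    return (1 - sla_percent / 100) * period_minutes


def downtime_budget(sla_percent):
    """Downtime allowance per week, month and year, in minutes."""
    return {
        "week": downtime_minutes(sla_percent, MINUTES_PER_WEEK),
        "month": downtime_minutes(sla_percent, MINUTES_PER_MONTH),
        "year": downtime_minutes(sla_percent, MINUTES_PER_YEAR),
    }


def redundant_sla(single_copy_sla_percent, copies):
    """Availability of `copies` identical components where one is enough.

    Models the multi-region redundancy the notes describe. Assumes the
    copies fail independently (added assumption): the application is down
    only when every copy is down at the same time.
    """
    if copies < 1:
        raise ValueError("need at least one copy")
    p_down = 1 - single_copy_sla_percent / 100
    return round((1 - p_down ** copies) * 100, 4)


if __name__ == "__main__":
    # The figure from the notes: four dependent services at 99.99% each.
    print("composite:", composite_sla([99.99, 99.99, 99.99, 99.99]), "%")
    # Weekly budget for 99.99% is the "1 minute per week" in the notes.
    for sla in (99.9, 99.95, 99.99, 99.999):
        b = downtime_budget(sla)
        print(f"{sla}%: {b['week']:.2f} min/week, {b['year']:.1f} min/year")
    # Two independent copies of a 99.9% component (modelled, not contractual).
    print("two copies of 99.9%:", redundant_sla(99.9, 2), "%")
```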
Service lifecycle
• The service lifecycle defines how every Azure service is released for public use.
• Every Azure service starts in the development phase. In this phase, the Azure team collects
and defines its requirements, and begins to build the service.
• During this phase, the public can access and experiment with it so that it can provide
feedback.
• After a new Azure service is validated and tested, it's released to all customers as a
production-ready service. This is known as general availability (GA).
A company investigates moving on-premises… (fault tolerance, high availability)
You work for a small company that hosts its own web servers… (horizontal scaling / automatically
add / eliminate the cost of having an IT staff)
With SERVERLESS COMPUTING, developers deploy code and pay for its run time only, without
worrying about the provisioning, configuration and management of the underlying infrastructure.
Which cloud computing term applies to each example? (Elasticity, Fault tolerance,…)
In the Infrastructure-as-a-Service (IaaS) cloud service model, the subscriber is responsible for
management of which two components? OPERATING SYSTEM, APPLICATIONS
Match each statement about cloud services with the term it best describes (fault tolerance,
scalability…)
Match each benefit of cloud computing with its description (elasticity, scalability)
DISASTER RECOVERY is the ability to restore cloud service in the wake of a catastrophic loss
For each of the following statements about capital expenditures (CapEx) and operational
expenditures (OpEx), select Yes if the statement is true. (costs are fixed / good idea when the
demand fluctuates or is unknown / pay-as-you-go)
Your company migrates virtual machines VMs from an on-premises datacenter to Azure. (pay-per-
use / absence of upfront costs)
Which Azure resource can be deployed as Infrastructure-as-a-Service (IaaS)? VIRTUAL MACHINE
Which Azure resource can be managed as SaaS? AZURE INTERNET-OF-THINGS IOT CENTRAL
You are asked about the differences between IaaS, PaaS and SaaS (rent hardware / underlying OS /
subscribe)
You are planning to Use Azure for your company’s cloud infrastructure. (Outlook, Azure SQL, VM)
You need to deploy a serverless solution that meets the following requirements (triggered, code
runs, PostgreSQL)
Which two infrastructures are valid hybrid cloud infrastructures? PRIVATE AND PUBLIC CLOUD / ON-
PREMISES INFRASTRUCTURE AND PUBLIC CLOUD
What is a unique advantage of a public cloud over a private cloud? COSTS ARE LOWER AND SPREAD
AMONG MULTIPLE TENANTS
You work for a cloud solution provider. One of your company’s clients considers moving its on-
premises (public cloud, hybrid cloud, private cloud)
Which setup represents a hybrid cloud model? AN AZURE WEBJOB THAT MAKES CALLS TO THE
AZURE REPRESENTATIONAL STATE TRANSFER (REST) APPLICATION PROGRAM INTERFACE (API)
What is the advantage of moving your company’s infrastructure to Azure by using a public cloud
deployment model? THE COMPANY IS ABLE TO SCALE UP AS NEEDED WITH NO CAPITAL
EXPENDITURE REQUIRED
Your organization hosts its e-commerce solution on a computing infrastructure that is provided by a
third-party service provider and shared with other organizations. You only pay for the compute
power, storage, and networking resources you use. What type of cloud computing is this an example
of? PUBLIC CLOUD
CLOUD COMPUTING is the delivery of computing services such as compute power, storage,
networking, software and analytics.
Match each statement with the correct cloud model (public, private, hybrid)
Your company wants to know which deployment model would work best for them. Public, private…
Match each type of cloud computing with its description
A company is deploying a critical business application / highly available access / separate fault and
update zones..
You need to identify features of resource groups.
Which setup would qualify as an availability zone? TWO SERVERS LOCATED IN THE SAME REGION
What is the purpose of a resource group? IT SERVES AS A CONTAINER FOR AZURE RESOURCES LIKE
VIRTUAL MACHINES AND WEB APPS.
You deploy two Azure virtual machines running windows server 2016…
You work for a small college, the college has more than 250 active students (pay-as-you-go /
enterprise..)
You need to determine the number of subscriptions that you have to create based on the
requirements for each scenario.
Your company is planning to move its infrastructure to the azure cloud. You need to explain the
subscription model
What is the maximum length of time you can use the credits from an Azure free subscription before
it expires? 30 DAYS
For each of the following statements about azure subscriptions… (active directory, azure resource
groups, subscription)
Your company is reorganizing after acquiring a new company, Azure Active Directory…
You deploy a business critical solution in azure. You need to ensure that your resources are
replicated and hosted at least 200 miles away within the same geographic area… REGION PAIRS
Management groups let you organize multiple SUBSCRIPTIONS AS A SINGLE MANAGEMENT ENTITY
TO FACILITATE EASIER MANAGEMENT
Your company is considering using Linux-based Azure container Instances (ACIs) to deploy a simple
application. The application runs as a stateful application. What type of storage should you use?
AZURE FILES
Which two options can you use to connect Azure Virtual Networks VNets to each other? VNET
PEERING + VPN GATEWAYS
For each of the following statements about Azure networking (expressroute / traffic between peered
/ VNet is created within the scope of a region)
You build a new operational analytics solution in Azure using PostgreSQL as a relational database.
The estimated monthly growth of your database is 20 Gb.
You are planning to move some of your company’s application functionalities to azure cloud. You
need to determine whether to use Azure Functions or Logic Apps
In which situation would an Azure Function app be the best solution? YOU WANT TO EXECUTE
JAVASCRIPT CODE THAT SENDS A MAINTENANCE EMAIL EVERY SUNDAY EVENING
Your company is planning to build a solution for an automobile manufacturing company. Allow
vehicles to send on-board diagnostic OBD sensory and vehicle telemetry data to the cloud for
analysis. IOT CENTRAL
You need to use an Azure Big Data solution that allows you to query and transform data to extract
insights. DATA LAKE ANALYTICS
Match each description with the appropriate Azure product (machine learning studio / functions /
HDInsight)
Which Azure service provides for serverless workflow orchestration to let you integrate apps, data,
systems, and services across enterprises or organizations? LOGIC APPS
You need to analyze large volumes of streaming data being collected from the Internet of Things
(IoT) devices. HDINSIGHT
AZURE SYNAPSE ANALYTICS is a service that brings together enterprise data warehousing and Big
Data analytics.
As a site reliability engineer, you need to deploy a solution that would allow your developers to
automatically build, test, release and deploy their code. Which two platforms can you use to meet
your goal? AZURE EXPRESSROUTE, AZURE EVENT HUB
You want to build an app that can guess the age of people in provided photos, advanced computer
vision algorithms AZURE COGNITIVE SERVICES
IoT Hub is A SERVICE THAT PROVIDES FOR BI-DIRECTIONAL CONNECTIONS BETWEEN YOUR
INTERNET OF THINGS DEVICES AND AN IOT APPLICATION.
Which statement accurately describes features of Machine Learning Studio?
Your company considers using Azure DevTest Labs to help with new development activities. You
need to identify the functionality provided through DevTest Labs.
Match each description with the appropriate Azure product.
You create Azure subscription, you need to determine when you should use specific azure
management tools.
You need to use Azure Cloud Shell to manage Linux virtual machines that are already deployed..
Which Azure management tool provides a graphic interface for deploying, managing and monitoring
Azure resources? AZURE PORTAL
Which feature of Azure Monitor allows you to visually analyze telemetry data? APPLICATION
INSIGHTS
Which Azure Monitor feature sends an email to an administrator when a virtual machine is about to
exceed its usage quota for the month? SERVICE HEALTH
You need to understand Azure monitoring options, which monitoring feature should you use for
each scenario?
Which Azure service can use autoscale to add or remove resources as appropriate to minimize costs
and ensure optimum performance levels? AZURE MONITOR
Which Azure component provides information about planned maintenance and advisories such as
deprecated offerings? AZURE SERVICE HEALTH
You are going to start collecting data about your Azure infrastructure with Azure Monitor. Which
type of data collection requires you to enable diagnostics? EVENT LOGS
You recently signed up for a free Azure Subscription. Which UI elements best match the
descriptions?
Compare using Azure PowerShell and Azure CLI for Azure management.
You deploy a new Linux virtual machine and then manually adjust its configuration in Azure to meet
the requirements… Reuse it as a template in the deployment of Test and Production VMs
Azure Monitor begins collecting data AS SOON AS YOU ADD A RESOURCE TO A NEW AZURE
SUBSCRIPTION?
You need a security solution that helps provision, manage and deploy Secure Sockets
Layer/Transport Layer Security certificates. What should you use? KEY VAULT
A company is reviewing security for virtual machines deployed on its hybrid cloud. You need to
identify security features provided through Azure Security Center.
Which Azure security solution provides general security recommendations and suggests
remediations to better secure your resources? SECURITY CENTER.
Which two organization-level insights can you derive from the Regulatory Compliance dashboard of
Azure Security Center? OVERALL COMPLIANCE SCORE / NUMBER OF PASSING AND FAILING
ASSESSMENTS
Azure Advisor Integrates with AZURE SECURITY CENTER to help to prevent, detect, and respond to
threats to Azure resources.
You are planning to create a cloud solution in Azure. Which resources should you deploy?
Your Azure tenant includes an Azure Virtual Network with several internet-facing web servers
DEFENSE IN DEPTH is a strategy to implement multiple layers of security to slow down an attack and
provide early alert telemetry to act upon.
Application Security Groups ASGs let you NOT THIS ONE: ORGANIZE SIMILAR SERVERS SO YOU CAN
ACCESS
You need to understand the difference between authentication and authorization in Azure.
You plan to create an Azure subscription and take advantage of its Azure Active Directory features.
You need to choose the least expensive license for each scenario.
Which two examples best describe multi-factor authentication MFA?
- YOU RECEIVE A TEXT MESSAGE WITH A CODE AFTER YOU ENTER YOUR USERNAME AND
PASSWORD ON A MOVIE STREAMING SITE.
- YOU INSERT YOUR DEBIT CARD INTO AN ATM AND THEN ENTER YOUR PERSONAL
IDENTIFICATION NUMBER PIN TO ACCESS YOUR ACCOUNT
A company is migrating several Web apps from an on-premises private cloud deployment to Azure.
You need to determine if Azure AD will meet your authentication requirements.
A company subscribes to Azure as a platform for developing and deploying Web apps.
A company has an Azure Active Directory Premium P1 subscription. The company has a hybrid
environment that uses both Azure AD and on-premises federated AD.
Which two options are examples of Conditional Access policies? BLOCK ACCESS BY LOCATION /
REQUIRE COMPLIANT DEVICES
With SINGLE SIGN-ON SSO, users can access all needed applications without being required to
authenticate a second time.
Which of the following allows you to assign permissions to users so that they can create resources in
Azure? ROLE-BASED ACCESS CONTROL
Which statement best describes what a resource lock does to a virtual machine? IT PREVENTS THE
VM FROM BEING DELETED ?
You need to give all users in a group the ability to create and manage all types of Azure resources in
a subscription. Rights granted to the users should be kept to a minimum. Which built-in role-based
access control RBAC role should you assign to the group? CONTRIBUTOR
Your company has a new policy to be able to limit access to resources at the resource group and
resource scopes in a detailed, granular way. Access will be granted to various groups and individual
users. ROLE-BASED ACCESS CONTROL
Your company wants to ensure that it meets its internal compliance goals and that azure resources
are compliant with company standards, ongoing evaluation for compliance and identification of non-
compliant resources AZURE POLICY
You are researching the governance methodologies in Azure. Role-based access security, policies,
initiatives..
Which statement describes a benefit that is unique to Azure Government? RESOURCES IN AZURE
GOVERNMENT ARE DEPLOYED TO DATACENTERS THAT ARE SEPARATE FROM NON-GOVERNMENT
RESOURCES.
Azure Blueprints
Azure Blueprints to support rapid deployment
Which regulation addresses data protection and privacy for all individuals in the EU? GENERAL DATA
PROTECTION REGULATION GDPR
Which United States regulation addresses protecting unclassified information created by the
government and stored in non-governmental systems? NATIONAL INSTITUTE OF STANDARDS AND
TECHNOLOGY
Which statement describes a feature for prospective customers that is unique to Azure China? ITS
DATACENTERS ARE COMPLETELY DISCONNECTED FROM OTHER AZURE DATACENTERS.
Microsoft Trust Center IS THE AZURE INFORMATION SITE THAT CONTAINS BROAD-RANGING
SECURITY INFORMATION.
You are given approval to move your company’s web application… Azure Pricing Calculator.
Your company plans to deploy to the azure cloud three virtual machines and a load balancer.
Your company is considering moving its on-premises infrastructure to azure. Most appropriate cost
savings estimation tool.
You are planning to use Azure for a cloud solution. Most appropriate tool for different scenarios.
You need to explain Azure pricing calculator. IT ALLOWS YOU TO ESTIMATE THE MONTHLY COSTS
ASSOCIATED WITH USING SPECIFIC AZURE RESOURCES.
You move some Windows Server virtual machines from your on-premises data-center to Azure.
Azure spot pricing
A zone is geographical grouping of Azure regions used to determine billing based on DATA
TRANSFERS.
You deploy a web app and a Cosmos DB instance to Azure. 99.99 percent
You consider moving your company’s infrastructure to the azure cloud, understand the difference
between public and private preview features.
A company has a single instance Azure virtual machine deployed in the north central us region. You
need to improve the service level agreement to guarantee 99.99% availability. INSTALL AN
ADDITIONAL INSTANCE IN A DIFFERENT AVAILABILITY ZONE IN THE SAME REGION.
Based on the Microsoft Azure Lifecycle Policy, how much advance warning does Microsoft give
before retiring a guest operating system? 12 MONTHS
Which statement best describes general availability? GA REFERS TO A FULLY TESTED AND
EVALUATED…
According to microsoft’s supplemental terms, what is the primary purpose for releasing an azure
feature in public preview? TO OBTAIN CUSTOMER FEEDBACK
Which statement accurately describes preview feature service support? PREVIEWS ARE SUBJECT TO
REDUCED OR DIFFERENT SERVICE TERMS THAN GENERALLY RELEASED FEATURES.
Your company is deploying an application that relies on multiple Azure services. You need to
determine the composite service level agreement for the application. On what is the composite
SLA based? THE PRODUCT OF THE SLAS OF EACH OF THE SERVICES USED IN THE APPLICATION.
Azure service level agreement describes commitments related to uptime and connectivity for azure
services NO CHANGE
Access to preview features CAN BE CONFIGURED AT THE ORGANIZATION OR USER LEVEL ?
Which service offers a distributed network of servers that can efficiently deliver web content to
users that focuses on minimizing latency? CONTENT DELIVERY NETWORK
Public Preview:
A company deploys an app in azure shown in the original design section
Your company has multiple web properties through which customers can reach you. You would like to
create a common set of code that each of them can use to create a lead in your customer database.
Which Azure App Service app would you use? AZURE API APP
Which service below is NOT considered a feature of Azure serverless computing? AZURE MACHINE
LEARNING
Azure policy is used to control per-user permissions in Azure and control the types of resources that
users can deploy. FALSE
What would you use if you want to avoid a resource in Azure from being modified or deleted?
RESOURCE LOCK
Your organization relies on azure services for hosting a critical application. You need 24x7 support
for your Azure services. Which of the following support plans is the most economical option that still
provides you with 24x7 support? STANDARD
At which stage of the azure service lifecycle should you consider an azure service in production?
GENERAL AVAILABILITY
Which of the following is not a method for protecting internet facing services from network attacks?
AZURE DISK ENCRYPTION