Full Cloud PDF

A Platform as a Service (PaaS) solution that hosts web apps in Azure provides full control of the
operating systems that host applications

NO

A Platform as a Service (PaaS) solution that hosts web apps in Azure provides the ability to scale the
platform automatically

YES

A Platform as a Service (PaaS) solution that hosts web apps in Azure provides professional development
services to continuously add features to custom applications

NO (PaaS supplies the managed runtime, not developers; building and extending the custom application
remains the customer's responsibility)

Azure provides flexibility between capital expenditure (CapEx) and operational expenditure (OpEx)

YES

If you create two Azure virtual machines that use the B2s size, each virtual machine will always
generate the same monthly costs

NO (compute is billed per running hour, and disk, bandwidth and regional pricing can differ between
the two machines)

When an Azure virtual machine is stopped, you continue to pay storage costs associated with the
virtual machine

YES (the managed disks stay allocated; note that a VM stopped only from inside the guest OS still
accrues compute charges, whereas a VM stopped from the portal or CLI is deallocated and compute
billing ends)

When you are implementing a Software as a Service SaaS solution, you are responsible for

CONFIGURING THE SAAS SOLUTION

You have an on-premises network that contains several servers.

You plan to migrate all the servers to Azure.
You need to recommend a solution to ensure that some of the servers are available if a
single Azure data center goes offline for an extended period.
What should you include in the recommendation?

 A. fault tolerance
 B. elasticity
 C. scalability
 D. low latency

An organization that hosts its infrastructure IN THE PUBLIC CLOUD no longer requires a data center.
What are two characteristics of the public cloud? Each correct answer presents a complete
solution.
NOTE: Each correct selection is worth one point.

 A. dedicated hardware
 B. unsecured connections
 C. limited storage
 D. metered pricing
 E. self-service management

When planning to migrate a public website to Azure, you must plan to

PAY MONTHLY USAGE COSTS

Your company plans to migrate all its data and resources to Azure.
The company's migration plan states that only Platform as a Service (PaaS) solutions must
be used in Azure.
You need to deploy an Azure environment that meets the company migration plan.
Solution: You create an Azure App Service and Azure SQL databases.
Does this meet the goal?

YES, Azure App Service and Azure SQL databases are examples of Azure PaaS solutions.
Therefore, this solution does meet the goal.

Your company plans to migrate all its data and resources to Azure.
The company's migration plan states that only Platform as a Service (PaaS) solutions must
be used in Azure.
You need to deploy an Azure environment that meets the company migration plan.
Solution: You create an Azure App Service and Azure virtual machines that have
Microsoft SQL Server installed.
Does this meet the goal?

NO, Azure App Service is a PaaS (Platform as a Service) service. However, Azure virtual
machines are an IaaS (Infrastructure as a Service) service. Therefore, this solution does not
meet the goal.

Your company plans to migrate all its data and resources to Azure.
The company's migration plan states that only Platform as a Service (PaaS) solutions must
be used in Azure.
You need to deploy an Azure environment that meets the company migration plan.
Solution: You create an Azure App Service and Azure Storage accounts.
Does this meet the goal?

NO, Azure App Service is a PaaS (Platform as a Service) service. However, Azure Storage
accounts are an IaaS (Infrastructure as a Service) service. Therefore, this solution does not
meet the goal.

Your company hosts an accounting application named App1 that is used by all the
customers of the company.
App1 has low usage during the first three weeks of each month and very high usage during
the last week of each month.
Which benefit of Azure Cloud Services supports cost management for this type of usage
pattern?

 A. high availability
 B. high latency
 C. elasticity
 D. load balancing

You plan to migrate a web application to Azure. The web application is accessed by external
users.
You need to recommend a cloud deployment solution to minimize the amount of
administrative effort used to manage the web application.
What should you include in the recommendation?

 A. Software as a Service (SaaS)
 B. Platform as a Service (PaaS)
 C. Infrastructure as a Service (IaaS)
 D. Database as a Service (DaaS)

Azure virtual machines INFRASTRUCTURE AS A SERVICE IAAS

Azure SQL databases PLATFORM AS A SERVICE PAAS

You have an on-premises network that contains 100 servers.

You need to recommend a solution that provides additional resources to your users. The
solution must minimize capital and operational expenditure costs.
What should you include in the recommendation?

 A. a complete migration to the public cloud
 B. an additional data center
 C. a private cloud
 D. a hybrid cloud

To achieve a hybrid cloud model, a company must always migrate from a private cloud model

NO

A company can extend the capacity of its internal network by using the public cloud

YES

In a public cloud model, only guest users at your company can access the resources in the cloud

NO

You plan to migrate several servers from an on-premises network to Azure.
What is an advantage of using a public cloud service for the servers over an on-premises
network?

 A. The public cloud is owned by the public, NOT a private corporation
 B. The public cloud is a crowd-sourcing solution that provides corporations with the
ability to enhance the cloud
 C. All public cloud resources can be freely accessed by every member of the public
 D. The public cloud is a shared entity whereby multiple corporations each use a
portion of the resources in the cloud

Azure Site Recovery provides DISASTER RECOVERY for virtual machines (it replicates VMs to a
secondary region so they can be failed over after an outage; it does not keep a VM running through a
failure, which is what fault tolerance means).

In which type of cloud model are all the hardware resources owned by a third-party and
shared between multiple tenants?

 A. private
 B. hybrid
 C. public

An Azure web app that queries an on-premises Microsoft SQL server is an example of a HYBRID cloud

You have 1,000 virtual machines hosted on the Hyper-V hosts in a data center.
You plan to migrate all the virtual machines to an Azure pay-as-you-go subscription.
You need to identify which expenditure model to use for the planned Azure solution.
Which expenditure model should you identify?

 A. operational
 B. elastic
 C. capital
 D. scalable

Match the Azure Cloud Services benefit to the correct description.

A cloud service that remains available after a failure occurs FAULT TOLERANCE

A cloud service that can be recovered after a failure occurs DISASTER RECOVERY

A cloud service that performs quickly when demand increases DYNAMIC SCALABILITY

A cloud service that can be accessed quickly from the internet LOW LATENCY

To implement a hybrid model, a company must have an internal network

NO

A company can extend the computing resources of its internal network by using a hybrid cloud

YES

A Platform as a Service (PaaS) solution provides full control of the operating systems that host
applications

NO

A Platform as a Service (PaaS) solution provides additional memory to apps by changing pricing tiers

YES (scaling up the App Service plan to a higher pricing tier gives the app more CPU and memory)

A Platform as a Service (PaaS) solution can automatically scale the number of instances

YES

Your company has an on-premises network that contains multiple servers.

The company plans to reduce the following administrative responsibilities of network
administrators:
✑ Backing up application data
✑ Replacing failed server hardware
✑ Managing physical server security
✑ Updating server operating systems
✑ Managing permissions to shared documents
The company plans to migrate several servers to Azure virtual machines.
You need to identify which administrative responsibilities will be eliminated after the planned
migration.
Which two responsibilities should you identify? Each correct answer presents a complete
solution.
NOTE: Each correct selection is worth one point.

 A. Replacing failed server hardware
 B. Backing up application data
 C. Managing physical server security
 D. Updating server operating systems
 E. Managing permissions to shared documents

Azure pay-as-you-go pricing is an example of CapEx

NO

Paying electricity for our datacenter is an example of OpEx

YES (an ongoing bill for a consumed service, with no up-front asset to depreciate)

Deploying your own datacenter is an example of CapEx

YES

You plan to provision Infrastructure as a Service (IaaS) resources in Azure.

Which resource is an example of IaaS?

 A. an Azure web app
 B. an Azure virtual machine
 C. an Azure logic app
 D. an Azure SQL database

To which cloud models can you deploy physical servers?

 A. private cloud and hybrid cloud only
 B. private cloud only
 C. private cloud, hybrid cloud and public cloud
 D. hybrid cloud only

No required capital expenditure

PUBLIC CLOUD

Provides complete control over security

PRIVATE CLOUD

Provides a choice to use on-premises or cloud-based resources

HYBRID CLOUD

A company can extend a private cloud by adding its own physical servers to the public cloud

NO

To build a hybrid cloud, you must deploy resources to the public cloud

YES

A private cloud must be disconnected from the internet

NO

You have 50 virtual machines hosted on-premises and 50 virtual machines hosted in Azure.
The on-premises virtual machines and the Azure virtual machines connect to each other.
Which type of cloud model is this?

 A. hybrid
 B. private
 C. public

A Platform as a Service (PaaS) solution that hosts web apps in Azure provides full control of the
operating systems that host applications

NO

A Platform as a Service (PaaS) solution that hosts web apps in Azure can be provided with additional
memory by changing the pricing tier

YES

A Platform as a Service (PaaS) solution that hosts web apps in Azure can be configured to automatically
scale the number of instances based on demand

YES

Your company plans to migrate all its data and resources to Azure.
The company's migration plan states that only Platform as a Service (PaaS) solutions must
be used in Azure.
You need to deploy an Azure environment that meets the company migration plan.
Solution: You create Azure virtual machines, Azure SQL databases, and Azure Storage
accounts.
Does this meet the goal?

 A. Yes
 B. No

Your company plans to deploy several custom applications to Azure. The applications will
provide invoicing services to the customers of the company. Each application will have
several prerequisite applications and services installed.
You need to recommend a cloud deployment solution for all the applications.
What should you recommend?

 A. Software as a Service (SaaS)
 B. Platform as a Service (PaaS)
 C. Infrastructure as a Service (IaaS)

Building a data center infrastructure is an example of operational expenditure OpEx costs

NO

Monthly salaries for technical personnel are an example of operational expenditure OpEx costs

YES

Leasing software is an example of operational expenditure OpEx costs

YES

Azure Cosmos DB is an example of a PLATFORM AS A SERVICE PAAS offering.

With software as a service SaaS you must apply software updates

NO

With infrastructure as a service IAAS you must install the software that you want to use.

YES

Azure Backup is an example of platform as a service PAAS

YES

You can create a resource group inside of an other resource group

NO

An Azure virtual machine can be in multiple resource groups

NO

A resource group can contain resources from multiple azure regions

YES

You can use Availability Zones in Azure to protect Azure virtual machines from a datacenter failure.

YES

You can use Availability Zones in Azure to protect Azure virtual machines from a region failure

NO

An Azure subscription can have multiple account administrators

NO

An Azure subscription can be managed by using a Microsoft account only.

NO (a subscription can also be managed by work or school accounts from the Microsoft Entra ID /
Azure AD tenant it trusts)

An Azure resource group can contain multiple Azure subscriptions

NO

An Azure region contains one or more data centers that are connected by using a low-
latency network.
Instructions: Review the underlined text. If it makes the statement correct, select "No
change is needed". If the statement is incorrect, select the answer choice that makes the
statement correct.

 A. No change is needed
 B. Is found in each country where Microsoft has a subsidiary office
 C. Can be found in every country in Europe and the Americas only
 D. Contains one or more data centers that are connected by using a high-latency
network

You plan to deploy 20 virtual machines to an Azure environment. To ensure that a virtual machine
named VM1 cannot connect to the other virtual machines, VM1 must

BE DEPLOYED TO A SEPARATE VIRTUAL NETWORK (virtual networks are isolated from one another unless
they are explicitly peered or joined through a gateway)

When you need to delegate permissions to several Azure virtual machines simultaneously, you must
deploy the Azure virtual machines

TO THE SAME RESOURCE GROUP

You plan to deploy several Azure virtual machines.

You need to ensure that the services running on the virtual machines are available if a single
data center fails.
Solution: You deploy the virtual machines to two or more availability zones.
Does this meet the goal?

 A. Yes
 B. No

One of the benefits of Azure SQL Data Warehouse is that high availability is built into the
platform.
Instructions: Review the underlined text. If it makes the statement correct, select "No
change is needed". If the statement is incorrect, select the answer choice that makes the
statement correct.

 A. No change is needed
 B. automatic scaling
 C. data compression
 D. versioning

You plan to deploy several Azure virtual machines.
You need to ensure that the services running on the virtual machines are available if a single
data center fails.
Solution: You deploy the virtual machines to two or more regions.
Does this meet the goal?

 A. Yes
 B. No

Azure resources can only access other resources in the same resource group

NO

If you delete a resource group all the resources in the resource group will be deleted

YES

A resource group can contain resources from multiple Azure regions

YES

You plan to store 20 TB of data in Azure. The data will be accessed infrequently and
visualized by using Microsoft Power BI.
You need to recommend a storage solution for the data.
Which two solutions should you recommend? Each correct answer presents a complete
solution.
NOTE: Each correct selection is worth one point.

 A. Azure Data Lake
 B. Azure Cosmos DB
 C. Azure SQL Data Warehouse
 D. Azure SQL Database
 E. Azure Database for PostgreSQL

You have an Azure environment that contains 10 web apps. To which URL should you
connect to manage all the Azure resources? To answer, select the appropriate options in the
answer area.

HTTPS://PORTAL.AZURE.COM

You need to identify the type of failure for which an Azure Availability Zone can be used to
protect access to Azure services.
What should you identify?

 A. a physical server failure
 B. an Azure region failure
 C. a storage failure
 D. an Azure data center failure

You plan to extend your company's network to Azure. The network contains a VPN
appliance that uses an IP address of 131.107.200.1.
You need to create an Azure resource that defines the VPN appliance in Azure.
Which Azure resource should you create? To answer, select the appropriate resource in the
answer area.

LOCAL NETWORK GATEWAYS

You typically pay only for the cloud services you use:

• Lower your operating costs

• Run your infrastructure more efficiently

• Scale as your business needs change.

Advantages of cloud computing

• Reliability: Depending on the service-level agreement that you choose, your cloud-based
applications can provide a continuous user experience with no apparent downtime even
when things go wrong.

• Scalability: Applications in the cloud can be scaled in two ways, while taking advantage of
autoscaling:

• Vertically: Computing capacity can be increased by adding RAM or CPUs to a
virtual machine.

• Horizontally: Computing capacity can be increased by adding instances of a
resource, such as adding more virtual machines to your configuration.

• Elasticity: Cloud-based applications can be configured to always have the resources they
need.

• Agility: Cloud-based resources can be deployed and configured quickly as your application
requirements change.

• Geo-distribution: Applications and data can be deployed to regional datacenters around the
globe, so your customers always have the best performance in their region.

• Disaster recovery: By taking advantage of cloud-based backup services, data replication, and
geo-distribution, you can deploy your applications with the confidence that comes from
knowing that your data is safe in the event that disaster should occur.

Cloud service models

• IaaS: A cloud provider keeps the hardware up to date, but operating system maintenance
and network configuration is left to the cloud tenant. Advantage: rapid deployment of new
compute devices, setting up a new virtual machine is considerably faster.
• PaaS: The cloud provider manages the virtual machines and networking resources, and the
cloud tenant deploys their applications into the managed hosting environment.

• SaaS: In this cloud service model, the cloud provider manages all aspects of the application
environment, such as virtual machines, networking resources, data storage, and
applications. The cloud tenant only needs to provide their data to the application managed
by the cloud provider. For example: Office 365.

Serverless computing

• It enables developers to build applications faster by eliminating the need for them to
manage infrastructure.

• The cloud service provider automatically provisions, scales, and manages the infrastructure
required to run the code.

• Serverless architectures are highly scalable and event-driven. They use resources only when
a specific function or trigger occurs.

• The serverless name comes from the fact that the tasks associated with infrastructure
provisioning and management are invisible to the developer.

Deployment models for cloud computing

Public cloud: Services are offered over the public internet and available to anyone who wants to
purchase them. Cloud resources like servers and storage are owned and operated by a third-party
cloud service provider and delivered over the internet.

Private cloud: Computing resources are used exclusively by users from one business or organization.
A private cloud can be physically located at your organization's on-site datacenter. It also can be
hosted by a third-party service provider.

Hybrid cloud: This computing environment combines a public cloud and a private cloud by allowing
data and applications to be shared between them
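The hybrid model described above, together with the earlier question that asks which Azure resource represents an on-premises VPN appliance at 131.107.200.1 (a local network gateway), can be expressed as one Resource Manager deployment. The template below is an added example, not part of these notes or of any Microsoft sample: it declares a hub virtual network with the mandatory GatewaySubnet, a zone-redundant VPN gateway with its public IP, the local network gateway that records the appliance address and the on-premises prefixes, and the IPsec connection that joins them. Resource names, the 10.0.0.0/16 and 192.168.0.0/16 address ranges, the VpnGw1AZ SKU and the API versions are assumptions; only the appliance IP comes from the page.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "location": { "type": "string", "defaultValue": "[resourceGroup().location]" },
    "onPremGatewayIp": { "type": "string", "defaultValue": "131.107.200.1",
      "metadata": { "description": "Public IP of the on-premises VPN appliance (value from the question above)" } },
    "onPremAddressPrefixes": { "type": "array", "defaultValue": [ "192.168.0.0/16" ],
      "metadata": { "description": "On-premises ranges reachable through the tunnel (assumed)" } },
    "sharedKey": { "type": "securestring",
      "metadata": { "description": "IPsec pre-shared key; securestring keeps it out of deployment history" } }
  },
  "variables": {
    "vnetName": "vnet-hub",
    "gatewaySubnetId": "[resourceId('Microsoft.Network/virtualNetworks/subnets', variables('vnetName'), 'GatewaySubnet')]"
  },
  "resources": [
    {
      "type": "Microsoft.Network/virtualNetworks",
      "apiVersion": "2023-04-01",
      "name": "[variables('vnetName')]",
      "location": "[parameters('location')]",
      "properties": {
        "addressSpace": { "addressPrefixes": [ "10.0.0.0/16" ] },
        "subnets": [
          { "name": "workload", "properties": { "addressPrefix": "10.0.1.0/24" } },
          { "name": "GatewaySubnet", "properties": { "addressPrefix": "10.0.255.0/27" } }
        ]
      }
    },
    {
      "type": "Microsoft.Network/publicIPAddresses",
      "apiVersion": "2023-04-01",
      "name": "pip-vgw-hub",
      "location": "[parameters('location')]",
      "sku": { "name": "Standard" },
      "properties": { "publicIPAllocationMethod": "Static" }
    },
    {
      "type": "Microsoft.Network/localNetworkGateways",
      "apiVersion": "2023-04-01",
      "name": "lng-onprem",
      "location": "[parameters('location')]",
      "properties": {
        "gatewayIpAddress": "[parameters('onPremGatewayIp')]",
        "localNetworkAddressSpace": { "addressPrefixes": "[parameters('onPremAddressPrefixes')]" }
      }
    },
    {
      "type": "Microsoft.Network/virtualNetworkGateways",
      "apiVersion": "2023-04-01",
      "name": "vgw-hub",
      "location": "[parameters('location')]",
      "dependsOn": [
        "[resourceId('Microsoft.Network/virtualNetworks', variables('vnetName'))]",
        "[resourceId('Microsoft.Network/publicIPAddresses', 'pip-vgw-hub')]"
      ],
      "properties": {
        "gatewayType": "Vpn",
        "vpnType": "RouteBased",
        "sku": { "name": "VpnGw1AZ", "tier": "VpnGw1AZ" },
        "ipConfigurations": [ {
          "name": "vgwConfig",
          "properties": {
            "privateIPAllocationMethod": "Dynamic",
            "subnet": { "id": "[variables('gatewaySubnetId')]" },
            "publicIPAddress": { "id": "[resourceId('Microsoft.Network/publicIPAddresses', 'pip-vgw-hub')]" }
          }
        } ]
      }
    },
    {
      "type": "Microsoft.Network/connections",
      "apiVersion": "2023-04-01",
      "name": "cn-hub-to-onprem",
      "location": "[parameters('location')]",
      "dependsOn": [
        "[resourceId('Microsoft.Network/virtualNetworkGateways', 'vgw-hub')]",
        "[resourceId('Microsoft.Network/localNetworkGateways', 'lng-onprem')]"
      ],
      "properties": {
        "connectionType": "IPsec",
        "connectionProtocol": "IKEv2",
        "virtualNetworkGateway1": { "id": "[resourceId('Microsoft.Network/virtualNetworkGateways', 'vgw-hub')]", "properties": {} },
        "localNetworkGateway2": { "id": "[resourceId('Microsoft.Network/localNetworkGateways', 'lng-onprem')]", "properties": {} },
        "sharedKey": "[parameters('sharedKey')]"
      }
    }
  ]
}
```

Deploy it into a resource group with `az deployment group create --resource-group <rg> --template-file hybrid-vpn.json --parameters sharedKey=<key>`. The pre-shared key is typed as securestring so it is not echoed back in the deployment history, and the local network address space should list only the on-premises prefixes that genuinely need to reach Azure, because every prefix declared here becomes a route into the tunnel.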

Azure

• Azure provides more than 100 services that enable you to do everything from running your
existing applications on virtual machines to exploring new software paradigms, such as
intelligent bots and mixed reality.

• Azure provides AI and machine-learning services that can naturally communicate with your
users through vision, hearing, and speech.

• It also provides storage solutions that dynamically grow to accommodate massive amounts
of data. Azure services enable solutions that aren't feasible without the power of the cloud.

Azure services

Compute services: Azure Virtual Machines, Azure Kubernetes Service, Azure Container Instances,
Azure Functions

Networking services: Azure Virtual Network, Azure Firewall, Azure VPN Gateway

Storage services: Azure Blob Storage, Azure File Storage, Azure Queue Storage, Azure Table Storage

Mobile back-end services

Database services: Azure Cosmos DB, Azure SQL Database

HTTP-based web services: Azure App Service, Azure Notification Hubs, Azure API Management

IoT: IoT Central, Azure IoT Hub, IoT Edge

Big Data: Azure Synapse Analytics, Azure HDInsight, Azure Databricks

AI: Azure Machine Learning service, Azure Machine Learning Studio

Cognitive services: Vision, Speech, Knowledge mapping

DevOps: Azure DevOps, Azure DevTest Labs

Consumption-based model

End users only pay for the resources that they use. Whatever they use is what they pay for.

Advantages:

• No upfront costs.

• No need to purchase and manage costly infrastructure that users might not use to its
fullest.

• The ability to pay for additional resources when they are needed.

• The ability to stop paying for resources that are no longer needed.

Costs

Capital Expenditure (CapEx) is the up-front spending of money on physical infrastructure, and then
deducting that up-front expense over time. The up-front cost from CapEx has a value that reduces
over time.

Operational Expenditure (OpEx) is spending money on services or products now, and being billed
for them now. You can deduct this expense in the same year you spend it. There is no up-front cost,
as you pay for a service or product as you use it.

IaaS

It aims to give you complete control over the hardware that runs your application. Instead of buying
hardware, with IaaS, you rent it.

Advantages:

• No CapEx.

• Applications can be made accessible quickly, and deprovisioned whenever needed.

• The shared responsibility model applies; the user manages and maintains the
services they have provisioned, and the cloud provider manages and maintains the
cloud infrastructure.
• Organizations pay only for what they use and operate under an Operational
Expenditure (OpEx) model.

• No deep technical skills are required to deploy, use, and gain the benefits of a public
cloud.

• IaaS is the most flexible cloud service because you have control to configure and
manage the hardware running your application.

PaaS

It provides an environment for building, testing, and deploying software applications without managing
the underlying infrastructure: the provider runs the servers, operating systems and runtime, and you
bring the application code and data.

Advantages:

• No CapEx.

• PaaS is more agile than IaaS, and users don't need to configure servers for running
applications.

• Users pay only for what they use, and operate under an OpEx model.

• No deep technical skills are required to deploy, use, and gain the benefits of PaaS.

• Users can focus on application development only, because the cloud provider
handles all platform management. Working with distributed teams as services is
easier because the platform is accessed over the internet. You can make the
platform available globally more easily.

Disadvantage: Platform limitations.

SaaS

SaaS is software that's centrally hosted and managed for you and your users or customers. Usually
one version of the application is used for all customers, and it's licensed through a monthly or annual
subscription.

SaaS provides the same benefits as IaaS, but again there are some additional benefits to be aware of
too.

Advantages:

• No CapEx.

• Users can provide staff with access to the latest software quickly and easily.

• Users pay for the software they use on a subscription model, typically monthly or
yearly, regardless of how much they use the software.

• No deep technical skills are required to deploy, use, and gain the benefits of SaaS.
• Users can access the same application data from anywhere.

Disadvantage: Software limitations.

Top-down hierarchy of organization

• Resources: Resources are instances of services that you create, like virtual machines,
storage, or SQL databases.

• Resource groups: Resources are combined into resource groups, which act as a logical
container into which Azure resources like web apps, databases, and storage accounts are
deployed and managed.

• Subscriptions: A subscription groups together user accounts and the resources that have
been created by those user accounts. For each subscription, there are limits or quotas on the
amount of resources that you can create and use. Organizations can use subscriptions to
manage costs and the resources that are created by users, teams, or projects.

• Management groups: These groups help you manage access, policy, and compliance for
multiple subscriptions. All subscriptions in a management group automatically inherit the
conditions applied to the management group.

Azure subscription

An account can have one subscription or multiple subscriptions that have different billing models
and to which you apply different access-management policies.

There are two types of subscription boundaries that you can use:

• Billing boundary: This subscription type determines how an Azure account is billed
for using Azure. You can create multiple subscriptions for different types of billing
requirements. Azure generates separate billing reports and invoices for each
subscription so that you can organize and manage costs.

• Access control boundary: Azure applies access-management policies at the
subscription level, and you can create separate subscriptions to reflect different
organizational structures. An example is that within a business, you have different
departments to which you apply distinct Azure subscription policies. This billing
model allows you to manage and control access to the resources that users
provision with specific subscriptions.

Create additional Azure subscriptions

• Environments: When managing your resources, you can choose to create subscriptions to
set up separate environments for development and testing, security, or to isolate data for
compliance reasons. This design is particularly useful because resource access control occurs
at the subscription level.

• Organizational structures: You can create subscriptions to reflect different organizational
structures. For example, you could limit a team to lower-cost resources, while allowing the
IT department a full range. This design allows you to manage and control access to the
resources that users provision within each subscription.

• Billing: You might want to also create additional subscriptions for billing purposes. Because
costs are first aggregated at the subscription level, you might want to create subscriptions to
manage and track costs based on your needs. For instance, you might want to create one
subscription for your production workloads and another subscription for your development
and testing workloads.

• Subscription limits: Subscriptions are bound to some hard limitations. For example, the
maximum number of Azure ExpressRoute circuits per subscription is 10.

Important facts about management groups

• 10,000 management groups can be supported in a single directory.

• A management group tree can support up to six levels of depth. This limit doesn't include
the root level or the subscription level.

• Each management group and subscription can support only one parent.

• Each management group can have many children.

• All subscriptions and management groups are within a single hierarchy in each directory.

Azure resource groups

• A resource group is a logical container for resources deployed on Azure. These resources are
anything you create in an Azure subscription like VMs, Azure Application Gateway instances,
and Azure Cosmos DB instances.

• All resources must be in a resource group, and a resource can only be a member of a single
resource group.

• Many resources can be moved between resource groups with some services having specific
limitations or requirements to move.

• Resource groups can't be nested. Before any resource can be provisioned, you need a
resource group for it to be placed in.

Logical grouping

• Resource groups exist to help manage and organize your Azure resources. By placing
resources of similar usage, type, or location in a resource group, you can provide order and
organization to resources you create in Azure. Logical grouping is the aspect that you're
most interested in here, because there's a lot of disorder among our resources.

The benefits of using Resource Manager

• Manage your infrastructure through declarative templates rather than scripts. A Resource
Manager template is a JSON file that defines what you want to deploy to Azure.

• Deploy, manage, and monitor all the resources for your solution as a group, rather than
handling these resources individually.

• Redeploy your solution throughout the development life cycle and have confidence your
resources are deployed in a consistent state.

• Define the dependencies between resources so they're deployed in the correct order.

• Apply access control to all services because RBAC is natively integrated into the
management platform.

• Apply tags to resources to logically organize all the resources in your subscription.

• Clarify your organization's billing by viewing costs for a group of resources that share the
same tag.

Azure regions

• Resources are created in regions

• different geographical locations around the globe that contain Azure datacenters.

• These specific datacenters aren't exposed to users directly. Instead, Azure organizes them
into regions.

Region: is a geographical area on the planet that contains at least one but potentially multiple
datacenters that are nearby and networked together with a low-latency network.

• Some services or VM features are only available in certain regions, such as specific VM sizes
or storage types.

• There are also some global Azure services that don't require you to select a particular region,
such as Azure Active Directory, Azure Traffic Manager, and Azure DNS.

Special Azure regions

Azure has specialized regions that you might want to use when you build out your applications for
compliance or legal purposes.

• US DoD Central, US Gov Virginia, US Gov Iowa and more: These regions are physical and
logical network-isolated instances of Azure for U.S. government agencies and partners.
These datacenters are operated by screened U.S. personnel and include additional
compliance certifications.
• China East, China North, and more: These regions are available through a unique
partnership between Microsoft and 21Vianet, whereby Microsoft doesn't directly maintain
the datacenters.

Azure availability zones

• You want to ensure your services and data are redundant so you can protect your
information in case of failure -> create duplicate hardware environments.

• Azure can help make your app highly available through availability zones.

Availability zones are physically separate datacenters within an Azure region. Each availability zone
is made up of one or more datacenters equipped with independent power, cooling, and networking.

• An availability zone is set up to be an isolation boundary. If one zone goes down, the
other continues working. Availability zones are connected through high-speed,
private fiber-optic networks.

• Availability zones are primarily for VMs, managed disks, load balancers, and SQL databases.

Azure services that support availability zones fall into two categories:

• Zonal services: You pin the resource to a specific zone (for example, VMs, managed disks, IP
addresses).

• Zone-redundant services: The platform replicates automatically across zones (for example,
zone-redundant storage, SQL Database).
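As an added example (not code from these notes or from Microsoft), the Resource Manager template below ties together three points made on this page: a template is a declarative JSON file with explicit dependencies and tags, a virtual machine pinned to an availability zone is a zonal resource, and a VM placed in its own virtual network with no peering cannot reach VMs in other virtual networks (the VM1 question earlier on the page). The resource names, the 10.10.0.0/16 address space, the Ubuntu image, the Standard_B2s size, the tag values and the API versions are assumptions.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "location": { "type": "string", "defaultValue": "[resourceGroup().location]" },
    "adminUsername": { "type": "string", "defaultValue": "azureadmin" },
    "sshPublicKey": { "type": "string",
      "metadata": { "description": "OpenSSH public key for the admin user (assumed; password login is disabled)" } },
    "zone": { "type": "string", "defaultValue": "1", "allowedValues": [ "1", "2", "3" ],
      "metadata": { "description": "Availability zone to pin VM1 to (zonal resource)" } }
  },
  "variables": {
    "vnetName": "vnet-isolated",
    "subnetId": "[resourceId('Microsoft.Network/virtualNetworks/subnets', variables('vnetName'), 'default')]",
    "tags": { "costCenter": "invoicing", "environment": "prod" }
  },
  "resources": [
    {
      "type": "Microsoft.Network/virtualNetworks",
      "apiVersion": "2023-04-01",
      "name": "[variables('vnetName')]",
      "location": "[parameters('location')]",
      "tags": "[variables('tags')]",
      "properties": {
        "addressSpace": { "addressPrefixes": [ "10.10.0.0/16" ] },
        "subnets": [ { "name": "default", "properties": { "addressPrefix": "10.10.1.0/24" } } ]
      }
    },
    {
      "type": "Microsoft.Network/networkInterfaces",
      "apiVersion": "2023-04-01",
      "name": "nic-vm1",
      "location": "[parameters('location')]",
      "tags": "[variables('tags')]",
      "dependsOn": [ "[resourceId('Microsoft.Network/virtualNetworks', variables('vnetName'))]" ],
      "properties": {
        "ipConfigurations": [ {
          "name": "ipconfig1",
          "properties": {
            "privateIPAllocationMethod": "Dynamic",
            "subnet": { "id": "[variables('subnetId')]" }
          }
        } ]
      }
    },
    {
      "type": "Microsoft.Compute/virtualMachines",
      "apiVersion": "2023-03-01",
      "name": "VM1",
      "location": "[parameters('location')]",
      "zones": [ "[parameters('zone')]" ],
      "tags": "[variables('tags')]",
      "dependsOn": [ "[resourceId('Microsoft.Network/networkInterfaces', 'nic-vm1')]" ],
      "properties": {
        "hardwareProfile": { "vmSize": "Standard_B2s" },
        "osProfile": {
          "computerName": "VM1",
          "adminUsername": "[parameters('adminUsername')]",
          "linuxConfiguration": {
            "disablePasswordAuthentication": true,
            "ssh": { "publicKeys": [ {
              "path": "[concat('/home/', parameters('adminUsername'), '/.ssh/authorized_keys')]",
              "keyData": "[parameters('sshPublicKey')]"
            } ] }
          }
        },
        "storageProfile": {
          "imageReference": { "publisher": "Canonical", "offer": "0001-com-ubuntu-server-jammy",
            "sku": "22_04-lts-gen2", "version": "latest" },
          "osDisk": { "createOption": "FromImage", "managedDisk": { "storageAccountType": "Premium_LRS" } }
        },
        "networkProfile": {
          "networkInterfaces": [ { "id": "[resourceId('Microsoft.Network/networkInterfaces', 'nic-vm1')]" } ]
        }
      }
    }
  ]
}
```

The NIC carries no public IP and the OS profile disables password authentication in favour of an SSH public key, so the only path onto VM1 is from inside vnet-isolated; if the other virtual machines later need to reach it, that becomes an explicit peering or gateway decision rather than a default. The zone is a parameter so the same template can place a second copy in another zone, which is how a zonal service is made resilient to a single-datacenter failure.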

Azure region pairs

• Availability zones are created by using one or more datacenters. There's a minimum of three
zones within a single region. It's possible that a large disaster could cause an outage big
enough to affect even two datacenters. That's why Azure also creates region pairs.

Each Azure region is always paired with another region within the same geography (such as US,
Europe, or Asia) at least 300 miles away. This approach allows for the replication of resources (such
as VM storage) across a geography that helps reduce the likelihood of interruptions because of
events such as natural disasters, civil unrest, power outages, or physical network outages that affect
both regions at once.

The pair of regions is directly connected and far enough apart to be isolated from regional disasters.

Additional advantages of region pairs:

• If an extensive Azure outage occurs, one region out of every pair is prioritized to make sure
at least one is restored as quickly as possible for applications hosted in that region pair.

• Planned Azure updates are rolled out to paired regions one region at a time to minimize
downtime and risk of application outage.

• Data continues to reside within the same geography as its pair (except for Brazil South) for
tax- and law-enforcement jurisdiction purposes.

Azure terminology and concepts

App Service: is an HTTP-based service that enables you to build and host many types of web-based
solutions without managing infrastructure.

Azure Marketplace: is an online store that hosts applications that are certified and optimized to run
in Azure. Many types of applications are available, ranging from AI and machine learning to web
applications.

Azure Cosmos DB

• At the lowest level, Azure Cosmos DB stores data in atom-record-sequence (ARS) format.

• The data is then abstracted and projected as an API, which you specify when you're creating
your database.

• This level of flexibility means that as you migrate your company's databases to Azure
Cosmos DB, your developers can stick with the API that they're the most comfortable with.

Azure SQL Database: is a relational database based on the latest stable version of the Microsoft SQL
Server database engine. SQL Database is a high-performance, reliable, fully managed, and secure
database -> data-driven applications and websites in the programming language of your choice,
without needing to manage infrastructure.

Features:

• It handles most of the database management functions, such as upgrading, patching,
backups, and monitoring, without user involvement.

• SQL Database provides 99.99 percent availability.

• Fully managed service->built-in high availability, backups, and other common maintenance
operations.

• It enables you to process both relational data and non-relational structures, such as graphs,
JSON, spatial, and XML.

• Advanced query processing features->high-performance, in-memory technologies and
intelligent query processing.

Migration:

• You can migrate your existing SQL Server databases with minimal downtime by using the
Azure Database Migration Service.

• The Microsoft Data Migration Assistant can generate assessment reports that provide
recommendations to help guide you through required changes prior to performing a
migration.

• The Azure Database Migration Service performs all of the required steps. You just change
the connection string in your apps.

Azure SQL Managed Instance

Azure SQL Managed Instance: is a scalable cloud data service that provides the broadest SQL Server
database engine compatibility with all the benefits of a fully managed platform as a service.

Features:

• It is a platform as a service (PaaS) database engine, which means that your company
will be able to take advantage of the best features of moving your data to the cloud
in a fully-managed environment.

• No longer need to purchase and manage expensive hardware->won't have to
maintain the additional overhead of managing your on-premises infrastructure.

• Quick provisioning and service scaling features of Azure, together with automated
patching and version upgrades.

• Built-in high availability features and a 99.99% uptime service level agreement.

• Automated backups and a configurable backup retention period.

• Azure SQL Database and Azure SQL Managed Instance offer many of the same features, but
Azure SQL Managed Instance provides several options that might not be available in Azure
SQL Database.

• Azure SQL Database only uses the default server collation SQL_Latin1_General_CP1_CI_AS
(a Cyrillic server collation is not an option).

Migration:

• Easy migration: on-premises data on SQL Server to the cloud using the Azure Database
Migration Service (DMS) or native backup and restore.

• Assessment: you need to assess which on-premises SQL Server instances you can migrate to
Azure SQL Managed Instance to see if you have any blocking issues.

• Then cutover from your on-premises SQL Server to your Azure SQL Managed Instance by
changing the connection string in your applications.

Azure Database for MySQL

• It is a relational database service in the cloud, and it's based on the MySQL Community
Edition database engine, versions 5.6, 5.7, and 8.0.

• 99.99 percent availability service level agreement.

• You can use point-in-time restore to recover a server to an earlier state, as far back as 35
days.

Advantages:

• Built-in high availability with no additional cost.

• Predictable performance and inclusive, pay-as-you-go pricing.

• Scale as needed, within seconds.

• Ability to protect sensitive data at-rest and in-motion.

• Automatic backups.

• Enterprise-grade security and compliance.

You can migrate your existing MySQL databases with minimal downtime by using the Azure
Database Migration Service.

Azure Database for PostgreSQL

• It is a relational database service in the cloud. The server software is based on the
community version of the open-source PostgreSQL database engine.

Advantages:

• Built-in high availability compared to on-premises resources. There's no additional
configuration, replication, or cost required to make sure your applications are always
available.

• Simple and flexible pricing. You have predictable performance based on a selected pricing
tier choice that includes software patching, automatic backups, monitoring, and security.

• Scale up or down as needed, within seconds. You can scale compute or storage
independently as needed, to make sure you adapt your service to match usage.

• Adjustable automatic backups and point-in-time-restore for up to 35 days.

• Enterprise-grade security and compliance to protect sensitive data at-rest and in-motion.
This security covers data encryption on disk and SSL encryption between client and server
communication.

Single Server

• Built-in high availability with no additional cost (99.99 percent SLA).

• Predictable performance and inclusive, pay-as-you-go pricing.

• Vertical scale as needed, within seconds.

• Monitoring and alerting to assess your server.

• Enterprise-grade security and compliance.

• Ability to protect sensitive data at-rest and in-motion.

• Automatic backups and point-in-time-restore for up to 35 days.

Explore big data and analytics

• Azure Synapse Analytics, Azure HDInsight, Azure Databricks and Azure Data Lake Analytics.

Azure Synapse Analytics: is a limitless analytics service that brings together enterprise data
warehousing and big data analytics. You can query data on your terms by using either serverless or
provisioned resources at scale.

Azure HDInsight: is a fully managed, open-source analytics service for enterprises. It's a cloud service
that makes it easier, faster, and more cost-effective to process massive amounts of data. You can
run popular open-source frameworks and create cluster types such as Apache Spark, Apache
Hadoop, Apache Kafka, Apache HBase, Apache Storm, and Machine Learning Services.

Azure Databricks: helps you unlock insights from all your data and build artificial intelligence
solutions. You can set up your Apache Spark environment in minutes, and then autoscale and
collaborate on shared projects in an interactive workspace. Azure Databricks supports Python, Scala,
R, Java, and SQL.

Azure Data Lake Analytics: is an on-demand analytics job service that simplifies big data. Instead of
deploying, configuring, and tuning hardware, you write queries to transform your data and extract
valuable insights. The analytics service can handle jobs of any scale instantly by setting the dial for
how much power you need.

Azure compute

• Azure compute is an on-demand computing service for running cloud-based applications. It
provides computing resources such as disks, processors, memory, networking, and operating
systems.

• The service supports Linux, Windows Server, SQL Server, Oracle, IBM, and SAP.

Some of the most prominent services are:

• Azure Virtual Machines

• Azure Container Instances

• Azure App Service

• Azure Functions (or serverless computing)

Containers and Kubernetes

Container Instances and Azure Kubernetes Service are Azure compute resources that you can use to
deploy and manage containers. Containers are lightweight, virtualized application environments.
They're designed to be quickly created, scaled out, and stopped dynamically. You can run multiple
instances of a containerized application on a single host machine.

App Service

With Azure App Service, you can quickly build, deploy, and scale enterprise-grade web, mobile, and
API apps running on any platform. You can meet rigorous performance, scalability, security, and
compliance requirements while using a fully managed platform to perform infrastructure
maintenance. App Service is a platform as a service (PaaS) offering.

Functions

Functions are ideal when you're concerned only about the code running your service and not the
underlying platform or infrastructure. They're commonly used when you need to perform work in
response to an event (often via a REST request), timer, or message from another Azure service, and
when that work can be completed quickly, within seconds or less.

Azure Virtual Machines

VMs are an ideal choice when you need:

• Total control over the operating system (OS).

• The ability to run custom software.

• To use custom hosting configurations.

Examples of when to use VMs:

• During testing and development.

• When running applications in the cloud.

• When extending your datacenter to the cloud.

• During disaster recovery.

• When you move from a physical server to the cloud.

You can run single VMs for testing, development, or minor tasks.

No matter what your uptime requirements are, Azure has several features that can meet them:

• Virtual machine scale sets

• Azure Batch

Virtual machine scale sets

Virtual machine scale sets let you create and manage a group of identical, load-balanced VMs.

Scale sets allow you to centrally manage, configure, and update a large number of VMs in minutes to
provide highly available applications. The number of VM instances can automatically increase or
decrease in response to demand or a defined schedule. With virtual machine scale sets, you can
build large-scale services for areas such as compute, big data, and container workloads.

Azure Batch

• Azure Batch enables large-scale parallel and high-performance computing (HPC) batch jobs
with the ability to scale to tens, hundreds, or thousands of VMs.

When you're ready to run a job, Batch does the following:

• Starts a pool of compute VMs for you.

• Installs applications and staging data.

• Runs jobs with as many tasks as you have.

• Identifies failures.

• Requeues work.

• Scales down the pool as work completes.

Container

• Containers are a virtualization environment.

• You can run multiple containers on a single physical or virtual host. Unlike virtual machines,
you don't manage the operating system for a container.

• With containers, you can quickly restart in case of a crash or hardware interruption.

• Containers are managed through a container orchestrator, which can start, stop, and scale
out application instances as needed. There are two ways to manage both Docker and
Microsoft-based containers in Azure: Azure Container Instances and Azure Kubernetes
Service (AKS).

• Azure Container Instances offers the fastest and simplest way to run a container in Azure
without having to manage any virtual machines or adopt any additional services. It's a
platform as a service (PaaS) offering that allows you to upload your containers, which it runs
for you.

Azure App Service

• App Service enables you to build and host web apps, background jobs, mobile back-ends,
and RESTful APIs in the programming language of your choice without managing
infrastructure.

• It offers automatic scaling and high availability.

• App Service supports Windows and Linux and enables automated deployments from GitHub,
Azure DevOps, or any Git repo to support a continuous deployment model.

• The App Service plan determines how much hardware is devoted to your host. For example,
the plan determines whether it's dedicated or shared hardware and how much memory is
reserved for it. There's even a free tier you can use to host small, low-traffic sites.

Types of app services

• Web apps (ASP.NET, ASP.NET Core, Java, Ruby, Node.js, PHP, and Python).

• API apps (you can build REST-based web APIs by using your choice of language and
framework).

• WebJobs (feature to run a program or script in the same context as a web app, API app, or
mobile app).

• Mobile apps (to quickly build a back end for iOS and Android apps).

App Service handles most of the infrastructure decisions you deal with in hosting web-accessible
apps:

• Deployment and management are integrated into the platform.

• Endpoints can be secured.

• Sites can be scaled quickly to handle high traffic loads.

• The built-in load balancing and traffic manager provide high availability.

Serverless computing

Problem: for a large amount of time, your application is waiting for a particular input before it
performs any processing. To reduce your costs, you want to avoid having to pay for the time that
your application is waiting for input.

Serverless computing is the abstraction of servers, infrastructure, and operating systems.

• Abstraction of servers: Serverless computing abstracts the servers you run on. You never
explicitly reserve server instances. The platform manages that for you. Each function
execution can run on a different compute instance. This execution context is transparent to
the code. With serverless architecture, you deploy your code, which then runs with high
availability.

• Event-driven scale: Serverless computing is an excellent fit for workloads that respond to
incoming events. Events include triggers by:

• Timers, for example, if a function needs to run every day at 10:00 AM UTC.

• HTTP, for example, API and webhook scenarios.

• Queues, for example, with order processing.

• And much more.

• Micro-billing: With serverless computing, you pay only for the time your code runs. If no
active function executions occur, you're not charged. For example, if the code runs once a
day for two minutes, you're charged for one execution and two minutes of computing time.

• Azure Functions: Functions can execute code in almost any modern language.

• Azure Logic Apps: Logic apps are designed in a web-based designer and can execute logic
triggered by Azure services without writing any code.

Azure Functions

• Only about the code running your service, and not the underlying platform or infrastructure.

• Functions are commonly used when you need to perform work in response to an event
timer, or message from another Azure service.

• Functions scale automatically based on demand.

• With functions, Azure runs your code when it's triggered and automatically deallocates
resources when the function is finished.

• Functions can be either stateless (they behave as if they're restarted every time they
respond to an event) or stateful (a context is passed through the function to track prior
activity).

Azure Logic Apps

• Logic apps are similar to functions. Both enable you to trigger logic based on an event.

• Where functions execute code, logic apps execute workflows that are designed to automate
business scenarios and are built from predefined logic blocks.

• Every Azure logic app workflow starts with a trigger, which fires when a specific event
happens or when newly available data meets specific criteria.

• Each time the trigger fires, the Logic Apps engine creates a logic app instance that runs the
actions in the workflow. The workflows are persisted as a JSON file with a known workflow
schema.

• You can also build custom connectors and workflow steps if the service you need to interact
with isn't covered.

Differences between Functions and Logic Apps

Windows Virtual Desktop

• It is a desktop and application virtualization service that runs on the cloud.

• It enables your users to use a cloud-hosted version of Windows from any location.

• It works with apps that you can use to access remote desktops and apps.

• Windows Virtual Desktop works across devices like Windows, Mac, iOS, Android, and Linux.

Virtual Desktop client: This client could either be a native application on the device or the Windows
Virtual Desktop HTML5 web client.

• User sign-in to Windows Virtual Desktop is fast because user profiles are containerized by
using FSLogix.

• You can provide individual ownership through personal (persistent) desktops.

• You can enable multifactor authentication to secure user sign-ins. You can also secure access
to data by assigning granular role-based access controls (RBACs) to users.

• User sessions are isolated in both single and multi-session environments.

• Reverse connect technology: We don't open inbound ports to the session host VMs.

Features of Windows Virtual Desktop

• Simplified management: This standardization lets admins identify issues through a single
interface.

• Performance management: options to load balance users on your VM host pools; breadth
mode: users are sequentially allocated across the host pool for your workload; depth mode
load balancing: users are fully allocated on one VM before moving to the next.

• Multi-session Windows 10 deployment

• Windows Virtual Desktop is available to you at no additional cost if you have an eligible
Microsoft 365 license. Just pay for the Azure resources used by Windows Virtual Desktop.

• Buy one-year or three-year Azure Reserved Virtual Machine Instances to save you up to 72
percent versus pay-as-you-go pricing.

Azure storage

• It is a service that you can use to store files, messages, tables, and other types of
information.

• Clients such as websites, mobile apps, desktop applications, and many other types of custom
solutions can read data from and write data to Azure Storage.

• Azure Storage is also used by infrastructure as a service virtual machines, and platform as a
service cloud services.

Disk storage fundamentals

• Disk Storage provides disks for Azure virtual machines -> similar to how they would in on-
premises scenarios.

• Disk Storage allows data to be persistently stored and accessed from an attached virtual
hard disk.

• Disks come in many different sizes and performance levels, from solid-state drives (SSDs) to
traditional spinning hard disk drives (HDDs), with varying performance tiers.

Azure Blob Storage

• Object storage solution for the cloud, it can store massive amounts of data, such as text or
binary data.

• Unstructured->no restrictions on the kinds of data it can hold.

• It can manage thousands of simultaneous uploads, massive amounts of video data,
constantly growing log files, and can be reached from anywhere with an internet
connection.

• A blob could contain gigabytes of binary data streamed from a scientific instrument, an
encrypted message for another application, or data in a custom format for an app you're
developing.

• It does not require developers to think about or manage disks; data is uploaded as blobs,
and Azure takes care of the physical storage needs.

Ideal for:

• Serving images or documents directly to a browser.

• Storing files for distributed access.

• Streaming video and audio.

• Storing data for backup and restore, disaster recovery, and archiving.

• Storing data for analysis by an on-premises or Azure-hosted service.

• Storing up to 8 TB of data for virtual machines.

Azure Files fundamentals

• Offers fully managed file shares in the cloud that are accessible via the industry standard
Server Message Block and Network File System (preview) protocols.

• Azure file shares can be mounted concurrently by cloud or on-premises deployments of
Windows, Linux, and macOS.

• Applications running in Azure virtual machines or cloud services can mount a file storage
share to access file data.

• Any number of Azure virtual machines or roles can mount and access the file storage share
simultaneously.

• Usage: share files anywhere in the world, diagnostic data, or application data sharing.

Use Azure Files for the following situations:

• Many on-premises applications use file shares. Azure Files makes it easier to migrate
those applications that share data to Azure. If you mount the Azure file share to the
same drive letter that the on-premises application uses, the part of your application
that accesses the file share should work with minimal, if any, changes.

• Store configuration files on a file share and access them from multiple VMs. Tools
and utilities used by multiple developers in a group can be stored on a file share,
ensuring that everybody can find them, and that they use the same version.

• Write data to a file share, and process or analyze the data later. For example, you
might want to do this with diagnostic logs, metrics, and crash dumps.

Blob access tiers

• It's helpful to organize your data based on attributes like frequency of access and planned
retention period.

• Azure provides several access tiers, which you can use to balance your storage costs with
your access needs.

The available access tiers include:

• Hot access tier: Optimized for storing data that is accessed frequently (for example,
images for your website).

• Cool access tier: Optimized for data that is infrequently accessed and stored for at
least 30 days (for example, invoices for your customers).

• Archive access tier: Appropriate for data that is rarely accessed and stored for at
least 180 days, with flexible latency requirements (for example, long-term backups).

• Only the hot and cool access tiers can be set at the account level. The archive access tier isn't
available at the account level.

• Hot, cool, and archive tiers can be set at the blob level, during upload or after upload.

• Data in the cool access tier can tolerate slightly lower availability, but still requires high
durability, retrieval latency, and throughput characteristics similar to hot data. For cool data,
a slightly lower availability service-level agreement (SLA) and higher access costs compared
to hot data are acceptable trade-offs for lower storage costs.

• Archive storage stores data offline and offers the lowest storage costs, but also the highest
costs to rehydrate and access data.
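The tier rules listed above (minimum intended retention per tier, archive not being available as an account default, and archived data being offline until rehydrated) are easy to get wrong in automation. The following is an added example that is not part of the original notes: it encodes those rules as a small Python model so a tiering script can be checked before it touches real storage. The access-frequency thresholds in recommend_tier, the Blob class, and the sample blob names are assumptions chosen for illustration, not Azure pricing rules or SDK types.

```python
from dataclasses import dataclass

# Constructed model of the tier rules in the notes (assumption: simplified for illustration).
MIN_RETENTION_DAYS = {"Hot": 0, "Cool": 30, "Archive": 180}
ACCOUNT_LEVEL_TIERS = {"Hot", "Cool"}   # Archive cannot be the account default tier
ONLINE_TIERS = {"Hot", "Cool"}          # Archive stores data offline


def recommend_tier(accesses_per_month: float, retention_days: int) -> str:
    """Pick the cheapest tier whose minimum retention fits the planned retention.

    Assumed thresholds (not from Azure): at least one read per month -> Hot,
    occasional reads -> Cool, practically never read (long-term backups) -> Archive.
    Data kept for less than a tier's minimum stays in the warmer tier.
    """
    if accesses_per_month >= 1 or retention_days < MIN_RETENTION_DAYS["Cool"]:
        return "Hot"
    if accesses_per_month > 0 or retention_days < MIN_RETENTION_DAYS["Archive"]:
        return "Cool"
    return "Archive"


def validate_account_default(tier: str) -> str:
    """Only Hot and Cool may be set at the account level; Archive is blob-level only."""
    if tier not in ACCOUNT_LEVEL_TIERS:
        raise ValueError(f"{tier} cannot be set at the account level")
    return tier


@dataclass
class Blob:
    """Minimal blob whose tier can be set at upload time or changed afterwards."""
    name: str
    tier: str = "Hot"

    def set_tier(self, tier: str) -> None:
        if tier not in MIN_RETENTION_DAYS:
            raise ValueError(f"unknown tier {tier}")
        self.tier = tier

    def rehydrate(self, target: str = "Cool") -> None:
        """Bring an archived blob back to an online tier before it can be read."""
        if target not in ONLINE_TIERS:
            raise ValueError("rehydration target must be an online tier")
        self.tier = target

    def read(self) -> str:
        if self.tier not in ONLINE_TIERS:
            raise RuntimeError(f"{self.name} is archived; rehydrate before reading")
        return f"contents of {self.name}"


if __name__ == "__main__":
    backup = Blob("monthly-backup.tar")          # constructed sample blob
    backup.set_tier(recommend_tier(0, 3650))     # never read, kept ten years -> Archive
    print(backup.tier)
    backup.rehydrate()                           # required before a restore can read it
    print(backup.read())
```

The point of the Blob class is the read path: a restore procedure that forgets the rehydration step fails at the worst possible moment, so the model raises rather than silently returning nothing.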

Azure Virtual Network fundamentals

Azure virtual networks enable Azure resources, such as VMs, web apps, and databases, to
communicate with each other, with users on the internet, and with your on-premises client
computers.

Azure virtual networks provide the following key networking capabilities:

• Isolation and segmentation

• Internet communications

• Communicate between Azure resources

• Communicate with on-premises resources

• Route network traffic

• Filter network traffic

• Connect virtual networks

Key capabilities

Isolation and segmentation:

• Virtual Network allows you to create multiple isolated virtual networks.

• When you set up a virtual network, you define a private IP address space by using
either public or private IP address ranges.

• You can divide that IP address space into subnets.

• For name resolution, you can use the name resolution service that's built in to Azure.

Internet communications:

• A VM in Azure can connect to the internet by default. You can enable incoming
connections from the internet by defining a public IP address or a public load
balancer.

Communicate between Azure resources:

• Virtual networks: Virtual networks can connect not only VMs but other Azure
resources.

• Service endpoints: use service endpoints to connect to other Azure resource types
(Azure SQL databases and storage accounts).

Communicate with on-premises resources:

• Point-to-site virtual private networks: In this case, the client computer initiates an
encrypted VPN connection to Azure to connect that computer to the Azure virtual
network.

• Site-to-site virtual private networks: A site-to-site VPN links your on-premises VPN
device or gateway to the Azure VPN gateway in a virtual network. (The connection is
encrypted)

• Azure ExpressRoute: provides dedicated private connectivity to Azure that doesn't
travel over the internet.

Route network traffic:

• Route tables: allows you to define rules about how traffic should be directed. You
can create custom route tables.

• Border Gateway Protocol: Border Gateway Protocol (BGP) works with Azure VPN
gateways or ExpressRoute to propagate on-premises BGP routes to Azure virtual
networks.

Filter network traffic:

• Network security groups: a network security group is an Azure resource that can contain multiple
inbound and outbound security rules, each defined by source and destination IP address, port,
and protocol.

• Network virtual appliances: A network virtual appliance is a specialized VM that can
be compared to a hardened network appliance. A network virtual appliance carries
out a particular network function, such as running a firewall or performing wide area
network (WAN) optimization.
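To make the network security group behaviour above concrete, here is an added example (not from the original notes) in Python: a small evaluator that applies inbound rules the way the platform does, in priority order, lowest number first, with the first matching source, destination, port and protocol deciding allow or deny. The SecurityRule fields, the web-subnet rule set and the addresses are constructed sample values; the trailing DenyAllInbound rule mirrors the platform's default catch-all rule.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class SecurityRule:
    """Constructed model of one NSG rule (assumption: simplified field set)."""
    name: str
    priority: int        # lower value is evaluated first
    direction: str       # "Inbound" or "Outbound"
    access: str          # "Allow" or "Deny"
    protocol: str        # "Tcp", "Udp" or "*" (any)
    source: str          # CIDR prefix or "*" (any address)
    destination: str     # CIDR prefix or "*"
    dest_port: str       # "443", "1000-2000" or "*"


def _prefix_matches(prefix: str, ip: str) -> bool:
    """True if ip falls inside prefix; "*" matches every address."""
    if prefix == "*":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(prefix, strict=False)


def _port_matches(spec: str, port: int) -> bool:
    """True if port is covered by spec: a single port, an inclusive a-b range, or "*"."""
    if spec == "*":
        return True
    if "-" in spec:
        low, high = (int(p) for p in spec.split("-", 1))
        return low <= port <= high
    return int(spec) == port


def evaluate(rules: List[SecurityRule], direction: str, protocol: str,
             src_ip: str, dst_ip: str, dst_port: int) -> Tuple[str, Optional[str]]:
    """Return (access, rule_name) of the first rule that matches in priority order.

    A flow no rule matches is denied, which is what the platform's default
    DenyAll rules do; None is returned as the rule name in that case.
    """
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.direction != direction:
            continue
        if rule.protocol not in ("*", protocol):
            continue
        if not (_prefix_matches(rule.source, src_ip)
                and _prefix_matches(rule.destination, dst_ip)
                and _port_matches(rule.dest_port, dst_port)):
            continue
        return rule.access, rule.name
    return "Deny", None


# Constructed rule set for a web subnet 10.0.1.0/24: HTTPS from anywhere, RDP only
# from a management subnet, and an explicit catch-all deny at the lowest priority.
WEB_SUBNET_RULES = [
    SecurityRule("AllowHttpsInbound", 100, "Inbound", "Allow", "Tcp", "*", "10.0.1.0/24", "443"),
    SecurityRule("AllowRdpFromMgmt", 110, "Inbound", "Allow", "Tcp", "10.0.0.64/26", "10.0.1.0/24", "3389"),
    SecurityRule("DenyAllInbound", 65500, "Inbound", "Deny", "*", "*", "*", "*"),
]


if __name__ == "__main__":
    # Sample flows toward a web VM at 10.0.1.4 (constructed addresses).
    for src, port in (("203.0.113.5", 443), ("203.0.113.5", 3389), ("10.0.0.70", 3389)):
        print(src, port, evaluate(WEB_SUBNET_RULES, "Inbound", "Tcp", src, "10.0.1.4", port))
```

Running a proposed rule set through an evaluator like this before deployment is a cheap way to catch the classic mistake of an allow rule whose priority number is lower than the deny that was supposed to restrict it.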

Configure virtual networks

Further settings:

• Address spaces: You can add additional address spaces to the initial definition.

• Connected devices: Use the virtual network to connect machines.

• Subnets: You can add additional subnets.

• Peerings: Link virtual networks in peering arrangements.

Virtual networks are powerful and highly configurable mechanisms for connecting entities in Azure.
You can connect Azure resources to one another or to resources you have on-premises. You can
isolate, filter, and route your network traffic. Azure allows you to increase security where you feel
you need it.

VPN

A virtual private network (VPN) is a type of private interconnected network. VPNs use an encrypted
tunnel within another network. They're typically deployed to connect two or more trusted private
networks to one another over an untrusted network (typically the public internet). Traffic is
encrypted while traveling over the untrusted network to prevent eavesdropping or other attacks.

VPN gateways

A VPN gateway is a type of virtual network gateway.

It enables the following connectivity:

• Connect on-premises datacenters to virtual networks through a site-to-site
connection.

• Connect individual devices to virtual networks through a point-to-site connection.

• Connect virtual networks to other virtual networks through a network-to-network
connection.

• All transferred data is encrypted in a private tunnel as it crosses the internet.

• You can deploy only one VPN gateway in each virtual network.

• VPN types: policy-based or route-based.

Policy-based VPNs

Policy-based VPN gateways specify statically the IP address of packets that should be encrypted
through each tunnel.

Key features of policy-based VPN gateways in Azure include:

• Support for IKEv1 only.

• Use of static routing, where combinations of address prefixes from both networks control
how traffic is encrypted and decrypted through the VPN tunnel. The source and destination
of the tunneled networks are declared in the policy and don't need to be declared in routing
tables.

• Policy-based VPNs must be used in specific scenarios that require them, such as for
compatibility with legacy on-premises VPN devices.

Route-based VPNs

With route-based gateways, IPSec tunnels are modeled as a network interface or virtual tunnel
interface.

IP routing decides which one of these tunnel interfaces to use when sending each packet.

Use a route-based VPN gateway if you need any of the following types of connectivity:

• Connections between virtual networks

• Point-to-site connections

• Multisite connections

• Coexistence with an Azure ExpressRoute gateway

Key features of route-based VPN gateways in Azure include:

• Supports IKEv2.

• Uses any-to-any (wildcard) traffic selectors.

• Can use dynamic routing protocols, where routing/forwarding tables direct traffic to
different IPSec tunnels.

In this case, the source and destination networks aren't statically defined as they are in policy-based
VPNs or even in route-based VPNs with static routing.

Data packets are encrypted based on network routing tables that are created dynamically using
routing protocols such as Border Gateway Protocol (BGP).
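The difference between the two gateway types, and the route-table behaviour described under "Route network traffic" earlier, comes down to how a packet is matched to a tunnel. Below is an added example that is not part of the original notes: a policy-based selector matches a static (source prefix, destination prefix) pair, while a route-based lookup is an ordinary longest-prefix match over a routing table whose next hops are tunnel interfaces. The prefixes, tunnel names and addresses are constructed sample values.

```python
import ipaddress
from typing import List, Optional, Tuple

# Policy-based: one static traffic selector per tunnel, (local prefix, remote prefix, tunnel).
# A packet is encrypted through a tunnel only if its (src, dst) pair falls inside a selector.
PolicySelector = Tuple[str, str, str]

# Route-based: a routing table of (destination prefix, interface); tunnels are interfaces
# and the longest matching prefix decides, exactly like a custom route table lookup.
Route = Tuple[str, str]


def policy_select(selectors: List[PolicySelector], src: str, dst: str) -> Optional[str]:
    """Return the tunnel whose selector covers (src, dst), or None if no policy matches."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for local, remote, tunnel in selectors:
        if s in ipaddress.ip_network(local) and d in ipaddress.ip_network(remote):
            return tunnel
    return None   # not covered by any policy: the packet is not tunneled


def route_select(routes: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix match over the table; returns the chosen interface or None."""
    d = ipaddress.ip_address(dst)
    best: Optional[Tuple[int, str]] = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if d in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, iface)
    return best[1] if best else None


# Constructed sample data: an Azure VNet 10.0.0.0/16 and two on-premises sites.
POLICY_SELECTORS = [("10.0.0.0/16", "192.168.1.0/24", "tun-siteA")]

ROUTE_TABLE = [
    ("192.168.0.0/16", "tun-siteA"),   # the whole on-premises range goes to site A...
    ("192.168.2.0/24", "tun-siteB"),   # ...except one branch that has its own tunnel
    ("0.0.0.0/0", "internet"),         # default route
]


if __name__ == "__main__":
    for dst in ("192.168.1.9", "192.168.2.9", "203.0.113.7"):
        print(dst, "policy:", policy_select(POLICY_SELECTORS, "10.0.1.4", dst),
              "route:", route_select(ROUTE_TABLE, dst))
```

Note that reaching site B in the policy-based model needs a second selector, whereas in the route-based model it is a routing entry; adding a route for a new site changes which tunnel carries the traffic without touching the tunnel definitions, which is why dynamic routing with BGP only fits the route-based type.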

VPN Gateway sizes


Deploy VPN gateways

Needed Azure-resources:

• Virtual network: Deploy a virtual network with enough address space for the additional
subnet that you'll need for the VPN gateway.

• GatewaySubnet: Deploy a subnet called GatewaySubnet for the VPN gateway.

• Public IP address: This address provides a public-routable IP address as the target for your
on-premises VPN device.

• Local network gateway: Create a local network gateway to define the on-premises
network's configuration, such as where the VPN gateway will connect and what it will
connect to-> includes the on-premises VPN device's public IPv4 address and the on-premises
routable networks.

• Virtual network gateway: to route traffic between the virtual network and the on-premises
datacenter or other virtual networks.

• Connection: to create a logical connection between the VPN gateway and the local network
gateway.

Features and benefits of ExpressRoute

• Layer 3 connectivity between your on-premises network and the Microsoft Cloud through a
connectivity provider. Connectivity can be from an any-to-any (IPVPN) network, a point-to-
point Ethernet connection, or through a virtual cross-connection via an Ethernet exchange.

• Connectivity to Microsoft cloud services across all regions in the geopolitical region.

• Global connectivity to Microsoft services across all regions with the ExpressRoute premium
add-on.

• Dynamic routing between your network and Microsoft via BGP.

• Built-in redundancy in every peering location for higher reliability.

• Connection uptime SLA.

• QoS support for Skype for Business.

• Each connectivity provider uses redundant devices to ensure that connections established
with Microsoft are highly available.

• ExpressRoute enables direct access to the following services in all regions:

• Microsoft Office 365

• Microsoft Dynamics 365

• Azure compute services, such as Azure Virtual Machines

• Azure cloud services, such as Azure Cosmos DB and Azure Storage

• You can enable ExpressRoute Global Reach to exchange data across your on-premises sites
by connecting your ExpressRoute circuits.

• ExpressRoute uses the Border Gateway Protocol (BGP) routing protocol. BGP is used to
exchange routes between on-premises networks and resources running in Azure. This
protocol enables dynamic routing between your on-premises network and services running
in the Microsoft cloud.

• Colocation at a cloud exchange

• Point-to-point Ethernet connection: Point-to-point connections provide Layer 2 and Layer 3
connectivity between your on-premises site and Azure.

• Any-to-any networks: you can integrate your wide area network (WAN) with Azure by
providing connections to your offices and datacenters. With any-to-any connections, all
WAN providers offer Layer 3 connectivity.

• Security considerations: With ExpressRoute, your data doesn't travel over the public
internet, so it's not exposed to the potential risks associated with internet communications.
ExpressRoute is a private connection from your on-premises infrastructure to your Azure
infrastructure. Even if you have an ExpressRoute connection, DNS queries, certificate
revocation list checking, and Azure Content Delivery Network requests are still sent over the
public internet.

ExpressRoute connectivity models

ExpressRoute supports three models:

• CloudExchange colocation

• Point-to-point Ethernet connection

• Any-to-any connection

Artificial Intelligence

• It is a category of computing that adapts and improves its decision-making ability over time
based on its successes and failures.

• Perceive its environment.

• Goal: create a software system that adapts, or learns something on its own, without being
explicitly programmed to do it.

• Deep learning system: modeled on the neural network of the human mind, enabling it to
discover, learn, and grow through experience.

• Machine learning: uses existing data to train a model, test it, and then apply the model to
new data to forecast future behaviors, outcomes, and trends.

• Virtually every device or software system that collects textual, visual, and audio data could
feed a machine learning model that makes that device or software system smarter about
how it functions in the future.

Azure Machine Learning

• It is a platform for making predictions.

• Tools and services allow you to connect to data to train and test models.

• After experimentation, you can deploy the model and use it in real time via a web API endpoint.

• Create a process that defines how to obtain data, how to handle missing or bad data, how to
split the data into either a training set or test set, and deliver the data to the training
process.

• Train and evaluate predictive models by using tools and programming languages familiar to
data scientists.

• Create pipelines that define where and when to run the compute-intensive experiments that
are required to score the algorithms based on the training and test data.

• Deploy the best-performing algorithm as an API to an endpoint so it can be consumed in real
time by other applications.

Azure Cognitive Services

• It provides prebuilt machine learning models that enable applications to see, hear, speak,
understand, and even begin to reason.

• Usage: solving general problems, such as analyzing text for emotional sentiment or analyzing
images to recognize objects or faces.

• Developers access Azure Cognitive Services via APIs (these features can be built in just a few
lines of code).

• Azure Machine Learning: requires you to bring your own data and train models over that
data.

• Azure Cognitive Services: provides pretrained models.

• Language services: Allow your apps to process natural language with prebuilt scripts,
evaluate sentiment, and learn how to recognize what users want.

• Speech services: Convert speech into text and text into natural-sounding speech. Translate
from one language to another and enable speaker verification and recognition.

• Vision services: Add recognition and identification capabilities when you're analyzing
pictures, videos, and other visual content.

• Decision services: Add personalized recommendations for each user that automatically
improve each time they're used, moderate content to monitor and remove offensive or risky
content, and detect abnormalities in your time series data.

Azure Bot Service

• Azure Bot Service, Bot Framework: are platforms for creating virtual agents that understand
and reply to questions just like a human.

• Difference from the previous ones: it has a specific use case.

• It creates a virtual agent that can intelligently communicate with humans.

• Tasks of bots: shift simple, repetitive tasks, such as taking a dinner reservation or gathering
profile information, on to automated systems.

• Users converse with a bot by using text, interactive cards, and speech.

Decision criteria

Are you building a virtual agent that interfaces with humans via natural language?

• Azure Bot Service integrates knowledge sources, natural language processing, and
form factors to allow interaction across different channels.

• Bot Service solutions usually rely on other AI services for such things as natural
language understanding or even translation.

• QnA Maker: to build, train, and publish a sophisticated bot.

• Integration of Power Virtual Agents and Microsoft Power Platform: you can use
hundreds of prebuilt connectors for data input.

Do you need a service that can understand the content and meaning of images, video, or audio, or
that can translate text into a different language?

• Azure Cognitive Services, general purpose, meaning that many different kinds of
customers can benefit from the work that Microsoft has already done to train and
test these models and offer them inexpensively at scale.

Do you need to predict user behavior or provide users with personalized recommendations in your
app?

• Azure Cognitive Services Personalizer watches your users' actions within an
application. Alternatively, you could capture and store user behavior and create your
own custom Azure Machine Learning solution.

Will your app predict future outcomes based on private historical data?

• Azure Machine Learning: when you need to analyze data to predict future outcomes.

Do you need to build a model by using your own data or perform a different task than those listed
above?

• Azure Machine Learning: Data scientists and AI engineers can use the tools they're
familiar with and the data you provide to develop deep learning and machine
learning models that are tuned for your particular requirements.

Product options

• Software developers and operations professionals strive to create working software systems
that satisfy the needs of the organization.

• DevOps is a new approach that helps to align technical teams as they work toward common
goals.

• Aim: to expedite the release of software changes, ensure the ongoing deployability of the
system, and ensure that all changes meet a high quality bar.

• DevOps practices and processes touch nearly every aspect of the company, not to mention
the software development lifecycle, including planning, project management, and the
collaboration of software developers with each other and with operations and quality
assurance teams.

• DevOps requires a fundamental mindset change from the top down.

Azure DevOps Services

Azure DevOps Services is a suite of services that address every stage of the software development
lifecycle.

• Azure Repos is a centralized source-code repository where software development,
DevOps engineering, and documentation professionals can publish their code for
review and collaboration.

• Azure Boards is an agile project management suite that includes Kanban boards,
reporting, and tracking ideas and work from high-level epics to work items and
issues.

• Azure Pipelines is a CI/CD pipeline automation tool.

• Azure Artifacts is a repository for hosting artifacts, such as compiled source code,
which can be fed into testing or deployment pipeline steps.

• Azure Test Plans is an automated test tool that can be used in a CI/CD pipeline to
ensure quality before a software release.

Product options

GitHub and GitHub Actions: GitHub is the world's most popular code repository for open-source
software. Git is a decentralized source-code management tool; GitHub is a hosted version of Git that
serves as the primary remote.

It offers the following functionality:

• It's a shared source-code repository, including tools that enable developers to
perform code reviews by adding comments and questions in a web view of the
source code before it can be merged into the main code base.

• It facilitates project management, including Kanban boards.

• It supports issue reporting, discussion, and tracking.

• It features CI/CD pipeline automation tooling.

• It includes a wiki for collaborative documentation.

• It can be run from the cloud or on-premises.

GitHub Actions enables workflow automation with triggers for many lifecycle events. One such
example would be automating a CI/CD toolchain.

GitHub

A toolchain is a combination of software tools that aid in the delivery, development, and
management of software applications throughout a system's development lifecycle.

• The output of one tool in the toolchain is the input of the next tool in the toolchain.

• Tool functions: automated dependency updates, building and configuring the software,
delivering the build artifacts to various locations, testing.

• Similarity between many GitHub and Azure DevOps features.

Azure DevTest Labs provides an automated means of managing the process of building, setting up,
and tearing down virtual machines (VMs) that contain builds of your software projects, so that
developers and testers can perform tests across a variety of environments and builds.

• Provisioning pre-created lab environments with their required configurations and tools
already installed is a huge time saver for quality assurance professionals and developers.

• For example, after testing is complete, DevTest Labs can shut down and deprovision the
VM, which saves money when it's not in use.

Decision criteria

Do you need to automate and manage test-lab creation?

• With Azure DevTest Labs, you can automate the provisioning of new labs as part of a toolchain by
using Azure Pipelines or GitHub Actions.

Are you building open-source software?

• Although Azure DevOps can publish public code repositories, GitHub has long been the preferred
host for open-source software.

Regarding source-code management and DevOps tools, what level of granularity do you need for
permissions?

• GitHub works on a simple model of read/write permissions to every feature, whereas Azure
DevOps has a much more granular set of permissions.

Regarding source-code management and DevOps tools, how sophisticated does your project
management and reporting need to be?

• Azure DevOps is highly customizable, which allows an administrator to add custom fields to
capture metadata and other information alongside each work item. GitHub Issues uses
tags as its primary means of helping a team categorize issues.

Regarding source-code management and DevOps tools, how tightly do you need to integrate with
third-party tools?

• It's likely that most vendors that create DevOps tools create hooks or APIs that can be used
by both Azure Pipelines and GitHub Actions. Even so, it's probably worth the effort to
validate that assumption.

Azure Advisor

Azure Advisor evaluates your Azure resources and makes recommendations to help improve
reliability, security, and performance, achieve operational excellence, and reduce costs. The
recommendation service includes suggested actions.

The recommendations are divided into five categories:

• Reliability: Used to ensure and improve the continuity of your business-critical
applications.

• Security: Used to detect threats and vulnerabilities that might lead to security
breaches.

• Performance: Used to improve the speed of your applications.

• Cost: Used to optimize and reduce your overall Azure spending.


• Operational Excellence: Used to help you achieve process and workflow efficiency,
resource manageability, and deployment best practices.

Azure Monitor

Azure Monitor is a platform for collecting, analyzing, visualizing, and potentially taking action based
on the metric and logging data from your entire Azure and on-premises environment.

Some popular products, such as Azure Application Insights (a service for sending telemetry
information from application source code to Azure), use Azure Monitor under the hood.

Azure Service Health

Azure Service Health provides a personalized view of the health of the Azure services, regions, and
resources you rely on. It displays both major and smaller, localized issues that affect you. You can
set up alerts that help you triage outages and planned maintenance.

Service Health helps you keep an eye on several event types:

• Service issues: are problems in Azure, such as outages.

• Planned maintenance events can affect your availability. In the rare case that a reboot is
required, Service Health allows you to choose when to perform the maintenance to
minimize the downtime.

• Health advisories are issues that require you to act to avoid service interruption, including
service retirements and breaking changes. Health advisories are announced far in advance to
allow you to plan.

Decision criteria

Do you need to analyze how you're using Azure to reduce costs? Improve resilience? Harden your
security?

• Azure Advisor analyzes the configuration and usage of your resources and provides
suggestions on how to optimize for reliability, security, performance, costs, and operations
based on experts' best practices.

Do you want to monitor Azure services or your usage of Azure?

• If you want to keep tabs on Azure itself, choose Azure Service Health. If you want to keep
track of the performance or issues related to your specific VM or container instances,
databases, your applications, and so on, visit Azure Monitor and create reports and
notifications to help you understand how your services are performing or diagnose issues
related to your Azure usage.

Do you want to measure custom events alongside other usage metrics?

• Azure Monitor, when you want to measure custom events alongside other collected
telemetry data. Custom events, such as those added in the source code of your software
applications, could help identify and diagnose why your application is behaving a certain
way.

Do you need to set up alerts for outages or when autoscaling is about to deploy new instances?

• Azure Monitor

Management tools

• Visual tools: provide full, visually friendly access to all the functionality of Azure.

• Code-based tools: let you quickly set up and configure Azure resources. The code that performs
setup and configuration can be stored, versioned, and maintained along with application
source code in a source-code management tool such as Git. Managing hardware and cloud
resources with the same practices developers use when they write application code is
referred to as infrastructure as code.

There are two approaches to infrastructure as code:

• Imperative code: details each individual step that should be performed to achieve a desired
outcome.

• Declarative code: details only a desired outcome, and it allows an interpreter to decide how
to best achieve that outcome (deploying dozens or hundreds of resources simultaneously
and reliably).

Azure portal: from the portal you can access virtually every feature of Azure.

The Azure mobile app: provides iOS and Android access to your Azure resources when you're away
from your computer.

• Monitor the health and status of your Azure resources.

• Check for alerts, quickly diagnose and fix issues, and restart a web app or virtual
machine.

• Run the Azure CLI or Azure PowerShell commands to manage your Azure resources.

Azure PowerShell: a shell that can execute commands called cmdlets. These commands call the Azure
REST API to perform every possible management task in Azure.

Cmdlets can be executed independently or combined into a script file and executed together to
orchestrate:

• The routine setup, teardown, and maintenance of a single resource or multiple
connected resources.

• The deployment of an entire infrastructure, which might contain dozens or hundreds
of resources, from imperative code.

• Azure CLI: the Azure command-line interface is an executable program with which a developer,
DevOps professional, or IT professional can execute commands in Bash. The commands call
the Azure REST API to perform every possible management task in Azure. The primary
difference from Azure PowerShell is the syntax you use.

• ARM templates: you can describe the resources you want to use in a declarative JSON
format. The benefit is that the entire ARM template is verified before any code is executed
to ensure that the resources will be created and connected correctly. The template then
orchestrates the creation of those resources in parallel.

Decision criteria

Do you need to perform one-off management, administrative, or reporting actions?

Use either Azure PowerShell or the Azure CLI if you need to quickly obtain the IP address of a virtual
machine (VM) you've deployed, reboot a VM, or scale an app. You might want to keep custom
scripts handy on your local hard drive for certain operations that you perform occasionally. ARM
templates aren't intended for one-off scenarios, although ARM templates can include PowerShell or
Azure CLI scripts.

You could perform most, if not all, management and administrative actions via the Azure portal.

The Azure mobile app is the best choice when a laptop isn't readily available and you need to view
and triage issues immediately.

Do you need a way to repeatedly set up one or more resources and ensure that all the
dependencies are created in the proper order?

ARM templates. A validation step ensures that all resources can be created; the resources are then
created in the proper order based on dependencies, in parallel, and idempotently.

It's entirely possible to use either PowerShell or the Azure CLI to set up all the resources for a
deployment, but there is no validation step in these tools.
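The validate-then-order step described above, as an added example that is not part of the original notes or of Azure itself: a small Python model that reads a constructed ARM-style template, rejects references to unknown resources and circular dependsOn chains before anything is "deployed", and groups the resources into waves that can be created in parallel. The "type/name" strings in dependsOn are a simplification assumed by this example.

```python
"""Added example: a model of ARM template validation and dependency ordering.
The template below is constructed sample data, not a real deployment."""
import json
from collections import defaultdict

# Constructed sample: a VM depends on a NIC, which depends on a virtual network
# and a public IP. The storage account has no dependencies at all.
SAMPLE_TEMPLATE = json.dumps({
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        {"type": "Microsoft.Compute/virtualMachines", "name": "web-vm",
         "dependsOn": ["Microsoft.Network/networkInterfaces/web-nic"]},
        {"type": "Microsoft.Network/networkInterfaces", "name": "web-nic",
         "dependsOn": ["Microsoft.Network/virtualNetworks/web-vnet",
                       "Microsoft.Network/publicIPAddresses/web-pip"]},
        {"type": "Microsoft.Network/virtualNetworks", "name": "web-vnet"},
        {"type": "Microsoft.Network/publicIPAddresses", "name": "web-pip"},
        {"type": "Microsoft.Storage/storageAccounts", "name": "weblogs"},
    ],
})

# Constructed invalid template: a depends on b and b depends on a.
CYCLIC_TEMPLATE = json.dumps({"resources": [
    {"type": "T", "name": "a", "dependsOn": ["T/b"]},
    {"type": "T", "name": "b", "dependsOn": ["T/a"]},
]})


class TemplateValidationError(Exception):
    """Raised when the template cannot be deployed as written."""


def resource_id(res):
    """Identify a resource the way dependsOn refers to it in this example."""
    return f"{res['type']}/{res['name']}"


def plan_deployment(template_json):
    """Validate the whole template, then return the deployment waves.

    Every resource in one wave has all of its dependencies in earlier waves, so
    the members of a wave can be created in parallel. Nothing is returned (or
    would be deployed) unless the entire template passes validation first.
    """
    template = json.loads(template_json)
    resources = template.get("resources", [])
    ids = [resource_id(r) for r in resources]
    if len(set(ids)) != len(ids):
        raise TemplateValidationError("duplicate resource id in template")
    known = set(ids)

    deps = {}
    for r in resources:
        wanted = r.get("dependsOn", [])
        missing = [d for d in wanted if d not in known]
        if missing:
            raise TemplateValidationError(
                f"{resource_id(r)} depends on unknown resource(s): {missing}")
        deps[resource_id(r)] = set(wanted)

    # Kahn's algorithm: emit every resource whose dependencies are already
    # satisfied, wave by wave. Leftover resources mean a dependency cycle.
    indegree = {rid: len(d) for rid, d in deps.items()}
    dependents = defaultdict(list)
    for rid, d in deps.items():
        for dep in d:
            dependents[dep].append(rid)
    ready = [rid for rid, n in indegree.items() if n == 0]
    waves, placed = [], 0
    while ready:
        wave = sorted(ready)
        ready = []
        for rid in wave:
            placed += 1
            for child in dependents[rid]:
                indegree[child] -= 1
                if indegree[child] == 0:
                    ready.append(child)
        waves.append(wave)
    if placed != len(deps):
        raise TemplateValidationError("circular dependsOn chain in template")
    return waves


if __name__ == "__main__":
    for i, wave in enumerate(plan_deployment(SAMPLE_TEMPLATE), 1):
        print(f"wave {i}: {wave}")
```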

When you're scripting, do you come from a Windows administration or Linux administration
background?

Windows administration background → PowerShell.

Linux administration background → Azure CLI.

Azure Functions

• With Azure Functions, you can host a single method or function, written in a popular
programming language, in the cloud so that it runs in response to an event. An example of an
event might be an HTTP request, a new message on a queue, or a message on a timer.

• Azure Functions scales automatically, and charges accrue only when a function is triggered.
These qualities make Azure Functions a solid choice when demand is variable.

• An Azure function is a stateless environment. A function behaves as if it's restarted every
time it responds to an event (this makes it ideal for processing incoming data).

• Azure Functions can perform orchestration tasks by using an extension called Durable
Functions.

• Ideal when you're concerned only with the code that's running your service and not the
underlying platform or infrastructure, or when you need to perform work in response to an
event.

Azure Logic Apps

• Azure Logic Apps is a low-code/no-code development platform hosted as a cloud service.
The service helps you automate and orchestrate tasks, business processes, and workflows
when you need to integrate apps, data, systems, and services across enterprises or
organizations. This solution covers app integration, data integration, system integration,
enterprise application integration (EAI), and business-to-business (B2B) integration.

• Web-based designer → you build workflows without having to write any code.

• You build an app by linking triggers to actions with connectors.

• You can choose from a growing gallery of over 200 connectors.

IoT

IoT enables devices to gather and then relay information for data analysis.

• Environmental sensors that capture temperature and humidity levels

• Barcode, QR code, or optical character recognition (OCR) scanners

• Geo-location and proximity sensors

• Light, color, and infrared sensors

• Sound and ultrasonic sensors

• Motion and touch sensors

• Accelerometer and tilt sensors

• Smoke, gas, and alcohol sensors

• Error sensors to detect when there's a problem with the device

• Mechanical sensors that detect anomalies or deformations

• Flow, level, and pressure sensors for measuring gasses and liquids

By using Azure IoT services, devices that are equipped with these kinds of sensors and that can
connect to the internet could send their sensor readings to a specific endpoint in Azure via a
message. The message's data is then collected and aggregated, and it can be converted into reports
and alerts.

The data that's collected from these devices could be combined with Azure AI services to help you
predict:

• When machines need proactive maintenance.

• When inventories will need to be replenished and new product ordered from vendors.

Azure IoT Hub

Azure IoT Hub is a managed service that's hosted in the cloud and that acts as a central message
hub for bi-directional communication between your IoT application and the devices it manages. It
lets you build IoT solutions with reliable and secure communications between millions of IoT
devices and a cloud-hosted solution back end.

• The IoT Hub service supports communications both from the device to the cloud and from
the cloud to the device. It also supports multiple messaging patterns, such as device-to-
cloud telemetry, file upload from devices, and request-reply methods to control your
devices from the cloud.

• You can have either manual or automated remote control of connected devices.

• Monitoring (device creation, device failures, and device connections).

Azure IoT Central

Azure IoT Central builds on top of IoT Hub by adding a dashboard that allows you to connect,
monitor, and manage your IoT devices.

• Through its visual user interface, you can set up alerts that send notifications when a specific
device needs maintenance, and you can push firmware updates to the device.

• Starter templates for common scenarios → customizable.

• With IoT Central, you can tailor the starter templates for the specific data that's sent from
your devices, the reports you want to see, and the alerts you want to send.

• You can use the UI to control your devices remotely; for example, you can adjust the desired
temperature.

• Device templates: you can connect a device without any service-side coding; IoT Central
uses the templates to construct the dashboards, alerts, and so on.

• Device developers still need to create code to run on the devices, and that code must match
the device template specification.

Azure Sphere

Azure Sphere creates an end-to-end, highly secure IoT solution for customers that encompasses
everything from the hardware and operating system on the device to the secure method of sending
messages from the device to the message hub.

• Azure Sphere has built-in communication and security features for internet-connected
devices.

Azure Sphere comes in three parts:

• Azure Sphere MCU - which is responsible for processing the operating system and
signals from attached sensors.

• Linux operating system - handles communication with the security service and can
run the vendor's software.

• Azure Sphere Security Service (AS3) - its job is to make sure that the device has not been
maliciously compromised. AS3 checks to ensure that the device hasn't been tampered with.
After it has established a secure channel of communication, AS3 pushes any OS or approved
customer-developed software updates to the device.

Security

Azure Security Center is a monitoring service that provides visibility of your security posture across
all of your services, both on Azure and on-premises.

Security posture: your cybersecurity policies and controls, as well as how well you can predict,
prevent, and respond to security threats.

Azure Security Center

Functions:

• Monitor security settings across on-premises and cloud workloads;

• Automatically apply required security settings to new resources as they come online;

• Provide security recommendations that are based on your current configurations, resources,
and networks;

• Continuously monitor your resources and perform automatic security assessments to
identify potential vulnerabilities before those vulnerabilities can be exploited;

• Use machine learning to detect and block malware from being installed on your virtual
machines (VMs) and other resources. You can also use adaptive application controls to
define rules that list allowed applications to ensure that only applications you allow can run.

• Detect and analyze potential inbound attacks and investigate threats and any post-breach
activity that might have occurred;

• Provide just-in-time access control for network ports. Doing so reduces your attack surface
by ensuring that the network only allows traffic that you require at the time that you need it
to.

• Secure score is a measurement of an organization's security posture. It is based on security
controls. Your score improves when you remediate all of the recommendations for a single
resource within a control.

Secure score helps you:

• Report on the current state of your organization's security posture;

• Improve your security posture by providing discoverability, visibility, guidance, and control;

• Compare with benchmarks and establish key performance indicators (KPIs).
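How the "all recommendations for a single resource within a control" rule above plays out, as an added example that is not part of the original notes or of Security Center: a Python model in which each control carries a maximum score and a resource earns credit for a control only when every recommendation in that control is healthy for it. The proportional weighting (max score × healthy resources ÷ in-scope resources), the control names and all findings are assumptions constructed for this example.

```python
"""Added example: a secure-score model. Controls, scores and findings are
constructed sample data; the proportional weighting is an assumption."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    name: str
    max_score: int
    recommendations: tuple  # recommendation ids grouped under this control


# Constructed controls with different weights.
CONTROLS = (
    Control("Enable MFA", 10, ("mfa-for-owners", "mfa-for-writers")),
    Control("Secure management ports", 8, ("jit-access", "close-rdp-ssh")),
    Control("Apply system updates", 6, ("install-updates",)),
)

# Constructed assessments: resource -> {recommendation id: "healthy"/"unhealthy"}.
ASSESSMENTS = {
    "vm-web-1": {"jit-access": "unhealthy", "close-rdp-ssh": "healthy",
                 "install-updates": "unhealthy"},
    "vm-web-2": {"jit-access": "unhealthy", "close-rdp-ssh": "unhealthy",
                 "install-updates": "healthy"},
    "vm-db-1": {"jit-access": "healthy", "close-rdp-ssh": "healthy",
                "install-updates": "healthy"},
    "sub-prod": {"mfa-for-owners": "healthy", "mfa-for-writers": "unhealthy"},
}


def control_score(control, assessments):
    """Return (current, max) for one control.

    A resource is in scope if it is assessed against any recommendation of the
    control, and it is healthy only when ALL of those assessments are healthy.
    Credit = max_score * healthy / in_scope (assumed weighting).
    """
    in_scope = healthy = 0
    for statuses in assessments.values():
        relevant = [statuses[r] for r in control.recommendations if r in statuses]
        if not relevant:
            continue
        in_scope += 1
        if all(s == "healthy" for s in relevant):
            healthy += 1
    if in_scope == 0:
        return 0.0, control.max_score
    return control.max_score * healthy / in_scope, control.max_score


def secure_score(controls, assessments):
    """Return (current, max, percentage) summed over all controls."""
    current = sum(control_score(c, assessments)[0] for c in controls)
    maximum = sum(c.max_score for c in controls)
    return current, maximum, round(100 * current / maximum, 1)


def remediate(assessments, resource, recommendation):
    """Return a copy of the assessments with one finding marked healthy."""
    updated = {res: dict(st) for res, st in assessments.items()}
    updated[resource][recommendation] = "healthy"
    return updated


def demo():
    """Show that a partial fix earns nothing until the resource is clean in the control."""
    before = secure_score(CONTROLS, ASSESSMENTS)
    # vm-web-2 still has close-rdp-ssh open in the same control: no gain.
    partial = secure_score(CONTROLS, remediate(ASSESSMENTS, "vm-web-2", "jit-access"))
    # vm-web-1 has no other open finding in that control: it now counts as healthy.
    full = secure_score(CONTROLS, remediate(ASSESSMENTS, "vm-web-1", "jit-access"))
    return before, partial, full


if __name__ == "__main__":
    for label, score in zip(("before", "partial fix", "full fix"), demo()):
        print(f"{label}: {score[0]:.2f} of {score[1]} ({score[2]}%)")
```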

Threats

• Just-in-time VM access: This access blocks traffic by default to specific network ports of
virtual machines, but allows traffic for a specified time when an administrator requests and
approves it.

• Adaptive application controls: let you control which applications are allowed to run on
your virtual machines (exception rules).

• Adaptive network hardening: Security Center can monitor the internet traffic patterns of
the VMs and compare those patterns with the company's current network security group
(NSG) settings.

• File integrity monitoring: you can also configure the monitoring of changes to important files
on both Windows and Linux, to registry settings, applications, and other aspects that might
indicate a security attack.
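The just-in-time VM access behaviour described above, as an added example that is not part of the original notes or of Security Center: a Python model in which management ports are denied by default, an approved request opens one port for one source address for a bounded time, and the grant expires on its own. The port set, the maximum window, the names and the addresses are constructed assumptions.

```python
"""Added example: a model of just-in-time (JIT) VM access. All values are
constructed; this is not Security Center's implementation."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

JIT_PORTS = {22, 3389}           # ports the policy locks down (constructed)
MAX_WINDOW = timedelta(hours=3)  # longest window an admin may approve (constructed)


@dataclass
class AccessGrant:
    source_ip: str
    port: int
    expires_at: datetime


@dataclass
class JitPolicy:
    """Per-VM policy: default deny on JIT_PORTS plus time-boxed allow grants."""
    vm_name: str
    grants: list = field(default_factory=list)
    audit_log: list = field(default_factory=list)

    def request_access(self, requester, source_ip, port, duration, now, approved):
        """Record the request and, if an admin approved it, open the port until now+duration."""
        if port not in JIT_PORTS:
            raise ValueError(f"port {port} is not covered by the JIT policy")
        if duration > MAX_WINDOW:
            raise ValueError("requested window exceeds the policy maximum")
        self.audit_log.append((now, requester, source_ip, port,
                               "approved" if approved else "denied"))
        if not approved:
            return None
        grant = AccessGrant(source_ip, port, now + duration)
        self.grants.append(grant)
        return grant

    def is_allowed(self, source_ip, port, now):
        """True if a live grant covers this source and port; None for ports outside the policy."""
        if port not in JIT_PORTS:
            return None  # left to the VM's ordinary NSG rules, not modelled here
        self.grants = [g for g in self.grants if g.expires_at > now]  # drop expired grants
        return any(g.source_ip == source_ip and g.port == port for g in self.grants)


def demo():
    """Walk one SSH request through its lifecycle; returns {stage: allowed?}."""
    t0 = datetime(2024, 1, 1, 9, 0)  # constructed timestamp
    policy = JitPolicy("web-vm")
    results = {"before": policy.is_allowed("203.0.113.10", 22, t0)}
    policy.request_access("alice", "203.0.113.10", 22, timedelta(hours=1), t0, approved=True)
    during = t0 + timedelta(minutes=30)
    results["during"] = policy.is_allowed("203.0.113.10", 22, during)
    results["other_ip"] = policy.is_allowed("198.51.100.7", 22, during)
    results["other_port"] = policy.is_allowed("203.0.113.10", 3389, during)
    results["after"] = policy.is_allowed("203.0.113.10", 22, t0 + timedelta(hours=2))
    return results


if __name__ == "__main__":
    print(demo())
```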

Azure Security Center

Security Center gives a company a centralized view of all of its security alerts. The company can
dismiss false alerts, investigate them further, remediate alerts manually, or use an automated
response with a workflow automation.

• Workflow automation uses Azure Logic Apps and Security Center connectors. The logic app
can be triggered by a threat detection alert or by a Security Center recommendation, filtered
by name or by severity.

Azure Sentinel

Security management on a large scale can benefit from a dedicated security information and event
management (SIEM) system. A SIEM system aggregates security data from many different sources.
Azure Sentinel is Microsoft's cloud-based SIEM system.

Capabilities:

• Collect cloud data at scale

• Detect previously undetected threats

• Investigate threats with artificial intelligence

• Respond to incidents rapidly

Connect your data sources

Azure Sentinel supports a number of data sources, which it can analyze for security events. These
connections are handled by built-in connectors or industry-standard log formats and APIs.

• Connect Microsoft solutions: Azure Active Directory or the Windows Defender Firewall.

• Connect other services and solutions: AWS CloudTrail, Citrix Analytics (Security), Sophos XG
Firewall, VMware Carbon Black Cloud.

• Connect industry-standard data sources: Azure Sentinel supports data from other sources
that use the Common Event Format (CEF) messaging standard, Syslog, or REST API.

Detect threats

Built-in analytics use templates designed by Microsoft's team of security experts and analysts based
on known threats, common attack vectors, and escalation chains for suspicious activity. These
templates can be customized.

Custom analytics are rules that you create to search for specific criteria within your environment.
You can preview the number of results that the query would generate (based on past log events) and
set a schedule for the query to run. You can also set an alert threshold.

Azure Monitor Workbooks

Azure Sentinel uses Azure Monitor Workbooks to automate responses to threats.

For example, you can set an alert that looks for malicious IP addresses and does the following:

• When the alert is triggered, open a ticket in the IT ticketing system.

• Send a message to the security operations channel in Microsoft Teams or Slack to
make sure the security analysts are aware of the incident.

• Send all of the information in the alert to the senior network admin and to the
security admin. The email message includes two user option buttons: Block or
Ignore.

When an admin chooses Block, the IP address is blocked in the firewall and the user is disabled in
Azure Active Directory. When an admin chooses Ignore, the alert is closed in Azure Sentinel and the
incident is closed in the IT ticketing system.

Azure Key Vault

Azure Key Vault is a centralized cloud service for storing an application's secrets in a single, central
location. It provides secure access to sensitive information by providing access control and logging
capabilities.

Azure Key Vault can help you:

• Manage secrets

• Manage encryption keys

• Manage SSL/TLS certificates

• Store secrets backed by hardware security modules (HSMs)

Benefits:

• Centralized application secrets

• Securely stored secrets and keys

• Access monitoring and access control

• Simplified administration of application secrets

• Integration with other Azure services

Azure Dedicated Host

• On Azure, virtual machines (VMs) run on shared hardware that Microsoft manages. Although
the underlying hardware is shared, your VM workloads are isolated from workloads that
other Azure customers run.

• Some organizations must follow regulatory compliance that requires them to be the only
customer using the physical machine that hosts their virtual machines.

Azure Dedicated Host provides dedicated physical servers to host your Azure VMs for Windows and
Linux.

Benefits:

• Gives you visibility into, and control over, the server infrastructure that's running your Azure
VMs.

• Helps address compliance requirements by deploying your workloads on an isolated server.

• Lets you choose the number of processors, server capabilities, VM series, and VM sizes
within the same host.

• After a dedicated host is provisioned, Azure assigns it to the physical server in Microsoft's
cloud datacenter.

• You can provision multiple hosts in a host group and deploy your virtual machines across this
group → This feature enables you to control when regular maintenance updates occur,
within a 35-day rolling window.

You're charged per dedicated host, independent of how many virtual machines you deploy to it. The
host price is based on the VM family, type (hardware size), and region.

Software licensing, storage, and network usage are billed separately from the host and VMs.

Layers of defense

• The physical security layer is the first line of defense to protect computing hardware in the
datacenter.

• The identity and access layer controls access to infrastructure and change control.

• The perimeter layer uses distributed denial of service (DDoS) protection to filter large-scale
attacks before they can cause a denial of service for users.

• The network layer limits communication between resources through segmentation and
access controls.

• The compute layer secures access to virtual machines.

• The application layer helps ensure that applications are secure and free of security
vulnerabilities.

• The data layer controls access to business and customer data that you need to protect.

Security posture

Your security posture is your organization's ability to protect from and respond to security threats.
The common principles used to define a security posture are confidentiality, integrity, and
availability, known collectively as CIA.

• Confidentiality: The principle of least privilege means restricting access to information only
to individuals explicitly granted access, at only the level that they need to perform their
work. Examples include the protection of user passwords, email content, and access levels
to applications and underlying infrastructure.

• Integrity: Prevent unauthorized changes to information at rest and in transit.


• Availability: Ensure that services are functioning and can be accessed only by authorized
users. Denial-of-service attacks are designed to degrade the availability of a system,
affecting its users.

Azure Firewall

A firewall is a network security device that monitors incoming and outgoing network traffic and
decides whether to allow or block specific traffic based on a defined set of security rules. You can
create firewall rules that specify ranges of IP addresses. Only clients granted IP addresses from
within those ranges are allowed to access the destination server.

Azure Firewall is a managed, cloud-based network security service that helps protect resources in
your Azure virtual networks.

• It is a stateful firewall: it analyzes the complete context of a network connection, not just an
individual packet of network traffic. It offers high availability and unrestricted cloud scalability.

• Azure Firewall provides a central location to create, enforce, and log application and
network connectivity policies across subscriptions and virtual networks.

• Azure Firewall uses a static (unchanging) public IP address, which enables outside firewalls to
identify traffic coming from your virtual network.

• The service is integrated with Azure Monitor to enable logging and analytics.

Functions:

• Built-in high availability.

• Unrestricted cloud scalability.

• Inbound and outbound filtering rules.

• Inbound Destination Network Address Translation (DNAT) support.

• Azure Monitor logging.

With Azure Firewall, you can configure:

• Application rules that define fully qualified domain names (FQDNs) that can be
accessed from a subnet.

• Network rules that define source address, protocol, destination port, and
destination address.

• Network Address Translation (NAT) rules that define destination IP addresses and
ports to translate inbound requests.

Azure Application Gateway also provides a firewall that's called the web application firewall (WAF).
WAF provides centralized, inbound protection for your web applications against common exploits
and vulnerabilities. (A WAF is also available with Azure Front Door and Azure Content Delivery
Network.)

Protect from DDoS attacks by using Azure DDoS Protection

DDoS attacks: A distributed denial of service attack attempts to overwhelm and exhaust an
application's resources, making the application slow or unresponsive to legitimate users. DDoS
attacks can target any resource that's publicly reachable through the internet, including websites.

Azure DDoS Protection helps protect your Azure resources from DDoS attacks. DDoS Protection,
combined with recommended application design practices, provides a defense against DDoS attacks.

DDoS Protection uses the scale and elasticity of Microsoft's global network to bring DDoS mitigation
capacity to every Azure region.

• DDoS Protection can also help you manage your cloud consumption. When you run on-
premises, you have a fixed number of compute resources.

• You can automatically scale out your deployment to meet demand (elastic computing).

• DDoS Protection Standard helps ensure that the network load you process reflects customer
usage.

• You can also receive credit for any costs accrued for scaled-out resources during a DDoS
attack.

Service tiers:

• Basic: The Basic service tier is automatically enabled for free as part of your Azure
subscription.

• Standard: provides additional mitigation capabilities that are tuned specifically to Azure
Virtual Network resources, including always-on traffic monitoring. Protection policies are tuned
through dedicated traffic monitoring and machine learning algorithms. Policies are applied
to public IP addresses, which are associated with resources deployed in virtual networks
such as Azure Load Balancer and Application Gateway.

The Standard service tier can help prevent:

• Volumetric attacks: The goal of this attack is to flood the network layer with a substantial
amount of seemingly legitimate traffic.

• Protocol attacks: These attacks render a target inaccessible by exploiting a weakness in the
layer 3 and layer 4 protocol stack.

• Resource-layer (application-layer) attacks (only with web application firewall): These
attacks target web application packets to disrupt the transmission of data between hosts.
You need a web application firewall (WAF) to protect against L7 attacks. DDoS Protection
Standard protects the WAF from volumetric and protocol attacks.

Network security groups

A network security group enables you to filter network traffic to and from Azure resources within an
Azure virtual network. You can think of NSGs like an internal firewall. An NSG can contain multiple
inbound and outbound security rules that enable you to filter traffic to and from resources by source
and destination IP address, port, and protocol.

Secure the perimeter layer

The perimeter layer is about protecting your organization's resources from network-based attacks.

• Use Azure DDoS Protection to filter large-scale attacks before they can cause a denial of
service for users.

• Use perimeter firewalls with Azure Firewall to identify and alert on malicious attacks against
your network.

Secure the network layer

The focus is on limiting network connectivity across all of your resources to allow only what's
required.

• By restricting connectivity, you reduce the risk of lateral movement throughout your
network from an attack.

• Use network security groups to create rules that define allowed inbound and outbound
communication at this layer.

Some recommended practices:

• Limit communication between resources by segmenting your network and configuring
access controls.

• Deny by default.

• Restrict inbound internet access and limit outbound where appropriate.

• Implement secure connectivity to on-premises networks.
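As an added example, not code from these notes or from Microsoft, the Python script below simulates how an NSG processes its inbound rules, including a subset of the built-in default rules, and shows why "deny by default" still needs an explicit rule for SSH that originates inside the virtual network (the rules, the 10.0.0.0/16 address space and the sample addresses are constructed):

```python
"""Simulate inbound rule processing of an Azure network security group (NSG).

Rules are evaluated in ascending priority order (custom rules use 100-4096);
the first rule whose protocol, source and destination port all match decides
the outcome. Azure appends default rules at 65000+, and the final one is
DenyAllInBound, which is where 'deny by default' comes from. The default
AllowVnetInBound rule, however, allows traffic from inside the virtual network,
so locking down an intra-VNet port needs an explicit Deny rule.
All rules and addresses below are constructed samples.
"""
import ipaddress
from dataclasses import dataclass

ANY = "*"
# Service tags understood by this simulation (constructed subset of Azure's tags).
INTERNET = "Internet"
VNET = "VirtualNetwork"


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int
    access: str       # "Allow" or "Deny"
    protocol: str     # "Tcp", "Udp" or "*"
    source: str       # CIDR prefix, service tag or "*"
    dest_ports: str   # "22", "80,443", "1000-2000" or "*"


def _source_matches(rule_source: str, src_ip: str, vnet: ipaddress.IPv4Network) -> bool:
    ip = ipaddress.ip_address(src_ip)
    if rule_source == ANY:
        return True
    if rule_source == VNET:
        return ip in vnet
    if rule_source == INTERNET:
        # Simplification: anything outside the virtual network address space.
        return ip not in vnet
    return ip in ipaddress.ip_network(rule_source, strict=False)


def _port_matches(spec: str, port: int) -> bool:
    if spec == ANY:
        return True
    for part in spec.split(","):
        low, _, high = part.partition("-")
        if int(low) <= port <= int(high or low):
            return True
    return False


def evaluate_inbound(rules, src_ip: str, dest_port: int, protocol: str,
                     vnet: str = "10.0.0.0/16") -> tuple[str, str]:
    """Return (access, rule name) of the first matching rule, lowest priority number first."""
    net = ipaddress.ip_network(vnet)
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.protocol not in (ANY, protocol):
            continue
        if not _source_matches(rule.source, src_ip, net):
            continue
        if not _port_matches(rule.dest_ports, dest_port):
            continue
        return rule.access, rule.name
    raise ValueError("rule set must end with a catch-all default rule")


# Constructed subset of Azure's default inbound rules (AzureLoadBalancer rule omitted).
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", ANY, VNET, ANY),
    Rule("DenyAllInBound", 65500, "Deny", ANY, ANY, ANY),
]

# Constructed custom rules for a web tier: HTTPS from anywhere, SSH only from a bastion subnet.
WEB_TIER_RULES = [
    Rule("AllowHttpsFromInternet", 100, "Allow", "Tcp", INTERNET, "443"),
    Rule("AllowSshFromBastion", 110, "Allow", "Tcp", "10.0.250.0/24", "22"),
    Rule("DenySshFromVnet", 120, "Deny", "Tcp", VNET, "22"),
]


def web_tier_decision(src_ip: str, dest_port: int, protocol: str = "Tcp") -> tuple[str, str]:
    return evaluate_inbound(WEB_TIER_RULES + DEFAULT_INBOUND, src_ip, dest_port, protocol)


if __name__ == "__main__":
    for src, port in [("203.0.113.7", 443), ("203.0.113.7", 22),
                      ("10.0.250.5", 22), ("10.0.1.9", 22), ("10.0.1.9", 8080)]:
        print(src, port, "->", web_tier_decision(src, port))
```

Without the DenySshFromVnet rule, SSH from 10.0.1.9 would fall through to AllowVnetInBound and be allowed, which is the segmentation gap the recommended practices above warn about.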

Combine services

You can combine Azure networking and security services to manage your network security and
provide increased layered protection.

• Network security groups and Azure Firewall: Azure Firewall complements the functionality
of network security groups. Together, they provide better defense-in-depth network
security. Network security groups provide distributed network-layer traffic filtering to limit
traffic to resources within virtual networks in each subscription. Azure Firewall is a fully
stateful, centralized network firewall as a service that provides network-level and application-
level protection across different subscriptions and virtual networks.

• Azure Application Gateway web application firewall and Azure Firewall: Web application
firewall (WAF) is a feature of Azure Application Gateway that provides your web
applications with centralized, inbound protection against common exploits and
vulnerabilities.

Azure Firewall provides:

• Inbound protection for non-HTTP/S protocols (for example, RDP, SSH, and FTP).

• Outbound network-level protection for all ports and protocols.

• Application-level protection for outbound HTTP/S.

Identity

Authentication: Authentication is the process of establishing the identity of a person or service that
wants to access a resource.

Authorization: Authentication establishes the user's identity, but authorization is the process of
establishing what level of access an authenticated person or service has.

Azure Active Directory

• Provides identity services that enable your users to sign in and access both Microsoft cloud
applications and cloud applications that you develop.

• Active Directory: Microsoft introduced Active Directory in Windows 2000 to give
organizations the ability to manage multiple on-premises infrastructure components and
systems by using a single identity per user.

• Azure AD: With Azure AD, you control the identity accounts, but Microsoft ensures that the
service is available globally.

• When you secure identities on-premises with Active Directory, Microsoft doesn't monitor
sign-in attempts.

• Connecting Active Directory with Azure AD enables detection of suspicious sign-in attempts
at no extra cost.

Azure AD users

IT administrators: Administrators can use Azure AD to control access to applications and resources
based on their business requirements.

App developers: Developers can use Azure AD to provide a standards-based approach for adding
functionality to applications that they build.

Users: Users can manage their identities.

Online service subscribers: Microsoft 365, Microsoft Office 365, Azure, and Microsoft Dynamics
CRM Online subscribers are already using Azure AD.

Azure AD services

• Authentication: verifying identity to access applications and resources.

• Single sign-on: SSO enables you to remember only one username and one password to
access multiple applications.

• Application management: You can manage your cloud and on-premises apps by using Azure
AD.

• Device management: Along with accounts for individual people, Azure AD supports the
registration of devices. Registration enables devices to be managed through tools like
Microsoft Intune.

Azure AD helps users access both external and internal resources.

Single sign-on

• Single sign-on enables a user to sign in one time and use that credential to access multiple
resources and applications from different providers.

• If a user leaves an organization, tracking down all those identities and ensuring they are
disabled can be challenging. If an identity is overlooked, this might allow access when it
should have been eliminated.

Connecting Active Directory with Azure AD

Connecting Active Directory with Azure AD enables you to provide a consistent identity experience
to your users.

There are a few ways to connect your existing Active Directory installation with Azure AD:

• Azure AD Connect: synchronizes user identities between on-premises Active Directory and
Azure AD. Because changes are synchronized between both identity systems, you can use
features such as SSO, multifactor authentication, and self-service password reset. By
integrating its existing Active Directory instance with Azure AD, an organization creates a
consistent access model across the organization.

Multifactor authentication

Multifactor authentication is a process where a user is prompted during the sign-in process for an
additional form of identification. Examples include a code on their mobile phone or a fingerprint
scan.

• Multifactor authentication provides additional security for your identities by requiring two
or more elements to fully authenticate:

• Something the user knows

• Something the user has

• Something the user is

Azure AD Multi-Factor Authentication

• Azure AD Multi-Factor Authentication is a Microsoft service that provides multifactor
authentication capabilities. Azure AD Multi-Factor Authentication enables users to choose
an additional form of authentication during sign-in, such as a phone call or mobile app
notification.

• These services provide Azure AD Multi-Factor Authentication capabilities:

• Azure Active Directory: The Azure Active Directory free edition enables Azure AD
Multi-Factor Authentication for administrators with the global admin level of access,
via the Microsoft Authenticator app, phone call, or SMS code.

• Multifactor authentication for Office 365: A subset of Azure AD Multi-Factor
Authentication capabilities is part of your Office 365 subscription.

Conditional Access

• Conditional Access is a tool that Azure Active Directory uses to allow (or deny) access to
resources based on identity signals. These signals include who the user is, where the user is,
and what device the user is requesting access from.

• Conditional Access helps IT administrators:

• Empower users to be productive wherever and whenever.

• Protect the organization's assets.

• During sign-in, Conditional Access collects signals from the user, makes decisions based on
those signals, and then enforces that decision by allowing or denying the access request or
challenging for a multifactor authentication response.

Conditional Access is useful when you need to:

• Require multifactor authentication to access an application.

• Require access to services only through approved client applications.

• Require users to access your application only from managed devices. A managed device is a
device that meets your standards for security and compliance.

• Block access from untrusted sources, such as access from unknown or unexpected locations.

Conditional Access comes with a What If tool, which helps you plan and troubleshoot your
Conditional Access policies. You can use this tool to model your proposed Conditional Access policies
across recent sign-in attempts from your users to see what the impact would have been if those
policies had been enabled.

To use Conditional Access, you need an Azure AD Premium P1 or P2 license. If you have a Microsoft
365 Business Premium license, you also have access to Conditional Access features.
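The following Python model is an added example, not Microsoft's implementation, of the signal-to-decision evaluation described above and of a What If style dry run over recent sign-ins; the policies, groups, apps and sign-in events are constructed samples:

```python
"""Model how Conditional Access turns sign-in signals into a decision.

Each policy targets a set of sign-ins (user group, cloud app, location,
client app) and carries one grant control: block, require multifactor
authentication, or require a managed device. At sign-in every policy is
checked against the collected signals; a matching 'block' always wins,
an unsatisfiable 'managed device' requirement also ends in a block, and a
'mfa' requirement becomes an MFA challenge. what_if() replays proposed
policies over recent sign-ins, the way the What If tool does.
Policies, groups, apps and sign-ins below are constructed samples.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class SignIn:
    user: str
    groups: frozenset
    app: str
    country: str
    device_managed: bool
    client_app: str   # "browser", "mobileAppsAndDesktopClients" or "other" (legacy protocols)


@dataclass(frozen=True)
class Policy:
    name: str
    grant: str                                   # "block", "mfa" or "managedDevice"
    groups: frozenset = frozenset()              # empty -> all users
    apps: frozenset = frozenset()                # empty -> all cloud apps
    trusted_countries: frozenset = frozenset()   # if set, the policy applies only outside them
    client_apps: frozenset = frozenset()         # empty -> any client app


def applies(policy: Policy, s: SignIn) -> bool:
    """True when the sign-in falls inside the policy's assignment conditions."""
    if policy.groups and not (policy.groups & s.groups):
        return False
    if policy.apps and s.app not in policy.apps:
        return False
    if policy.trusted_countries and s.country in policy.trusted_countries:
        return False
    if policy.client_apps and s.client_app not in policy.client_apps:
        return False
    return True


def decide(policies, s: SignIn) -> tuple[str, tuple]:
    """Return (decision, names of matching policies); decision is allow, challenge-mfa or block."""
    matched = [p for p in policies if applies(p, s)]
    names = tuple(p.name for p in matched)
    grants = {p.grant for p in matched}
    if "block" in grants:
        return "block", names
    if "managedDevice" in grants and not s.device_managed:
        return "block", names           # required control cannot be satisfied by this device
    if "mfa" in grants:
        return "challenge-mfa", names
    return "allow", names


def what_if(policies, recent_sign_ins) -> Counter:
    """Tally what the proposed policies would have done to recent sign-ins."""
    return Counter(decide(policies, s)[0] for s in recent_sign_ins)


PROPOSED_POLICIES = [
    Policy("Block legacy authentication", "block", client_apps=frozenset({"other"})),
    Policy("Require MFA for admins", "mfa", groups=frozenset({"Global Admins"})),
    Policy("Require MFA outside trusted countries", "mfa", trusted_countries=frozenset({"HU", "DE"})),
    Policy("Require managed device for Finance Portal", "managedDevice", apps=frozenset({"Finance Portal"})),
]

RECENT_SIGN_INS = [
    SignIn("anna", frozenset({"Finance"}), "Finance Portal", "HU", True, "browser"),
    SignIn("bela", frozenset({"Global Admins"}), "Azure portal", "HU", True, "browser"),
    SignIn("csaba", frozenset({"Sales"}), "Outlook", "BR", False, "browser"),
    SignIn("dora", frozenset({"Sales"}), "Exchange Online", "HU", False, "other"),
    SignIn("erik", frozenset({"Finance"}), "Finance Portal", "HU", False, "browser"),
]

if __name__ == "__main__":
    for s in RECENT_SIGN_INS:
        print(s.user, decide(PROPOSED_POLICIES, s))
    print(what_if(PROPOSED_POLICIES, RECENT_SIGN_INS))
```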

Cloud Adoption Framework

The Cloud Adoption Framework for Azure provides you with proven guidance to help with your
cloud adoption journey. The Cloud Adoption Framework helps you create and implement the
business and technology strategies needed to succeed in the cloud. The Cloud Adoption Framework
consists of tools, documentation, and proven practices.

The Cloud Adoption Framework includes these stages:

1. Define your strategy.

2. Make a plan.

3. Ready your organization.

4. Adopt the cloud.

5. Govern and manage your cloud environments.

Define your strategy

In this stage, you define why you're moving to the cloud and what you want to get out of cloud migration.

Here are the steps in this stage:

1. Define and document your motivations

2. Document business outcomes

3. Develop a business case

4. Choose the right first project


Make a plan

You build a plan that maps your aspirational goals to specific actions.

Here are the steps in this stage:

1. Digital estate

2. Initial organizational alignment

3. Skills readiness plan

4. Cloud adoption plan

Ready your organization

You create a landing zone, or an environment in the cloud, to begin hosting your workloads.

Here are the steps in this stage:

1. Azure setup guide

2. Azure landing zone

3. Expand the landing zone

4. Best practices

Adopt the cloud

You begin to migrate your applications to the cloud.

Migrate: Here are the steps in the migrate part of this stage:

1. Migrate your first workload

2. Migration scenarios

3. Best practices

4. Process improvements

Innovate: Here are the steps in the innovate part of this stage:

1. Business value consensus

2. Azure innovation guide

3. Best practices

4. Feedback loops

Govern and manage your cloud environments

You begin to form your cloud governance and cloud management strategies.

Govern: Here are the steps in the govern part of this stage:

1. Methodology

2. Benchmark

3. Initial governance foundation

4. Improve the initial governance foundation

Manage: Here are the steps in the manage part of this stage:

1. Establish a management baseline

2. Define business commitments

3. Expand the management baseline

4. Advanced operations and design principles

Create a subscription governance strategy

Cloud center of excellence team: This team is empowered to implement governance practices from a
centralized location for the entire organization.

• Billing: You can create one billing report per subscription (Resource tags can also help).

• Access control: Every subscription is associated with an Azure Active Directory tenant. Each
tenant provides administrators the ability to set granular access through defined roles by
using Azure role-based access control.

• Subscription limits: Subscriptions also have some resource limitations. Management groups
are also available to assist with managing subscriptions. A management group manages
access, policies, and compliance across multiple Azure subscriptions.

Azure role-based access control

Role-based access control is applied to a scope, which is a resource or set of resources that this
access applies to.

Scopes include:

• A management group (a collection of multiple subscriptions).

• A single subscription.

• A resource group.

• A single resource.

Azure RBAC

Use Azure RBAC when you need to:

• Allow one user to manage VMs in a subscription and another user to manage virtual
networks.

• Allow a database administrator group to manage SQL databases in a subscription.

• Allow a user to manage all resources in a resource group, such as virtual machines, websites,
and subnets.

• Allow an application to access all resources in a resource group.

• Azure RBAC is enforced on any action that's initiated against an Azure resource that passes
through Azure Resource Manager. Resource Manager is a management service that provides
a way to organize and secure your cloud resources.

• Azure RBAC doesn't enforce access permissions at the application or data level.

• RBAC uses an allow model. When you're assigned a role, RBAC allows you to perform certain
actions, such as read, write, or delete.

• You can apply Azure RBAC to an individual person or to a group or other special identity
types, such as service principals and managed identities.

Teams with an interest in some part of their overall IT environment:

• IT Administrators

• Backup and Disaster Recovery

• Cost and Billing

• Security Operations

• You manage access permissions on the Access control (IAM) pane in the Azure portal (who
has access to what scope and what roles apply).

Resource locks

A resource lock prevents resources from being accidentally deleted or changed. Think of a resource
lock as a warning system that reminds you that a resource should not be deleted or changed.

Levels of locking

You can apply locks to a subscription, a resource group, or an individual resource.

Levels of locking:

• CanNotDelete: means authorized people can still read and modify a resource, but they can't
delete the resource without first removing the lock.

• ReadOnly: means authorized people can read a resource, but they can't delete or change
the resource. Applying this lock is like restricting all authorized users to the permissions
granted by the Reader role in Azure RBAC.

Deleting a locked resource is therefore a two-step process: remove the lock, then delete. Resource
locks apply regardless of RBAC permissions. Even if you're an owner of the resource, you must still
remove the lock before you can perform the blocked activity.
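The Python simulation below is an added example, not Azure's authorization code, that combines the RBAC scope inheritance and allow model described earlier with resource locks, to show the two-step process an Owner goes through to delete a locked resource; the role definitions are a constructed subset of the built-in roles and all IDs are samples:

```python
"""Simulate Azure RBAC together with resource locks.

Role assignments and locks both live at a scope (subscription, resource group
or resource) and are inherited by every child resource. RBAC is an allow
model: an action is permitted if any inherited assignment's role includes it.
Locks are checked afterwards and apply regardless of RBAC, so deleting a
locked resource is a two-step process even for an Owner: remove the lock,
then delete. Management-group inheritance is not modelled here.
The role table is a constructed subset of built-in roles; all IDs are samples.
"""
import fnmatch
from dataclasses import dataclass

# Constructed subset of built-in role definitions (control-plane actions only).
ROLE_ACTIONS = {
    "Owner": {"*"},
    "Contributor": {"*"},   # differs from Owner only in role-assignment rights, not modelled
    "Reader": {"*/read"},
    "Virtual Machine Contributor": {"Microsoft.Compute/virtualMachines/*"},
}


@dataclass(frozen=True)
class RoleAssignment:
    principal: str
    role: str
    scope: str


@dataclass(frozen=True)
class Lock:
    scope: str
    level: str   # "CanNotDelete" or "ReadOnly"


def in_scope(scope: str, resource_id: str) -> bool:
    """A scope covers itself and everything under it (case-insensitive, like Azure IDs)."""
    s, r = scope.lower().rstrip("/"), resource_id.lower()
    return r == s or r.startswith(s + "/")


def rbac_allows(assignments, principal: str, action: str, resource_id: str) -> bool:
    return any(
        a.principal == principal
        and in_scope(a.scope, resource_id)
        and any(fnmatch.fnmatchcase(action.lower(), pattern.lower()) for pattern in ROLE_ACTIONS[a.role])
        for a in assignments
    )


def blocking_lock(locks, action: str, resource_id: str):
    """Return the inherited lock that blocks this action, or None."""
    is_read = action.lower().endswith("/read")
    is_delete = action.lower().endswith("/delete")
    for lock in locks:
        if not in_scope(lock.scope, resource_id):
            continue
        if lock.level == "ReadOnly" and not is_read:
            return lock
        if lock.level == "CanNotDelete" and is_delete:
            return lock
    return None


def authorize(assignments, locks, principal: str, action: str, resource_id: str) -> tuple[str, str]:
    """Step 1: RBAC must grant the action. Step 2: no inherited lock may forbid it."""
    if not rbac_allows(assignments, principal, action, resource_id):
        return "denied", "no role assignment grants this action"
    lock = blocking_lock(locks, action, resource_id)
    if lock is not None:
        return "denied", f"{lock.level} lock at {lock.scope}"
    return "allowed", ""


SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
RG = SUB + "/resourceGroups/rg-web"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/web01"
VNET = RG + "/providers/Microsoft.Network/virtualNetworks/vnet-web"

ASSIGNMENTS = [
    RoleAssignment("alice", "Owner", SUB),
    RoleAssignment("bob", "Virtual Machine Contributor", RG),
    RoleAssignment("carol", "Reader", RG),
]
LOCKS = [Lock(RG, "CanNotDelete")]

if __name__ == "__main__":
    # Owner at subscription scope, lock inherited from the resource group: step 1 passes, step 2 fails.
    print(authorize(ASSIGNMENTS, LOCKS, "alice", "Microsoft.Compute/virtualMachines/delete", VM))
    # Same request after the lock has been removed.
    print(authorize(ASSIGNMENTS, [], "alice", "Microsoft.Compute/virtualMachines/delete", VM))
```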

Azure Blueprints

To make the protection process more robust, you can combine resource locks with Azure Blueprints.
Azure Blueprints enables you to define the set of standard Azure resources that your organization
requires. Azure Blueprints can automatically replace the resource lock if that lock is removed.

Organization

One way to organize related resources is to place them in their own subscriptions. You can also use
resource groups to manage related resources. Resource tags are another way to organize resources.
Tags provide extra information, or metadata, about your resources.

This metadata is useful for:

• Resource management: to locate and act on resources that are associated with specific
workloads, environments, business units, and owners.

• Cost management and optimization: to group resources so that you can report on costs.

• Operations management: to group resources according to how critical their availability is to
your business.

• Security: classify data by its security level.

• Governance and regulatory compliance: enable you to identify resources that align with
governance or regulatory compliance requirements.

• Workload optimization and automation: it can help you visualize all of the resources that
participate in complex deployments.

Resource tags

You can add, modify, or delete resource tags through PowerShell, the Azure CLI, Azure Resource
Manager templates, the REST API, or the Azure portal.

Use Azure Policy to ensure that a resource inherits the same tags as its parent resource group and to
enforce tagging rules and conventions.

Azure Policy

Azure Policy is a service in Azure that enables you to create, assign, and manage policies that control
or audit your resources. These policies enforce different rules and effects over your resource
configurations so that those configurations stay compliant with corporate standards.

• Azure Policy evaluates your resources and highlights resources that aren't compliant with
the policies you've created.

• Azure Policy can also prevent noncompliant resources from being created.

• In some cases, Azure Policy can automatically remediate noncompliant resources and
configurations to ensure the integrity of the state of the resources (can be integrated with
Azure DevOps).

Implementing a policy in Azure Policy involves these three steps:

1. Create a policy definition.

2. Assign the definition to resources.

3. Review the evaluation results.

Create a policy definition

A policy definition expresses what to evaluate and what action to take. Every policy definition has
conditions under which it's enforced. A policy definition also has an accompanying effect that takes
place when the conditions are met. Here are some example policy definitions:

• Allowed virtual machine SKUs: This policy enables you to specify a set of VM SKUs
that your organization can deploy.

• Allowed locations: to restrict the locations that your organization can specify when
it deploys resources.

• MFA should be enabled on accounts with write permissions on your subscription:
requires that multifactor authentication (MFA) be enabled for all subscription
accounts with write privileges to prevent a breach of accounts or resources.

• CORS should not allow every resource to access your web applications: Cross-origin
resource sharing (CORS) is an HTTP feature that enables a web application running
under one domain to access resources in another domain.

• System updates should be installed on your machines: enables Azure Security
Center to recommend missing security system updates on your servers.

Assign the definition to resources

To implement your policy definitions, you assign definitions to resources. A policy assignment is a
policy definition that takes place within a specific scope. This scope could be a management group (a
collection of multiple subscriptions), a single subscription, or a resource group.

Policy assignments are inherited by all child resources within that scope.

Review the evaluation results

When a condition is evaluated against your existing resources, each resource is marked as compliant
or noncompliant.

Policy evaluation happens about once per hour. If you make changes to your policy definition and
create a policy assignment, that policy is evaluated over your resources within the hour.
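As an added example, not Microsoft's evaluation engine or the exact built-in definitions, the Python script below evaluates simplified policy definitions written in Azure Policy's if/then rule language against sample resources, honouring assignment scope, parameters and the deny versus audit effects; the alias table, the definitions and the resources are constructed:

```python
"""Evaluate Azure Policy definitions against resources.

Definitions use Azure Policy's rule language: an 'if' condition built from field
comparisons (equals, notEquals, in, notIn, exists) and the operators not/allOf/anyOf,
plus a 'then' effect. Parameters are referenced as "[parameters('name')]" and supplied
by the assignment, which also fixes the scope the policy flows down from. A matching
'deny' rejects the deployment; a matching 'audit' allows it but marks it noncompliant.
Definitions are simplified from the built-ins named in the notes; the alias table and
the sample resources are constructed, not exported tenant data.
"""
import re
from dataclasses import dataclass, field

# Constructed alias table: policy field alias -> path into the resource body.
ALIASES = {"Microsoft.Compute/virtualMachines/sku.name": ("properties", "hardwareProfile", "vmSize")}

ALLOWED_LOCATIONS = {"policyRule": {  # simplified "Allowed locations"
    "if": {"allOf": [{"field": "location", "notIn": "[parameters('listOfAllowedLocations')]"},
                     {"field": "location", "notEquals": "global"}]},
    "then": {"effect": "deny"}}}
ALLOWED_VM_SKUS = {"policyRule": {  # simplified "Allowed virtual machine size SKUs"
    "if": {"allOf": [{"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
                     {"not": {"field": "Microsoft.Compute/virtualMachines/sku.name",
                              "in": "[parameters('listOfAllowedSKUs')]"}}]},
    "then": {"effect": "deny"}}}
REQUIRE_ENV_TAG = {"policyRule": {  # constructed tagging rule, audit effect only
    "if": {"field": "tags['Environment']", "exists": "false"},
    "then": {"effect": "audit"}}}


@dataclass(frozen=True)
class Assignment:
    name: str
    definition: dict
    scope: str                      # subscription or resource group ID the policy applies to
    parameters: dict = field(default_factory=dict)


def _param(value, params):
    # Replace a "[parameters('x')]" reference with the value supplied by the assignment.
    m = re.fullmatch(r"\[parameters\('(\w+)'\)\]", value) if isinstance(value, str) else None
    return params[m.group(1)] if m else value


def _field(name, resource):
    if name in ("location", "type", "name"):
        return resource.get(name)
    if name.startswith("tags['") and name.endswith("']"):
        return (resource.get("tags") or {}).get(name[6:-2])
    value = resource
    for key in ALIASES[name]:       # unknown alias -> KeyError, as Azure rejects the definition
        value = (value or {}).get(key)
    return value


def _norm(v):
    return v.lower() if isinstance(v, str) else v   # Azure compares strings case-insensitively


def condition_holds(cond, resource, params) -> bool:
    if "not" in cond:
        return not condition_holds(cond["not"], resource, params)
    if "allOf" in cond:
        return all(condition_holds(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(condition_holds(c, resource, params) for c in cond["anyOf"])
    actual = _norm(_field(cond["field"], resource))
    op = next(k for k in ("equals", "notEquals", "in", "notIn", "exists") if k in cond)
    expected = _param(cond[op], params)
    if op == "equals":
        return actual == _norm(expected)
    if op == "notEquals":
        return actual != _norm(expected)
    if op in ("in", "notIn"):
        return (actual in {_norm(x) for x in expected}) == (op == "in")
    return (actual is not None) == (str(expected).lower() == "true")   # exists


def evaluate(resource, assignments):
    """Return (assignment name, effect) for every assignment whose 'if' matches the resource."""
    hits = []
    for a in assignments:
        if not resource["id"].lower().startswith(a.scope.lower().rstrip("/") + "/"):
            continue                # assignments are inherited only by resources below their scope
        rule = a.definition["policyRule"]
        if condition_holds(rule["if"], resource, a.parameters):
            hits.append((a.name, rule["then"]["effect"]))
    return hits


SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
ASSIGNMENTS = [
    Assignment("allowed-locations", ALLOWED_LOCATIONS, SUB,
               {"listOfAllowedLocations": ["westeurope", "northeurope"]}),
    Assignment("allowed-vm-skus", ALLOWED_VM_SKUS, SUB + "/resourceGroups/rg-web",
               {"listOfAllowedSKUs": ["Standard_B2s", "Standard_D2s_v3"]}),
    Assignment("require-environment-tag", REQUIRE_ENV_TAG, SUB),
]


def sample_vm(name, location, size, tags=None, rg="rg-web"):
    """Constructed resource body in the shape Azure Resource Manager returns."""
    return {"id": f"{SUB}/resourceGroups/{rg}/providers/Microsoft.Compute/virtualMachines/{name}",
            "name": name, "type": "Microsoft.Compute/virtualMachines", "location": location,
            "tags": tags, "properties": {"hardwareProfile": {"vmSize": size}}}
```

A VM in eastus without tags is denied by the location policy and flagged by the tag audit, while an oversized VM in a resource group outside the SKU assignment's scope passes, which is the scope inheritance described above.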

Azure Policy initiatives

An Azure Policy initiative is a way of grouping related policies into one set. The initiative definition
contains all of the policy definitions to help track your compliance state for a larger goal.

Enable Monitoring in Azure Security Center (contains over 100 separate policy definitions): to
monitor all of the available security recommendations for all Azure resource types in Azure Security
Center.

Under this initiative, the following policy definitions are included:

• Monitor unencrypted SQL Database in Security Center

• Monitor OS vulnerabilities in Security Center

• Monitor missing Endpoint Protection in Security Center

Azure Blueprint

Cloud center of excellence team can use Azure Blueprints to scale their governance practices
throughout the organization.

Implementing a blueprint in Azure Blueprints involves these three steps:

1. Create an Azure blueprint.

2. Assign the blueprint.

3. Track the blueprint assignments.

With Azure Blueprints, the relationship between the blueprint definition (what should be deployed)
and the blueprint assignment (what was deployed) is preserved. In other words, Azure creates a
record that associates a resource with the blueprint that defines it. This connection helps you track
and audit your deployments.

Blueprint artifacts

• Each component in the blueprint definition is known as an artifact.

• It is possible for artifacts to have no additional parameters (configurations). An example is
the Deploy threat detection on SQL servers policy, which requires no additional
configuration.

• Artifacts can also contain one or more parameters that you can configure.

ISO 27001

ISO 27001 is a standard that applies to the security of IT systems, published by the International
Organization for Standardization.

Example: ISO 27001: Shared Services Blueprint

1. Define a management group that's named PROD-MG.

2. Recall that a management group manages access, policies, and compliance across
multiple Azure subscriptions. Every new Azure subscription is added to this
management group when the subscription is created.

3. Create a blueprint definition that's based on the ISO 27001: Shared Services
Blueprint template. Then publish the blueprint.

4. Assign the blueprint to your PROD-MG management group.

Criminal Justice Information Service

Any US state or local agency that wants to access the FBI's Criminal Justice Information Services
(CJIS) database is required to adhere to the CJIS Security Policy.

Azure is the only major cloud provider that contractually commits to conformance with the CJIS
Security Policy. Microsoft adheres to the same requirements that law enforcement and public safety
entities must meet.

Cloud Security Alliance STAR Certification

Azure, Intune, and Microsoft Power BI have obtained Cloud Security Alliance (CSA) STAR
Certification, which involves a rigorous independent third-party assessment of a cloud provider's
security posture.

STAR Certification is based on achieving International Organization for Standardization/International
Electrotechnical Commission (ISO/IEC) 27001 certification and meeting criteria specified in the Cloud
Controls Matrix (CCM). This certification demonstrates that a cloud service provider:

• Conforms to the applicable requirements of ISO/IEC 27001.

• Has addressed issues critical to cloud security as outlined in the CCM.

• Has been assessed against the STAR Capability Maturity Model for the management of
activities in CCM control areas.

European Union Model Clauses

Microsoft offers customers European Union (EU) Standard Contractual Clauses that provide
contractual guarantees around transfers of personal data outside of the EU.

Microsoft is the first company to receive joint approval from the EU's Article 29 Working Party that
the contractual privacy protections Azure delivers to its enterprise cloud customers meet current EU
standards for international transfers of data. Meeting this standard ensures that Azure customers
can use Microsoft services to move data freely through Microsoft's cloud, from Europe to the rest of
the world.

Microsoft Privacy Statement

The Microsoft Privacy Statement explains what personal data Microsoft collects, how Microsoft uses
it, and for what purposes.

• The privacy statement covers all of Microsoft's services, websites, apps, software, servers,
and devices.

Online Services Terms

The Online Services Terms (OST) is a legal agreement between Microsoft and the customer. The OST
details the obligations by both parties with respect to the processing and security of customer data
and personal data.

Data Protection Addendum

The Data Protection Addendum (DPA) further defines the data processing and security terms for
online services. These terms include:

• Compliance with laws.

• Disclosure of processed data.

• Data Security, which includes security practices and policies, data encryption, data access,
customer responsibilities, and compliance with auditing.

• Data transfer, retention, and deletion.

Trust Center

The Trust Center showcases Microsoft's principles for maintaining data integrity in the cloud and
how Microsoft implements and supports security, privacy, compliance, and transparency in all
Microsoft cloud products and services.

The Trust Center provides:

• In-depth information about security, privacy, compliance offerings, policies, features, and
practices across Microsoft cloud products.

• Additional resources for each topic.

• Links to the security, privacy, and compliance blogs and upcoming events.

Azure compliance documentation

• The Azure compliance documentation provides you with detailed documentation about legal
and regulatory standards and compliance on Azure.

Here you find compliance offerings across these categories:

• Global

• US government

• Financial services

• Health

• Media and manufacturing

• Regional

• From the Azure compliance documentation, you can access additional compliance resources.
For example, from the Audit reports section, you find a link to audit reports for PCI DSS.

• From there, you can access several different files, including the Attestation of Compliance
reports and the PCI DSS Shared Responsibility Matrix.

• Under Compliance blueprints, you find reference blueprints, or policy definitions, for
common standards that you can apply to your Azure subscription.

• The PCI DSS blueprint deploys a core set of policies that map to PCI DSS
compliance and help you govern your Azure workloads against this standard.

Azure Government

Azure Government is a separate instance of the Microsoft Azure service. It addresses the security
and compliance needs of US federal agencies, state and local governments, and their solution
providers. Azure Government offers physical isolation from non-US government deployments and
provides screened US personnel.

Azure Government services handle data that is subject to certain government regulations and
requirements:

• Federal Risk and Authorization Management Program (FedRAMP)

• National Institute of Standards and Technology (NIST) 800.171 Defense Industrial
Base (DIB)

• International Traffic in Arms Regulations (ITAR)

• Internal Revenue Service (IRS) 1075

• Department of Defense (DoD) L4

• Criminal Justice Information Service (CJIS)

Azure Government uses physically isolated datacenters and networks located only in the US. Azure
Government customers, such as the US federal, state, and local government or their partners, are
subject to validation of eligibility. Azure Government provides the broadest compliance and Level 5
DoD approval.

Azure China 21Vianet

• Azure China 21Vianet is operated by 21Vianet. It's a physically separated instance of cloud
services located in China. Azure China 21Vianet is independently operated and transacted by
Shanghai Blue Cloud Technology Co., Ltd. ("21Vianet"), a wholly owned subsidiary of Beijing
21Vianet Broadband Data Center Co., Ltd.

• According to the China Telecommunication Regulation, providers of cloud services,
infrastructure as a service (IaaS) and platform as a service (PaaS), must have value-added
telecom permits.

• Only locally registered companies with less than 50 percent foreign investment qualify for
these permits.

• To comply with this regulation, the Azure service in China is operated by 21Vianet, based on
the technologies licensed from Microsoft.

• As the first foreign public cloud service provider offered in China in compliance with
government regulations, Azure China 21Vianet provides world-class security as discussed on
the Trust Center, as required by Chinese regulations for all systems and applications built on
its architecture.

TCO Calculator

The TCO Calculator helps you estimate the cost savings of operating your solution on Azure over
time, instead of in your on-premises datacenter.

• You enter the details of your on-premises workloads; these costs include electricity, network
maintenance, and IT labor.

Working with the TCO Calculator involves three steps:

• Define your workloads: you enter the specifications of your on-premises infrastructure
into the TCO Calculator, based on these four categories: servers, databases, storage, and
networking.

• Adjust assumptions: specify whether your current on-premises licenses are enrolled for
Software Assurance, specify whether you need to replicate your storage to another Azure
region for greater redundancy, and review cost assumptions across several different areas:

• Electricity price per kilowatt hour (kWh).

• Hourly pay rate for IT administration.

• Network maintenance cost as a percentage of network hardware and software
costs.

• View the report: Choose a time frame between one and five years. The TCO Calculator
generates a report that's based on the information you've entered.

Azure subscriptions

Azure offers both free and paid subscription options:

• Free trial

• Pay-as-you-go

• Member offers: Your existing membership to certain Microsoft products and services might
provide you with credits for your Azure account and reduced rates on Azure services, for
example: member offers are available to Visual Studio subscribers, Microsoft Partner
Network members.

Azure services

There are three main ways to purchase services on Azure:

• Through an Enterprise Agreement: Your organization commits to spending a predetermined
amount on Azure services over a period of three years.

• Directly from the web: Here, you purchase Azure services directly from the Azure portal
website and pay standard prices. You're billed monthly, as a credit card payment or through
an invoice.

• Through a Cloud Solution Provider: A Cloud Solution Provider (CSP) is a Microsoft Partner
who helps you build solutions on top of Azure. Your CSP bills you for your Azure usage at a
price they determine. They also answer your support questions and escalate them to
Microsoft, as needed.

Factors that affect cost

• Resource type: For example, with a storage account you specify a type (such as block blob
storage or table storage), a performance tier (standard or premium), and an access tier (hot,
cool, or archive).

• Usage meters: When you provision a resource, Azure creates one or more meters to track its
usage. Azure uses these meters to generate a usage record that's later used to help calculate
your bill. Each meter tracks a specific type of usage. For example, the meters for a single VM
include:

• Overall CPU time.

• Time spent with a public IP address.


• Incoming (ingress) and outgoing (egress) network traffic in and out of the VM.

• Disk size and amount of disk read and disk write operations.

• Resource usage: In Azure, you can delete or deallocate a VM. Deleting a VM means that you
no longer need it. Deallocating a VM means that the VM is no longer running, but the
associated hard disks and data are still kept in Azure. The VM isn't assigned to a CPU or
network in Azure's datacenter, so it doesn't generate the costs associated with compute time
or the VM's IP address. Because the disks and data are still stored, and the resource is
present in your Azure subscription, you're still billed for disk storage.

• Azure subscription types: Some Azure subscription types also include usage allowances,
which affect costs (e.g., free products).

Azure Marketplace: You can also purchase Azure-based solutions and services from third-party
vendors through Azure Marketplace.

Does location or network traffic affect cost? - When you provision a resource in Azure, you need to
define the location (known as the Azure region) where it will be deployed.

• Location: Azure infrastructure is distributed globally, which enables you to deploy your
services centrally or provision your services closest to where your customers use them.
Different regions can have different associated prices. Because geographic regions can
impact where your network traffic flows, network traffic is a cost influence to consider as
well.

• Zones for billing of network traffic: Bandwidth refers to data moving in and out of Azure
datacenters. Some inbound data transfers (data going into Azure datacenters) are free. For
outbound data transfers (data leaving Azure datacenters), data transfer pricing is based on
zones.

• A zone is a geographical grouping of Azure regions for billing purposes. The following zones
include some of the regions as shown here:

• Zone 1: Australia Central, West US, East US, Canada West, West Europe, France
Central, and others.

• Zone 2: Australia East, Japan West, Central India, Korea South, and others

• Zone 3: Brazil South, South Africa North, South Africa West, UAE Central, UAE North

• DE Zone 1: Germany Central, Germany Northeast

• How can I estimate the total cost? - Azure Pricing calculator: The Pricing calculator displays
Azure products in categories. You add these categories to your estimate and configure
according to your specific requirements. You then receive a consolidated estimated price,
with a detailed breakdown of the costs associated with each resource you added to your
solution.
The options that you can configure in the Pricing calculator vary between products, but they can
include:

• Region: A region is the geographical location in which you can provision a service.

• Tier: tiers offer different levels of availability or performance and have different associated costs.

• Billing options: highlight the different ways you can pay for a service.

• Support options: These options enable you to select additional support pricing options for
certain services.

• Programs and offers

• Azure Dev/Test pricing: This option lists the available prices for development and test
workloads.

Total cost

• To help you plan your solution on Azure, carefully consider the products, services, and
resources you need.

• Calculate your projected costs by using the Pricing calculator and the Total Cost of
Ownership (TCO) Calculator.

• Azure Advisor: identifies unused or underutilized resources and recommends which ones you
can remove. This information helps you size your resources to match your actual workload.

Spending limits

• If you have a free trial or a credit-based Azure subscription, you can use spending limits to
prevent accidental overrun.

• When you spend all the credit included with your Azure free account, the Azure resources
you deployed are removed from production and your Azure virtual machines (VMs) are
stopped and deallocated.

• If you have a credit-based subscription and you reach your configured spending limit, Azure
suspends your subscription until a new billing period begins.

• A related concept is quotas, or limits on the number of similar resources you can provision
within your subscription. For example, you can allocate up to 25,000 VMs per region.

Azure Cost Management + Billing

Azure Cost Management + Billing is a free service that helps you understand your Azure bill, manage
your account and subscriptions, monitor and control Azure spending, and optimize resource use.

Functions of Azure Cost Management + Billing

• Reporting

• Data enrichment

• Budgets

• Alerting

• Recommendations

Deallocate virtual machines during off hours

• To deallocate a VM means to no longer run the VM, but preserve the associated hard disks
and data in Azure.

• If you have VM workloads that are only used during certain periods, but you're running them
every hour of every day, you're wasting money. These VMs are great candidates to shut
down when not in use and start back when you need them, saving you compute costs while
the VM is deallocated.
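One way to act on the off-hours advice above, as an added example that is not part of these notes or of any Microsoft tool: a VM carries a tag stating the window in which it may be deallocated, the script picks the running VMs whose window contains the current time, and only those are deallocated. The tag name `offhours`, its `HH:MM-HH:MM` format, the `clock`/`in_window`/`vms_to_deallocate` helpers and the `SAMPLE_VMS` inventory are assumptions constructed for this example; the SDK calls (`azure-mgmt-compute`'s `virtual_machines.list`, `instance_view` and `begin_deallocate`) are real but isolated in one function so the selection logic runs offline.

```python
"""Deallocate tagged VMs during their off hours.

Added example for the study notes, not Microsoft's tooling. Assumptions: a VM
carries a tag `offhours=HH:MM-HH:MM` (tag name and format chosen for this
example) stating when it may be deallocated; times are wall-clock times in the
tag's own time zone; the Azure SDK calls are isolated in one function so the
scheduling logic loads and runs without credentials."""
from datetime import datetime

OFFHOURS_TAG = "offhours"          # assumed tag name
RUNNING = "PowerState/running"     # instance-view status code reported by Azure


def clock(hhmm):
    """'22:15' -> datetime.time(22, 15); raises ValueError on bad input."""
    return datetime.strptime(hhmm.strip(), "%H:%M").time()


def parse_window(spec):
    """'19:00-07:00' -> (time(19, 0), time(7, 0)); raises ValueError on bad input."""
    start_s, end_s = spec.split("-", 1)
    return clock(start_s), clock(end_s)


def in_window(now, start, end):
    """True when the time of day `now` falls inside [start, end).

    Off-hours windows usually cross midnight (start > end), so that case is
    handled explicitly instead of being treated as an empty window.
    """
    if start <= end:
        return start <= now < end
    return now >= start or now < end


def vms_to_deallocate(vms, now):
    """Select VMs that are running and inside their off-hours window.

    `vms` is a list of dicts with keys name, power_state and tags, the shape
    `list_vms` produces; `now` is a datetime.time. VMs without the tag, with an
    unparsable tag, or not running are left alone: a typo in a tag must never
    take a workload down.
    """
    chosen = []
    for vm in vms:
        spec = (vm.get("tags") or {}).get(OFFHOURS_TAG)
        if not spec or vm.get("power_state") != RUNNING:
            continue
        try:
            start, end = parse_window(spec)
        except ValueError:
            continue
        if in_window(now, start, end):
            chosen.append(vm["name"])
    return chosen


# Constructed inventory for a stand-alone run; no subscription needed.
SAMPLE_VMS = [
    {"name": "dev-web-01", "power_state": RUNNING,
     "tags": {OFFHOURS_TAG: "19:00-07:00"}},
    {"name": "dev-web-02", "power_state": "PowerState/deallocated",
     "tags": {OFFHOURS_TAG: "19:00-07:00"}},
    {"name": "prod-db-01", "power_state": RUNNING, "tags": {}},
    {"name": "dev-ci-01", "power_state": RUNNING,
     "tags": {OFFHOURS_TAG: "not-a-window"}},
]


def list_vms(client, resource_group):
    """Read name, power state and tags through azure-mgmt-compute."""
    result = []
    for vm in client.virtual_machines.list(resource_group):
        view = client.virtual_machines.instance_view(resource_group, vm.name)
        power = next((s.code for s in view.statuses
                      if s.code.startswith("PowerState/")), None)
        result.append({"name": vm.name, "power_state": power,
                       "tags": vm.tags or {}})
    return result


def deallocate_off_hours(subscription_id, resource_group, now=None):
    """Deallocate (not merely power off from inside the guest, which keeps
    billing compute) the selected VMs. Needs azure-identity, azure-mgmt-compute
    and credentials; imported here so the rest of the module loads without them."""
    from azure.identity import DefaultAzureCredential
    from azure.mgmt.compute import ComputeManagementClient

    client = ComputeManagementClient(DefaultAzureCredential(), subscription_id)
    now = now or datetime.now().time()
    names = vms_to_deallocate(list_vms(client, resource_group), now)
    for name in names:
        client.virtual_machines.begin_deallocate(resource_group, name).result()
    return names


if __name__ == "__main__":
    print(vms_to_deallocate(SAMPLE_VMS, clock("22:00")))   # ['dev-web-01']
    print(vms_to_deallocate(SAMPLE_VMS, clock("12:00")))   # []
```

Two practitioner caveats: deallocation releases a dynamic public IP, so a VM that anything allow-lists by address needs a static public IP before this runs; and the identity the script runs under should hold only a role scoped to the resource group that can deallocate VMs (the built-in Virtual Machine Contributor role suffices), not Contributor on the subscription.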

Migrate from IaaS to PaaS services

• As you move your workloads to the cloud, a natural evolution is to start with infrastructure
as a service (IaaS) services.

• Over time, one way to reduce costs is to gradually move IaaS workloads to run on platform
as a service (PaaS) services.

• PaaS services such as Azure SQL Database are often less expensive to run, and because they're
managed for you, you don't need to worry about software updates, security patches, or
optimizing physical storage for read and write operations.

Save on licensing costs, some examples:

• Choose cost-effective operating systems: Many Azure services provide a choice of running
on Windows or Linux. It's useful to compare pricing to see whether you can save money.

• Use Azure Hybrid Benefit to repurpose software licenses on Azure: If you've purchased
licenses for Windows Server or SQL Server, and your licenses are covered by Software
Assurance, you might be able to repurpose those licenses on VMs on Azure. Some of the
details vary between Windows Server or SQL Server.

Service-level agreements (SLAs)

• A service-level agreement (SLA) is a formal agreement between a service company and the
customer. For Azure, this agreement defines the performance standards that Microsoft
commits to for you, the customer.
• Why are SLAs important? - Understanding the SLA for each Azure service you use helps you
understand what guarantees you can expect.

• You can access SLAs from Service Level Agreements.

• Each Azure service defines its own SLA.

SLA

A typical SLA breaks down into these sections:

• Introduction: This section explains what to expect in the SLA, including its scope and how
subscription renewals can affect the terms.

• General terms: This section contains terms that are used throughout the SLA so that both
parties (you and Microsoft) have a consistent vocabulary. It defines the general terms of the
agreement, including how to submit a claim.

• SLA details: This section defines the specific guarantees for the service. Performance
commitments are commonly measured as a percentage.

The primary performance commitment typically focuses on uptime, or the percentage of time that a
product or service is successfully operational. Some SLAs focus on other factors as well, including
latency, or how fast the service must respond to a request.

• Free products typically don't have an SLA.

• Azure status provides a global view of the health of Azure services and regions. If you
suspect there's an outage, this is often a good place to start your investigation.

• Azure status provides an RSS feed of changes to the health of Azure services that you can
subscribe to. You can connect this feed to communication software such as Microsoft Teams
or Slack.

• From the Azure status page, you can also access Azure Service Health: provides a
personalized view of the health of the Azure services.

• Typically, you need to file a claim with Microsoft to receive a service credit. Each SLA
specifies the timeline by which you must submit your claim and when Microsoft processes
your claim.

Service credits

• A service credit is the percentage of the fees you paid that are credited back to you
according to the claim approval process.

• An SLA describes how Microsoft responds when an Azure service fails to perform to its
specification. For example, you might receive a discount on your Azure bill as compensation
when a service fails to perform according to its SLA.
• Credits typically increase as uptime decreases. Here's how credits are applied for Azure
Database for MySQL according to uptime.

Application SLA

• An application SLA defines the SLA requirements for a specific application.

• Tailwind Traders runs an application that it built on Azure called "Special Orders." The
application tracks special orders that customers have placed in the company's retail stores.
There are many design decisions you can make to improve the availability and resiliency of
the applications and services you build on Azure. When defining the application SLA, consider:

• Business impact

• Effect on other business operations

• Usage patterns: define when and how users access your application.

Build availability requirements into your design

• There are application design considerations you can use that relate to the underlying cloud
infrastructure.

• To improve the availability of the application, avoid having any single points of failure.

• You can deploy one or more extra instances of the same virtual machine across the different
availability zones in the same Azure region. Deploying two or more instances of an Azure
virtual machine across two or more availability zones raises the virtual machine SLA to 99.99
percent. For an application that depends on four services, each with a 99.99 percent SLA,
the composite application SLA is 99.99% × 99.99% × 99.99% × 99.99% = 99.96%.

Include redundancy to increase availability

• To ensure high availability, you might plan for your application to have duplicate
components across several regions, known as redundancy.

• Conversely, to minimize costs during non-critical periods, you might run your application
only in a single region.

• To achieve maximum availability in your application, add redundancy to every single part of
the application. This redundancy includes the application itself, as well as the underlying
services and infrastructure.

• An SLA of 99.99 percent means roughly 1 minute of downtime per week. It's difficult for humans
to respond to failures quickly enough to meet SLA performance targets above 99.99 percent,
so recovery actions at that level need to be automated.
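The SLA arithmetic above (serial dependencies multiply, redundant instances combine through their failure probabilities, a percentage converts to downtime per week or per year), as an added example that is not part of these notes; it also covers the later questions on the annual downtime of a given SLA and on the composite SLA being the product of the services' SLAs. The `SPECIAL_ORDERS` topology, the SLA figures in it and the function names are constructed for illustration, and the independence of failures that `parallel_sla` assumes is a simplification: Microsoft's published figures (such as the 99.99 percent for VMs across availability zones) are contractual commitments, not outputs of this formula.

```python
"""Composite SLA and downtime arithmetic for an application built from several
Azure services. Added example for the study notes; the topology and the SLA
figures below are constructed, not Microsoft's published SLAs."""

MINUTES_PER_WEEK = 7 * 24 * 60          # 10,080
MINUTES_PER_YEAR = 365 * 24 * 60        # 525,600 (non-leap year)


def serial_sla(slas):
    """Dependencies in series: every one must be up, so availabilities multiply."""
    total = 1.0
    for sla in slas:
        total *= sla
    return total


def parallel_sla(slas):
    """Redundant instances: the app is down only if all of them are down, so
    combine the failure probabilities. Assumes failures are independent, which
    correlated outages (a shared region, a shared bad deployment) violate."""
    all_down = 1.0
    for sla in slas:
        all_down *= (1.0 - sla)
    return 1.0 - all_down


def composite_sla(node):
    """Evaluate a dependency tree.

    A node is either a float (leaf SLA as a fraction, e.g. 0.9999) or a tuple
    (kind, children) where kind is "serial" (all children needed) or
    "parallel" (any one child suffices).
    """
    if isinstance(node, (int, float)):
        return float(node)
    kind, children = node
    values = [composite_sla(child) for child in children]
    if kind == "serial":
        return serial_sla(values)
    if kind == "parallel":
        return parallel_sla(values)
    raise ValueError(f"unknown node kind: {kind!r}")


def downtime_minutes(sla, period_minutes=MINUTES_PER_YEAR):
    """Permitted downtime within a period for a given availability fraction."""
    return (1.0 - sla) * period_minutes


# Constructed topology for the "Special Orders" application: two web VMs in
# different availability zones (either can serve traffic), in front of a
# database and a storage account that every request depends on.
SPECIAL_ORDERS = ("serial", [
    ("parallel", [0.999, 0.999]),   # web tier, redundant
    0.9999,                          # database
    0.9999,                          # storage
])

# The single-instance version of the same design, with no redundancy.
SPECIAL_ORDERS_SINGLE = ("serial", [0.999, 0.9999, 0.9999])


if __name__ == "__main__":
    for label, tree in (("single instance", SPECIAL_ORDERS_SINGLE),
                        ("redundant web tier", SPECIAL_ORDERS)):
        sla = composite_sla(tree)
        print(f"{label:20s} {sla * 100:.4f}%  "
              f"{downtime_minutes(sla) / 60:.2f} h/year  "
              f"{downtime_minutes(sla, MINUTES_PER_WEEK):.2f} min/week")
```

Note how the weakest serial dependency dominates: the redundant web tier lifts the application from 99.88 to about 99.98 percent, and nothing further happens until the database and storage, which are single points of failure in this topology, are made redundant as well.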

Service lifecycle

• The service lifecycle defines how every Azure service is released for public use.

• Every Azure service starts in the development phase. In this phase, the Azure team collects
and defines its requirements, and begins to build the service.

• Next, the service is released to the public preview phase.

• During this phase, the public can access and experiment with it so that it can provide
feedback.

• After a new Azure service is validated and tested, it's released to all customers as a
production-ready service. This is known as general availability (GA).
A company investigates moving on-premises… (fault tolerance, high availability)

You work for a small company that hosts its own web servers… (horizontal scaling / automatically
add / eliminate the cost of having an IT staff)
With SERVERLESS COMPUTING, developers deploy code and pay for its run time only, without
worrying about the provisioning, configuration and management of the underlying infrastructure.

How can Azure lower capital expenditure (CapEx) costs?

Which cloud computing term applies to each example? (Elasticity, Fault tolerance,…)
In the Infrastructure-as-a-Service (IaaS) cloud service model, the subscriber is responsible for
management of which two components? OPERATING SYSTEM, APPLICATIONS

Match each statement about cloud services with the term it best describes (fault tolerance,
scalability…)

Match each benefit of cloud computing with its description (elasticity, scalability)
DISASTER RECOVERY is the ability to restore cloud service in the wake of a catastrophic loss

Migrating cloud services enables an organization to budget infrastructure costs AS AN OPERATIONAL
EXPENSE

For each of the following statements about capital expenditures (CapEx) and operational
expenditures (OpEx), select Yes if the statement is true. (costs are fixed / good idea when the
demand fluctuates or is unknown / pay-as-you-go)

Your company migrates virtual machines VMs from an on-premises datacenter to Azure. (pay-per-
use / absence of upfront costs)
Which Azure resource can be deployed as Infrastructure-as-a-Service (IaaS)? VIRTUAL MACHINE

Which Azure resource can be managed as SaaS? AZURE INTERNET-OF-THINGS IOT CENTRAL

Identify which statements accurately describe Software-as-a-Service (SaaS)… (provider is responsible
/ windows server 2016 / sophisticated applications)

You are asked about the differences between IaaS, PaaS and SaaS (rent hardware / underlying OS /
subscribe)
You are planning to Use Azure for your company’s cloud infrastructure. (Outlook, Azure SQL, VM)

Your company is considering using a PaaS environment (provider, customer)


For each of the following statements about shared responsibility in the cloud, select Yes if true
(retains responsibility / responsibility for accounts is transferred / responsibility for the operating
system)

You need to deploy a serverless solution that meets the following requirements (triggered, code
runs, PostgreSQL)
Which two infrastructures are valid hybrid cloud infrastructures? PRIVATE AND PUBLIC CLOUD / ON-
PREMISES INFRASTRUCTURE AND PUBLIC CLOUD

What is a unique advantage of a public cloud over a private cloud? COSTS ARE LOWER AND SPREAD
AMONG MULTIPLE TENANTS

You work for a cloud solution provider. One of your company’s clients considers moving its on-
premises (public cloud, hybrid cloud, private cloud)

Which setup represents a hybrid cloud model? A SETUP THAT COMBINES ON-PREMISES INFRASTRUCTURE
WITH PUBLIC CLOUD RESOURCES (an Azure WebJob that makes calls to the Azure REST API runs entirely
in the public cloud, so it is not a hybrid setup)

What is the advantage of moving your company’s infrastructure to Azure by using a public cloud
deployment model? THE COMPANY IS ABLE TO SCALE UP AS NEEDED WITH NO CAPITAL
EXPENDITURE REQUIRED

Your organization hosts its e-commerce solution on a computing infrastructure that is provided by a
third-party service provider and shared with other organizations. You only pay for the compute
power, storage, and networking resources you use. What type of cloud computing is this an example
of? PUBLIC CLOUD

CLOUD COMPUTING is the delivery of computing services such as compute power, storage,
networking, software and analytics.

A private cloud requires THE INFRASTRUCTURE TO BE ON A PRIVATE NETWORK.


A company wants to expand its cloud presence by deploying additional resources to Azure. The
company plans to use templates based on existing resources to automate the deployment process.
Ensuring consistent deployment is critical, what to use? AZURE RESOURCE MANAGER

Match each statement with the correct cloud model (public, private, hybrid)

Your company wants to know which deployment model would work best for them. Public, private…
Match each type of cloud computing with its description

A company is deploying a critical business application / highly available access / separate fault and
update zones..
You need to identify features of resource groups.

You consider moving some of your applications to azure (container)

Which setup would qualify as an availability zone? TWO SERVERS LOCATED IN THE SAME REGION
What is the purpose of a resource group? IT SERVES AS A CONTAINER FOR AZURE RESOURCES LIKE
VIRTUAL MACHINES AND WEB APPS.

Company A wants the development and QA departments to manage App Services…

You deploy two Azure virtual machines running windows server 2016…
You work for a small college, the college has more than 250 active students (pay-as-you-go /
enterprise..)

You need to determine the number of subscriptions that you have to create based on the
requirements for each scenario.
Your company is planning to move its infrastructure to the azure cloud. You need to explain the
subscription model

What is the maximum length of time you can use the credits from an Azure free subscription before
it expires? 30 DAYS

For each of the following statements about azure subscriptions… (active directory, azure resource
groups, subscription)
Your company is reorganizing after acquiring a new company, Azure Active Directory…

You deploy a business critical solution in azure. You need to ensure that your resources are
replicated and hosted at least 200 miles away within the same geographic area… REGION PAIRS

Management groups let you organize multiple SUBSCRIPTIONS AS A SINGLE MANAGEMENT ENTITY
TO FACILITATE EASIER MANAGEMENT

A company wants to host data disks on the Azure cloud.


Which Azure database product supports key-value and document data models and provides native
support for NoSQL? AZURE COSMOS DB

Your company is considering using Linux-based Azure container Instances (ACIs) to deploy a simple
application. The application runs as a stateful application. What type of storage should you use?
AZURE FILES

Your company is planning a deployment… Up to 10 TB storage, point-in-time-restore for up to 35
days: AZURE DATABASE FOR POSTGRESQL SINGLE SERVER GENERAL PURPOSE TIER

For each of the following statements about Windows Virtual Desktop…


Match each Azure resource to a scenario

Which two options can you use to connect Azure Virtual Networks VNets to each other? VNET
PEERING + VPN GATEWAYS

For each of the following statements about Azure networking (expressroute / traffic between peered
/ VNet is created within the scope of a region)
You build a new operational analytics solution in Azure using PostgreSQL as a relational database.
The estimated monthly growth of your database is 20 Gb.

Match each Azure resource with its use scenario


Microsoft Marketplace PROVIDES PURCHASE AND SUBSCRIPTION LINKS TO CERTIFIED CLOUD
APPLICATIONS AND SOLUTIONS FROM MICROSOFT AND ITS TECHNOLOGY PARTNERS

You are planning to move some of your company’s application functionalities to azure cloud. You
need to determine whether to use Azure Functions or Logic Apps

In which situation would an Azure Function app be the best solution? YOU WANT TO EXECUTE
JAVASCRIPT CODE THAT SENDS A MAINTENANCE EMAIL EVERY SUNDAY EVENING

Your company is planning to build a solution for an automobile manufacturing company. Allow
vehicles to send on-board diagnostic OBD sensory and vehicle telemetry data to the cloud for
analysis. IOT CENTRAL

You need to use an Azure Big Data solution that allows you to query and transform data to extract
insights. DATA LAKE ANALYTICS
Match each description with the appropriate Azure product (machine learning studio / functions /
HDInsight)

Which Azure service provides for serverless workflow orchestration to let you integrate apps, data,
systems, and services across enterprises or organizations? LOGIC APPS

You need to analyze large volumes of streaming data being collected from the Internet of Things
(IoT) devices. HDINSIGHT

AZURE SYNAPSE ANALYTICS is a service that brings together enterprise data warehousing and Big
Data analytics.

As a site reliability engineer, you need to deploy a solution that would allow your developers to
automatically build, test, release and deploy their code. Which two platforms can you use to meet
your goal? AZURE DEVOPS, GITHUB (ExpressRoute is a private connectivity service and Event Hubs is
a streaming ingestion service; neither provides CI/CD)

You want to build an app that can guess the age of people in provided photos, advanced computer
vision algorithms AZURE COGNITIVE SERVICES

IoT Hub is A SERVICE THAT PROVIDES FOR BI-DIRECTIONAL CONNECTIONS BETWEEN YOUR
INTERNET OF THINGS DEVICES AND AN IOT APPLICATION.
Which statement accurately describe features of Machine Learning Studio?

You need to determine which resource to deploy for different scenarios?


Your company’s development team is developing and testing .NET applications, 100 virtual machines,
windows server 2016 and Ubuntu Linux

Your company considers using Azure DevTest Labs to help with new development activities. You
need to identify the functionality provided through DevTest Labs.
Match each description with the appropriate Azure product.

Azure Databricks is a secure data ..


You have the green light to move some of your company’s infrastructure to azure. You need to
determine the features provided by Azure Advisor.

Which resource is required to use Azure Cloud Shell? STORAGE ACCOUNT

You create Azure subscription, you need to determine when you should use specific azure
management tools.
You need to use Azure Cloud Shell to manage Linux virtual machines that are already deployed..

Which Azure management tool provides a graphic interface for deploying, managing and monitoring
Azure resources? AZURE PORTAL

Which statements accurately describe Azure PowerShell?


Your company has a hybrid azure cloud infrastructure in Virginia. It consists of Azure virtual
machines, an App Service, a SQL Database instance and an on-premises web server.. Service Health
is beneficial.

Which feature of Azure Monitor allows you to visually analyze telemetry data? APPLICATION
INSIGHTS

Which Azure Monitor feature sends an email to an administrator when a virtual machine is about to
exceed its usage quota for the month? ALERTS (Service Health reports the health of the Azure
platform itself, not your resources' usage)

You need to understand Azure monitoring options, which monitoring feature should you use for
each scenario?
Which Azure service can use autoscale to add or remove resources as appropriate to minimize costs
and ensure optimum performance levels? AZURE MONITOR

Which Azure component provides information about planned maintenance and advisories such a
deprecated offerings? AZURE SERVICE HEALTH

You are going to start collecting data about your Azure infrastructure with Azure Monitor. Which
type of data collection requires you to enable diagnostics? EVENT LOGS

You recently signed up for a free Azure Subscription. Which UI elements best match the
descriptions?
Compare using Azure PowerShell and Azure CLI for Azure management.

Identify the features of Azure Cloud Shell.


For each of the following statements about the Azure mobile app, select Yes.

You deploy a new Linux virtual machine and then manually adjust its configuration in Azure to meet
the requirements… Reuse it as a template in the deployment of Test and Production VMs
Azure Monitor begins collecting data AS SOON AS YOU ADD A RESOURCE TO A NEW AZURE
SUBSCRIPTION

You need a security solution that helps provision, manage and deploy Secure Sockets
Layer/Transport Layer Security certificates. What should you use? KEY VAULT

A company is reviewing security for virtual machines deployed on its hybrid cloud. You need to
identify security features provided through Azure Security Center.

Which Azure security solution provides general security recommendations and suggests
remediations to better secure your resources? SECURITY CENTER.

Match each Azure solution to a scenario.


For each of the following statements about Azure Dedicated Hosts, select Yes.

Which two organization-level insights can you derive from the Regulatory Compliance dashboard of
Azure Security Center? OVERALL COMPLIANCE SCORE / NUMBER OF PASSING AND FAILING
ASSESSMENTS

Azure Advisor Integrates with AZURE SECURITY CENTER to help to prevent, detect, and respond to
threats to Azure resources.

You deploy three Virtual Machines to Azure as a three-tiered architecture.


For each of the following statements about Azure Distributed Denial of Service DDoS Protection

You are planning to create a cloud solution in Azure. Which resources should you deploy?
Your Azure tenant includes an Azure Virtual Network with several internet-facing web servers
DEFENSE IN DEPTH is a strategy to implement multiple layers of security to slow down an attack and
provide early alert telemetry to act upon.

Application Security Groups (ASGs) let you GROUP VIRTUAL MACHINES BY WORKLOAD AND WRITE
NETWORK SECURITY GROUP RULES AGAINST THOSE GROUPS INSTEAD OF INDIVIDUAL IP ADDRESSES (not:
organize similar servers so you can access them)

You need to understand the difference between authentication and authorization in Azure.

You plan to create an Azure subscription and take advantage of its Azure Active Directory features.
You need to choose the least expensive license for each scenario.
Which two examples best describe multi-factor authentication MFA?

- YOU RECEIVE A TEXT MESSAGE WITH A CODE AFTER YOU ENTER YOUR USERNAME AND
PASSWORD ON A MOVIE STREAMING SITE.
- YOU INSERT YOUR DEBIT CARD INTO AN ATM AND THEN ENTER YOUR PERSONAL
IDENTIFICATION NUMBER PIN TO ACCESS YOUR ACCOUNT

A company is migrating several Web apps from an on-premises private cloud deployment to Azure.
You need to determine if Azure AD will meet your authentication requirements.

A company subscribes to Azure as a platform for developing and deploying Web apps.
A company has an Azure Active Directory Premium P1 subscription. The company has a hybrid
environment that uses both Azure AD and on-premises federated AD.

Which two options are examples of Conditional Access policies? BLOCK ACCESS BY LOCATION /
REQUIRE COMPLIANT DEVICES

With SINGLE SIGN-ON SSO, users can access all needed applications without being required to
authenticate a second time.

An Azure Multi-Factor Authentication server is required FOR AUTHENTICATION WHEN SUPPORTING
USERS LOCATED ON ON-PREMISES ACTIVE DIRECTORY ONLY.

Which of the following allows you to assign permissions to users so that they can create resources in
Azure? ROLE-BASED ACCESS CONTROL

Which statement best describes what a resource lock does to a virtual machine? IT PREVENTS THE
VM FROM BEING DELETED (a CanNotDelete lock; a ReadOnly lock additionally blocks modification)

You need to give all users in a group the ability to create and manage all types of Azure resources in
a subscription. Rights granted to the users should be kept to a minimum. Which built-in role-based
access control RBAC role should you assign to the group? CONTRIBUTOR

Your company has a new policy to be able to limit access to resources at the resource group and
resource scopes in a detailed, granular way. Access will be granted to various groups and individual
users. ROLE-BASED ACCESS CONTROL
Your company wants to ensure that it meets its internal compliance goals and that azure resources
are compliant with company standards, ongoing evaluation for compliance and identification of non-
compliant resources AZURE POLICY

An azure initiative IS A COLLECTION OF AZURE POLICIES TARGETED TOWARDS REACHING A SINGLE
OVERALL GOAL

You are researching the governance methodologies in Azure. Role-based access security, policies,
initiatives..
Which statement describes a benefit that is unique to Azure Government? RESOURCES IN AZURE
GOVERNMENT ARE DEPLOYED TO DATACENTERS THAT ARE SEPARATE FROM NON-GOVERNMENT
RESOURCES.

Which statement describes regulatory compliance responsibilities? COMPLIANCE IS A SHARED
RESPONSIBILITY OF MICROSOFT AND THE SUBSCRIBER

For each of the following statements about Azure Locks


For each scenario, select the most appropriate Azure governance methodology.

Azure Blueprints
Azure Blueprints to support rapid deployment

Azure Policy Initiatives


Your company uses management groups to manage resources in your azure tenant more efficiently.
User1

For each of the following statements about Azure tags.


Match each Azure Cloud Adoption Framework methodology with its description

Microsoft Privacy Statement


Microsoft Azure operated by 21Vianet (Azure China)

Which regulation addresses data protection and privacy for all individuals in the EU? GENERAL DATA
PROTECTION REGULATION GDPR

Which United States regulation addresses protecting unclassified information created by the
government and stored in non-governmental systems? NIST SPECIAL PUBLICATION 800-171 (NIST
itself is the standards agency, not the regulation)

Which statement describes a feature for prospective customers that is unique to Azure China? ITS
DATACENTERS ARE COMPLETELY DISCONNECTED FROM OTHER AZURE DATACENTERS.

Compliance in Azure (government, service trust portal, non-regulatory agency)


The terms for how you can use subscribed, public and generally available Microsoft online service
are defined in the ONLINE SERVICES TERMS document.
Match each Microsoft licensing term with a description.

Microsoft Trust Center IS THE AZURE INFORMATION SITE THAT CONTAINS BROAD-RANGING
SECURITY INFORMATION.

You are given approval to move your company’s web application… Azure Pricing Calculator.
Your company plans to deploy to the azure cloud three virtual machines and a load balancer.

Your company is considering moving its on-premises infrastructure to azure. Most appropriate cost
savings estimation tool.
You are planning to use Azure for a cloud solution. Most appropriate tool for different scenarios.

You need to explain Azure pricing calculator. IT ALLOWS YOU TO ESTIMATE THE MONTHLY COSTS
ASSOCIATED WITH USING SPECIFIC AZURE RESOURCES.

You work for a private equity firm in Richmond, Virginia.


A company is looking for solutions to help to lower cloud-related costs. You need to identify tools
and mechanisms that help save money.

You move some Windows Server virtual machines from your on-premises data-center to Azure.
Azure spot pricing

A zone is geographical grouping of Azure regions used to determine billing based on DATA
TRANSFERS.

You deploy a web app and a Cosmos DB instance to Azure. 99.99 percent
You consider moving your company’s infrastructure to the azure cloud, understand the difference
between public and private preview features.

99.95% service level agreement SLA, 99.99% SLA.


You are planning to deploy resources to Azure. What is the estimated expected annual downtime for
each SLA?

A company has a single instance Azure virtual machine deployed in the north central us region. You
need to improve the service level agreement to guarantee 99.99% availability. INSTALL AN
ADDITIONAL INSTANCE IN A DIFFERENT AVAILABILITY ZONE IN THE SAME REGION.

Based on the Microsoft Azure Lifecycle Policy, how much advance warning does Microsoft give
before retiring a guest operating system? 12 MONTHS

Which statement best describes general availability? GA REFERS TO A FULLY TESTED AND
EVALUATED…

According to microsoft’s supplemental terms, what is the primary purpose for releasing an azure
feature in public preview? TO OBTAIN CUSTOMER FEEDBACK

Which statement accurately describes preview feature service support? PREVIEWS ARE SUBJECT TO
REDUCED OR DIFFERENT SERVICE TERMS THAN GENERALLY RELEASED FEATURES.

Your company is deploying an application that relies on multiple azure services. You need to
determine the composite service level agreement for the application. On what is the composite on
SLA based? THE PRODUCT OF THE SLAS OF EACH OF THE SERVICES USED IN THE APPLICATION.

Azure service level agreement describes commitments related to uptime and connectivity for azure
services NO CHANGE
Access to preview features CAN BE CONFIGURED AT THE ORGANIZATION OR USER LEVEL ?

Which service offers a distributed network of servers that can efficiently deliver web content to
users that focuses on minimizing latency? CONTENT DELIVERY NETWORK

Public Preview:
A company deploys an app in azure shown in the original design section

Your company has multiple web properties that the customer can reach you. You would like to
create a common set of code that each of them can use to create a lead in your customer database.
Which service Azure App Service app would you use? AZURE API APP

Which service below is NOT considered a feature of Azure serverless computing? AZURE MACHINE
LEARNING

Azure policy is used to control per-user permissions in Azure and control the types of resources that
users can deploy. FALSE

What would you use if you want to avoid a resource in Azure from being modified or deleted?
RESOURCE LOCK

Azure Subscription may only have one account owner TRUE

Your organization relies on azure services for hosting a critical application. You need 24x7 support
for your Azure services. Which of the following support plans is the most economical option that still
provides you with 24x7 support? STANDARD

At which stage of the azure service lifecycle should you consider an azure service in production?
GENERAL AVAILABILITY

Which of the following is not a method for protecting internet facing services from network attacks?
AZURE DISK ENCRYPTION
