Azure Fundamentals: Describe Azure

management and governance

Module 1

Describe cost management in Azure

That OpEx cost can be impacted by many factors. Some of the

impacting factors are:
 Resource type
 Consumption
 Maintenance
 Geography
 Subscription type
 Azure Marketplace

Resource type
Examples
With a storage account, you specify a type such as blob, a
performance tier, an access tier, redundancy settings, and a region.
Creating the same storage account in different regions may show
different costs and changing any of the settings may also impact the
price.
With a virtual machine (VM), you may have to consider licensing for
the operating system or other software, the processor and number
of cores for the VM, the attached storage, and the network interface.
 Network traffic is also impacted based on geography. For
example, it’s less expensive to move information within Europe
than to move information from Europe to Asia or South
America.
Explore the Pricing calculator

Add services to the estimate

1. On the Products tab, select the service from each of these
categories:
Category Service
Compute Virtual Machines
Databases Azure SQL Database
Networking Application Gateway

Under Application Gateway, set these values:

Setting Value
Region West US
Tier Web Application Firewall
 RemembeR, you don't need an azuRe subscRiption
to woRk with the tco calculatoR.

Exercise - Compare workload costs

using the TCO calculator
Let's say that:
 You run two sets, or banks, of 50 virtual machines (VMs) in
each bank.
 The first bank of VMs runs Windows Server under Hyper-V
virtualization.
 The second bank of VMs runs Linux under VMware
virtualization.
 There's also a storage area network (SAN) with 60 TB of disk
storage.
 You consume an estimated 15 TB of outbound network
bandwidth each month.
What is Cost Management?
Cost Management provides the ability to quickly check Azure
resource costs, create alerts based on resource spend, and create
budgets that can be used to automate management of resources.
Cost alerts
Cost alerts provide a single location to quickly check on all of the
different alert types that may show up in the Cost Management
service. The three types of alerts that may show up are:

Budget alerts
Credit alerts
Department spending quota alerts.

Budget alerts
Budget alerts notify you when spending, based on usage or cost,
reaches or exceeds the amount defined in the alert condition of the
budget.
Budget alerts support both cost-based and usage-based budgets.
Credit alerts
Credit alerts notify you when your Azure credit monetary
commitments are consumed. Monetary commitments are for
organizations with Enterprise Agreements (EAs).
Department spending quota alerts
Department spending quota alerts notify you when department
spending reaches a fixed threshold of the quota. Spending quotas are
configured in the EA portal.
Describe the purpose of tags
One way to organize related resources is to place them in their own
subscriptions. You can also use resource groups to manage related
resources. Resource tags are another way to organize resources.
Tags provide extra information, or metadata, about your resources.
This metadata is useful for:
 Resource management Tags enable you to locate and act on
resources that are associated with specific workloads,
environments, business units, and owners.
 Cost management and optimization Tags enable you to group
resources so that you can report on costs, allocate internal cost
centers, track budgets, and forecast estimated cost.
 Operations management Tags enable you to group resources
according to how critical their availability is to your business.
This grouping helps you formulate service-level agreements
(SLAs). An SLA is an uptime or performance guarantee between
you and your users.
  Security Tags enable you to classify data by its security level,
such as public or confidential.
 Governance and regulatory compliance Tags enable you to
identify resources that align with governance or regulatory
compliance requirements, such as ISO 27001. Tags can also be
part of your standards enforcement efforts. For example, you
might require that all resources be tagged with an owner or
department name.
 Workload optimization and automation Tags can help you
visualize all of the resources that participate in complex
deployments. For example, you might tag a resource with its
associated workload or application name and use software
such as Azure DevOps to perform automated tasks on those
resources.
How do I manage resource tags?
You can add, modify, or delete resource tags through Windows
PowerShell, the Azure CLI, Azure Resource Manager templates, the
REST API, or the Azure portal.
You can use Azure Policy to enforce tagging rules and conventions.
For example, you can require that certain tags be added to new
resources as they're provisioned. You can also define rules that
reapply tags that have been removed. Tags aren’t inherited, meaning
that you can apply tags one level and not have those tags
automatically show up at a different level, allowing you to create
custom tagging schemas that change depending on the level
(resource, resource group, subscription, and so on).
An example tagging structure
A resource tag consists of a name and a value. You can assign one or
more tags to each Azure resource.
Name
Value

AppName

The name of the application that the resource is part of.

CostCenter

The internal cost center code.

Owner

The name of the business owner who's responsible for the resource.

Environment

An environment name, such as "Prod," "Dev," or "Test."

Impact

How important the resource is to business operations, such as "Mission-critical," "High-

impact," or "Low-impact."

Keep in mind that you don't need to enforce that a specific tag is present on all of
your resources. For example, you might decide that only mission-critical resources
have the Impact tag. All non-tagged resources would then not be considered as
mission-critical.

Module 2
Describe features and tools in
Azure for governance and
compliance
Azure Blueprints
Azure Blueprints lets you standardize cloud subscription or
environment deployments. Instead of having to configure
features like Azure Policy for each new subscription, with
Azure Blueprints you can define repeatable settings and
policies that are applied as new subscriptions are created.
What are artifacts?
Each component in the blueprint definition is known as an
artifact.
It is possible for artifacts to have no additional parameters
(configurations). An example is the Deploy threat detection
on SQL servers policy, which requires no additional
configuration.
Artifacts can also contain one or more parameters that you
can configure. The following screenshot shows the Allowed
locations policy. This policy includes a parameter that
specifies the allowed locations.
Azure Blueprints deploy a new environment based on all of
the requirements, settings, and configurations of the
associated artifacts. Artifacts can include things such as:
 Role assignments
 Policy assignments
 Azure Resource Manager templates
 Resource groups
How do Azure Blueprints help monitor deployments?
Azure Blueprints are version-able, allowing you to create an
initial configuration and then make updates later on and
assign a new version to the update. With versioning, you can
make small updates and keep track of which deployments
used which configuration set.

With Azure Blueprints, the relationship between the

blueprint definition (what should be deployed) and the
blueprint assignment (what was deployed) is preserved. In
other words, Azure creates a record that associates a
resource with the blueprint that defines it. This connection
helps you track and audit your deployments.

the purpose of Azure Policy

Azure Policy is a service in Azure that enables you to create,

assign, and manage policies that control or audit your
resources. These policies enforce different rules across your
resource configurations so that those configurations stay
compliant with corporate standards.
1. Azure Policies can be set at each level, enabling you to
set policies on a specific resource, resource group,
subscription, and so on.
2. Additionally, Azure Policies are inherited, so if you set a
policy at a high level, it will automatically be applied to
all of the groupings that fall within the parent. For
example, if you set an Azure Policy on a resource group,
 all resources created within that resource group will
automatically receive the same policy.
3. Azure Policy comes with built-in policy and initiative
definitions for Storage, Networking, Compute, Security
Center, and Monitoring. For example, if you define a
policy that allows only a certain size for the virtual
machines (VMs) to be used in your environment, that
policy is invoked when you create a new VM and
whenever you resize existing VMs. Azure Policy also
evaluates and monitors all current VMs in your
environment, including VMs that were created before
the policy was created.
4. In some cases, Azure Policy can automatically remediate
noncompliant resources and configurations to ensure
the integrity of the state of the resources. For example,
if all resources in a certain resource group should be
tagged with AppName tag and a value of
"SpecialOrders," Azure Policy will automatically apply
that tag if it is missing. However, you still retain full
control of your environment. If you have a specific
resource that you don’t want Azure Policy to
automatically fix, you can flag that resource as an
exception – and the policy won’t automatically fix that
resource.
5. Azure Policy also integrates with Azure DevOps by
applying any continuous integration and delivery
pipeline policies that pertain to the pre-deployment and
post-deployment phases of your applications.
What are Azure Policy initiatives?
An Azure Policy initiative is a way of grouping related policies
together. The initiative definition contains all of the policy
definitions to help track your compliance state for a larger
goal.

 For example, Azure Policy includes an initiative named

Enable Monitoring in Azure Security Center. Its goal is to
monitor all available security recommendations for all
Azure resource types in Azure Security Center.

Under this initiative, the following policy definitions are

included:

1. Monitor unencrypted SQL Database in Security Center

This policy monitors for unencrypted SQL databases and
servers.
2. Monitor OS vulnerabilities in Security Center This policy
monitors servers that don't satisfy the configured OS
vulnerability baseline.
3. Monitor missing Endpoint Protection in Security Center
This policy monitors for servers that don't have an
installed endpoint protection agent.
In fact, the Enable Monitoring in Azure Security Center
initiative contains over 100 separate policy definitions.

The resource locks

A resource lock prevents resources from being accidentally
deleted or changed.
1. Resource locks can be applied to individual resources,
resource groups, or even an entire subscription.
2. Resource locks are inherited, meaning that if you place a
resource lock on a resource group, all of the resources
within the resource group will also have the resource lock
applied.
Types of Resource Locks
There are two types of resource locks, one that prevents users from deleting
and one that prevents users from changing or deleting a resource.

1. Delete means authorized users can still read and modify a resource, but
they can't delete the resource.
2. ReadOnly means authorized users can read a resource, but they can't
delete or update the resource. Applying this lock is similar to restricting
all authorized users to the permissions granted by the Reader role.

the Service Trust portal

The Microsoft Service Trust Portal is a portal that provides

access to various content, tools, and other resources about
Microsoft security, privacy, and compliance practices.
The Service Trust Portal contains details about Microsoft's
implementation of controls and processes that protect our
cloud services and the customer data therein. To access
some of the resources on the Service Trust Portal, you must
sign in as an authenticated user with your Microsoft cloud
services account (Azure Active Directory organization
account). You'll need to review and accept the Microsoft
non-disclosure agreement for compliance materials.

Module 4
monitoring tools in Azure

Azure Advisor
1. Azure Advisor is designed to help you save time on cloud
optimization. The recommendation service includes suggested
actions you can take right away, postpone, or dismiss.
2. The recommendations are available via the Azure portal and
the API, and you can set up notifications to alert you to new
recommendations.
When you're in the Azure portal, the Advisor dashboard displays
personalized recommendations for all your subscriptions. You can
use filters to select recommendations for specific subscriptions,
resource groups, or services.
The recommendations are divided into five categories:

1. Reliability is used to ensure and improve the continuity of your

business-critical applications.
2. Security is used to detect threats and vulnerabilities that might
lead to security breaches.
3. Performance is used to improve the speed of your applications.
4. Operational Excellence is used to help you achieve process and
workflow efficiency, resource manageability, and deployment
best practices.
 5. Cost is used to optimize and reduce your overall Azure
spending.

Azure Service Health

Azure Service Health helps you keep track of Azure resource,
both your specifically deployed resources and the overall status
of Azure.
Azure service health does this by combining three different Azure services:

1. Azure Status is a broad picture of the status of Azure globally. It’s a good
reference for incidents with widespread impact.
2. Service Health provides a narrower view of Azure services and regions. It
focuses on the Azure services and regions you're using. This is the best
place to look for service impacting communications about outages,
planned maintenance activities, and other health advisories because the
authenticated Service Health experience knows which services and
resources you currently use. You can even set up Service Health alerts to
notify you when service issues, planned maintenance, or other changes
may affect the Azure services and regions you use.
3. Resource Health is a tailored view of your actual Azure resources. It
provides information about the health of your individual cloud
resources, such as a specific virtual machine instance. Using Azure
Monitor, you can also configure alerts to notify you of availability
changes to your cloud resources.
By using Azure status, Service health, and Resource health, Azure Service
Health gives you a complete view of your Azure environment-all the way from
the global status of Azure services and regions down to specific resources.
Additionally, historical alerts are stored and accessible for
later review. Something you initially thought was a simple
anomaly that turned into a trend, can readily be reviewed and
investigated thanks to the historical alerts.
Finally, in the event that a workload you’re running is
impacted by an event, Azure Service Health provides links to
support.
Azure Monitor
Azure Monitor is a platform for collecting data on your resources, analyzing
that data, visualizing the information, and even acting on the results. Azure
Monitor can monitor Azure resources, your on-premises resources, and even
multi-cloud resources like virtual machines hosted with a different cloud
provider.
The following diagram illustrates just how comprehensive Azure Monitor is:

On the left is a list of the sources of logging and metric data

that can be collected at every layer in your application
architecture, from application to operating system and network.
In the center, the logging and metric data are stored in central
repositories.
On the right, the data is used in several ways. You can view
real-time and historical performance across each layer of your
architecture or aggregated and detailed information. The data is
displayed at different levels for different audiences. You can
view high-level reports on the Azure Monitor Dashboard or create
custom views by using Power BI and Kusto queries.
Additionally, you can use the data to help you react to critical
events in real time, through alerts delivered to teams via SMS,
email, and so on. Or you can use thresholds to trigger
autoscaling functionality to scale to meet the demand.
Azure Log Analytics
Azure Log Analytics is the tool in the Azure portal where
you’ll write and run log queries on the data gathered by Azure
Monitor. Log Analytics is a robust tool that supports both
simple, complex queries, and data analysis.
Azure Monitor Alerts
Azure Monitor Alerts are an automated way to stay informed when
Azure Monitor detects a threshold being crossed. You set the
alert conditions, the notification actions, and then Azure
Monitor Alerts notifies when an alert is triggered. Depending on
your configuration, Azure Monitor Alerts can also attempt
corrective action.
Alerts can be set up to monitor the logs and trigger on certain
log events, or they can be set to monitor metrics and trigger
when certain metrics are crossed. For example, you could set a
metric-based alert up to notify you when the CPU usage on a
virtual machine exceeded 80%. Alert rules based on metrics
provide near real time alerts based on numeric values. Rules
based on logs allow for complex logic across data from multiple
sources.
Azure Monitor Alerts use action groups to configure who to
notify and what action to take.
 An action group is simply a collection of notification and
action preferences that you associate with one or multiple
alerts.
 Action groups are used by Azure Monitor, Service Health,
and Azure Advisor all use actions groups to notify you when
an alert has been triggered.
Application Insights
Application Insights, an Azure Monitor feature, monitors your
web applications. Application Insights is capable of monitoring
applications that are running in Azure, on-premises, or in a
different cloud environment.
There are two ways to configure Application Insights to help
monitor your application.
1. You can either install an SDK in your application,
2. or you can use the Application Insights agent. The
Application Insights agent is supported in C#.NET, VB.NET,
Java, JavaScript, Node.js, and Python.
Once Application Insights is up and running, you can use it to
monitor a broad array of information, such as:
 Request rates, response times, and failure rates
 Dependency rates, response times, and failure rates, to
show whether external services are slowing down performance
 Page views and load performance reported by users' browsers
 AJAX calls from web pages, including rates, response times,
and failure rates
 User and session counts
 Performance counters from Windows or Linux server machines,
such as CPU, memory, and network usage
Not only does Application Insights help you monitor the
performance of your application, but you can also configure it
to periodically send synthetic requests to your application,
allowing you to check the status and monitor your application
even during periods of low activity.