Recently I passed the Microsoft Azure Fundamentals AZ-900 exam. I'm starting out learning Azure because of the customers I support and work with daily. The majority of my customers are government-based, and their options for cloud services are some variant of on-premises or secured environments. Microsoft Azure solutions have an immediate presence within the government sector due to the usage of Microsoft Office 365. Since this was my first Microsoft exam ever, I'm documenting my progress and notes as I learn this new technology.
My typical process for any exam is to review the vendor certification blueprint, in this case for Microsoft AZ-900. The exam blueprint domains are the following:
Describe cloud concepts (20-25%)
Describe core Azure services (15-20%)
Describe core solutions and management tools on Azure (10-15%)
Describe general security and network security features (10-15%)
Describe identity, governance, privacy, and compliance features (15-20%)
Describe Azure cost management and Service Level Agreements (10-15%)
Based on the exam topics, I located all reference notes online at docs.microsoft.com by searching for Azure. I'm breaking the reference notes into two (2) blog posts for brevity, including a separate appendix for URL links.
Azure Virtual Network is the customer's own isolated network within the Azure cloud environment.
Each virtual network is associated with one region.
Subnets are used to isolate public resources from private resources within the Azure Virtual Network.
All subnets (private or public) within a single virtual network (VNet) can communicate with each other by default.
Each VM within a virtual network is assigned a private IP address. The customer can assign a public IP address as well.
Virtual network peering connects resources in different Azure Virtual Networks, including networks in different Azure regions.
A Network Security Group (NSG) is an internal firewall inside the Azure Virtual Network. It permits or denies traffic based on IP address and port information. An NSG can restrict traffic between resources; for example, it can allow database access only from the web servers and not from the outside world.
An NSG is attached to a subnet or a network interface.
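The web-tier/database-tier scenario above, as an added example that is not part of the original notes: a simplified model of how an NSG evaluates inbound traffic by priority with first-match-wins. The default rule names and priorities are Azure's; the VNet and subnet addresses are constructed sample data, and the `Internet` tag is approximated as "any address outside the VNet".

```python
# Added example (not from the original post): a simplified model of how an
# NSG evaluates inbound traffic. Rules run in ascending priority order and the
# first match wins. The two default rules at the bottom carry Azure's real
# names and priorities; the subnet addresses are constructed sample data.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

VNET = "10.0.0.0/16"          # whole virtual network (constructed)
WEB_SUBNET = "10.0.1.0/24"    # web tier; the database tier lives elsewhere in VNET

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int     # custom rules use 100-4096; lower runs first
    access: str       # "Allow" or "Deny"
    source: str       # CIDR, "*", or the service tags "Internet" / "VirtualNetwork"
    dest_port: str    # single port or "*"

# NSG attached to the database subnet: only the web subnet may reach SQL (1433).
# The explicit VirtualNetwork deny matters because Azure's default
# AllowVnetInBound rule would otherwise admit every other subnet in the VNet.
DB_NSG = [
    Rule("AllowSqlFromWeb", 100, "Allow", WEB_SUBNET, "1433"),
    Rule("DenySqlFromVnet", 200, "Deny", "VirtualNetwork", "1433"),
    Rule("AllowVnetInBound", 65000, "Allow", "VirtualNetwork", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*"),
]

def _source_matches(rule_source: str, src_ip: str) -> bool:
    ip = ip_address(src_ip)
    if rule_source == "*":
        return True
    if rule_source == "VirtualNetwork":
        return ip in ip_network(VNET)
    if rule_source == "Internet":        # simplified: anything outside the VNet
        return ip not in ip_network(VNET)
    return ip in ip_network(rule_source)

def evaluate(rules, src_ip: str, dest_port: int) -> tuple:
    """Return (access, rule_name) for the first matching rule by priority."""
    for rule in sorted(rules, key=lambda r: r.priority):
        port_ok = rule.dest_port == "*" or int(rule.dest_port) == dest_port
        if port_ok and _source_matches(rule.source, src_ip):
            return rule.access, rule.name
    return "Deny", "NoMatch"   # not reached while DenyAllInBound is present
```

Without the explicit `DenySqlFromVnet` rule, a VM in any other subnet of the VNet would reach port 1433 through the default `AllowVnetInBound` rule, which is the common gap a reviewer checks for when an NSG is meant to restrict database access to the web tier.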
Azure Application Gateway can do URL-based routing. It is a web traffic load balancer that enables customers to manage traffic to their web applications hosted in the Azure cloud.
A traditional load balancer operates at the transport layer (OSI Layer 4 – TCP, UDP) to route traffic.
Azure Firewall is a managed, centralized network firewall-as-a-service (FaaS) and operates outside of the Azure Virtual Network.
One Azure Firewall can control traffic to multiple Azure Virtual Networks across multiple Azure subscriptions.
A Web Application Firewall (WAF) is tied to one web application and protects it from the common attacks listed by the Open Web Application Security Project (OWASP), such as cross-site scripting and SQL injection.
Azure ExpressRoute is a private, dedicated connection between the Azure cloud and an on-premises data center. Azure ExpressRoute provides high bandwidth and additional security.
Azure Security Features
Azure Security Center is a threat management and protection feature within the Azure cloud environment.
Basic protection and security features are free within the Azure cloud environment.
Azure Defender is additional, paid security that customers can enable. It provides threat protection for PaaS services.
Azure Sentinel is an intelligent security analytics service for the entire enterprise. It is a security information and event management (SIEM) solution.
Azure Sentinel detects threats and responds quickly with the help of AI.
To store secrets such as API keys, passwords, and certificates, customers can use Azure Key Vault.
Microsoft defines Azure Key Vault as a service that safeguards cryptographic keys and other secrets used by cloud apps and services.
Azure AD identity management helps customers manage identity and access in the Azure cloud.
To synchronize on-premises Active Directory with Azure AD, customers can use Azure AD Connect.
Azure AD MFA (Multi-factor Authentication) – Azure AD MFA requires any two of the following authentication options: user ID and password, a trusted device, or fingerprint or face recognition.
To enable Azure AD MFA, customers need to use Azure AD Identity Protection.
If a user signs in from an unknown device or location, MFA can be enforced through a security feature called Conditional Access.
Conditional Access is one of the premium features in Azure AD that comes with P1 and P2 licenses.
We can change the default directory in Azure, but this will not change billing ownership.
A single subscription can be connected to one Azure AD directory. Customers can associate multiple subscriptions with one Azure AD directory.
RBAC stands for Role-Based Access Control.
When an Azure subscription expires, the associated Azure AD tenant is not deleted; customers have the option to associate it with a different subscription at a later time.
Azure Management Tools
Azure Advisor is a recommendation tool for improving reliability, security, and performance while reducing cost. For example, its VM recommendations, such as auto-scaling, reduce cost.
Azure Monitor is another tool that collects and analyzes logs and metrics. It is used to track events at the resource level. Azure Monitor can monitor resources across multiple subscriptions, which helps to identify issues and send alerts. It can monitor the on-premises environment as well.
Application Insights – Azure Monitor service used to monitor and diagnose application-related issues.
VM Insights – monitors the health of VMs and scale sets.
Container Insights – monitors the containers in your subscription.
Log Analytics – Azure Monitor service used to send SMS and email alerts based on logs and metrics.
Azure Service Health is a personalized dashboard for receiving notifications, guidance, and technical support when Azure service issues, updates, or planned maintenance affect your Azure resources.
Visit status.azure.com to check the status of Azure services by region.
Azure Service Health tells customers which services are being decommissioned.
Azure Service Level Agreement (SLA)
The Service Level Agreement is the legal agreement between Azure, as the cloud service provider, and the customer.
Azure gives a service credit if it doesn't meet the agreed SLA: if monthly uptime is < 99.95%, 10% of the amount is credited; if < 99%, 25% is credited. The customer is responsible for requesting the SLA credit when impacted.
Monthly uptime % = (Maximum Available Minutes – Downtime) / (Maximum Available Minutes) * 100
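The uptime formula and credit tiers above, worked through in code as an added example that is not part of the original notes. The billing month and the outage windows are constructed sample data; the credit percentages are the ones listed in the notes and should be checked against the SLA of the specific service.

```python
# Added example (not from the original post): computes monthly uptime from
# the formula in the notes and maps it to the service-credit tiers listed
# there (10% below 99.95%, 25% below 99%). Dates and outages are constructed.
from datetime import datetime

def maximum_available_minutes(year: int, month: int) -> int:
    """Total minutes in the billing month."""
    start = datetime(year, month, 1)
    end = datetime(year + (month == 12), month % 12 + 1, 1)
    return int((end - start).total_seconds() // 60)

def downtime_minutes(outages) -> int:
    """Sum each (start, end) outage window in whole minutes."""
    return sum(int((end - start).total_seconds() // 60) for start, end in outages)

def monthly_uptime_percent(max_minutes: int, downtime: int) -> float:
    return (max_minutes - downtime) / max_minutes * 100

def service_credit_percent(uptime: float) -> int:
    """Credit tiers from the notes; the lower tier is checked first."""
    if uptime < 99.0:
        return 25
    if uptime < 99.95:
        return 10
    return 0

# Constructed sample: two outages in a 30-day month (43,200 minutes).
SAMPLE_OUTAGES = [
    (datetime(2021, 11, 3, 2, 0), datetime(2021, 11, 3, 2, 20)),      # 20 min
    (datetime(2021, 11, 18, 14, 5), datetime(2021, 11, 18, 14, 10)),  # 5 min
]

def sample_report() -> tuple:
    """(max minutes, downtime, uptime % rounded to 3 places, credit %)."""
    max_min = maximum_available_minutes(2021, 11)
    down = downtime_minutes(SAMPLE_OUTAGES)
    uptime = monthly_uptime_percent(max_min, down)
    return max_min, down, round(uptime, 3), service_credit_percent(uptime)
```

Only 25 minutes of downtime in the month already drops uptime to about 99.94%, below the 99.95% tier, which shows how little margin a "three and a half nines" target leaves.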
The Azure service lifecycle follows three phases: Private Preview, Public Preview, and General Availability.
Private Preview – an evaluation release for specific customers. The customer has to apply for the private preview service.
Public Preview – available to all Azure customers, with no defined SLA. Not recommended for production or any business-critical application.
General Availability – available to all Azure customers and covered by the SLA.
Azure Compliance, Privacy, and Governance
Azure Policy ensures that resources are compliant with defined standards and SLAs. Azure Policy allows customers to manage the compliance of resources across multiple Azure subscriptions.
You can create a group of policies; it is called an initiative.
Azure provides some predefined initiatives – United Kingdom Official, HIPAA, PCI-DSS, etc.
Within the dashboard, customers can view the overall compliance of a specific resource or policy.
If you want to prevent the use of a specific VM size, you can apply a policy that blocks that action.
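The "prevent a specific VM size" case above, as an added example that is not part of the original notes. The policy rule follows the shape of the built-in "Allowed virtual machine size SKUs" definition (the `Microsoft.Compute/virtualMachines/sku.name` alias is real); the evaluator itself is a simplified model written for illustration, not Azure's policy engine, and the allowed SKU list and sample resources are constructed.

```python
# Added example (not from the original post): a small evaluator for the shape
# of an Azure Policy rule, applied to an "allowed VM sizes" deny policy.
# Field aliases are looked up as plain keys of the resource dict (simplified).

ALLOWED_VM_SIZES_POLICY = {
    "mode": "Indexed",
    "parameters": {"listOfAllowedSKUs": {"type": "Array"}},
    "policyRule": {
        "if": {
            "allOf": [
                {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
                {"not": {"field": "Microsoft.Compute/virtualMachines/sku.name",
                         "in": "[parameters('listOfAllowedSKUs')]"}},
            ]
        },
        "then": {"effect": "deny"},
    },
}

def _resolve(value, params: dict):
    """Expand an ARM-style "[parameters('x')]" reference; other values pass through."""
    prefix, suffix = "[parameters('", "')]"
    if isinstance(value, str) and value.startswith(prefix) and value.endswith(suffix):
        return params[value[len(prefix):-len(suffix)]]
    return value

def _condition(cond: dict, resource: dict, params: dict) -> bool:
    if "allOf" in cond:
        return all(_condition(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(_condition(c, resource, params) for c in cond["anyOf"])
    if "not" in cond:
        return not _condition(cond["not"], resource, params)
    actual = resource.get(cond["field"])
    if "equals" in cond:
        return actual == _resolve(cond["equals"], params)
    if "in" in cond:
        return actual in _resolve(cond["in"], params)
    raise ValueError(f"unsupported condition: {cond}")

def evaluate_policy(policy: dict, resource: dict, params: dict):
    """Return the effect (here "deny") when the rule's "if" block matches, else None."""
    rule = policy["policyRule"]
    return rule["then"]["effect"] if _condition(rule["if"], resource, params) else None

# Constructed sample assignment: only two small sizes are allowed.
ASSIGNMENT_PARAMS = {"listOfAllowedSKUs": ["Standard_B2s", "Standard_D2s_v3"]}
```

Resources of other types fall through the first `allOf` condition and are never denied, which is why the `type` check belongs in every such rule.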
Azure Blueprints is a combination of one or more policies, role assignments, ARM templates, and resource groups.
The resource lock feature is used to prevent accidental deletion or modification of resources.
There are two types of resource lock: Read-Only and Delete.
Read-Only Lock – customers can read but can't modify or delete the resource.
Delete Lock – customers can read and modify but can't delete the resource.
You can apply multiple locks to a resource.
Resource locks can be applied to subscriptions, resource groups, or resources.
Resources inherit locks from their subscription and resource group; the most restrictive lock applies.
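Lock inheritance across the scopes listed above, modelled as an added example that is not part of the original notes. The lock level names `ReadOnly` and `CanNotDelete` are the real Azure values for the Read-Only and Delete locks; the subscription, resource group and VM ids are constructed.

```python
# Added example (not from the original post): models how a lock on a
# subscription or resource group is inherited by every resource below it and
# how the most restrictive lock wins. Scope ids are constructed sample data.
from typing import Dict, List, Set

LOCK_BLOCKS = {
    "CanNotDelete": {"delete"},            # the "Delete" lock from the notes
    "ReadOnly": {"modify", "delete"},      # the "Read-Only" lock from the notes
}

def effective_locks(locks_by_scope: Dict[str, List[str]], resource_id: str) -> Set[str]:
    """Collect locks from every scope that contains the resource (prefix match)."""
    locks: Set[str] = set()
    for scope, scope_locks in locks_by_scope.items():
        if resource_id == scope or resource_id.startswith(scope + "/"):
            locks.update(scope_locks)
    return locks

def operation_allowed(locks_by_scope: Dict[str, List[str]], resource_id: str, operation: str) -> bool:
    """Read is always allowed; modify/delete are blocked by any inherited lock."""
    if operation == "read":
        return True
    blocked: Set[str] = set()
    for lock in effective_locks(locks_by_scope, resource_id):
        blocked |= LOCK_BLOCKS[lock]
    return operation not in blocked

# Constructed sample: a delete lock on the resource group and a read-only
# lock on one VM inside it.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-prod"
VM_DB = RG + "/providers/Microsoft.Compute/virtualMachines/vm-db01"
VM_WEB = RG + "/providers/Microsoft.Compute/virtualMachines/vm-web01"
SAMPLE_LOCKS = {RG: ["CanNotDelete"], VM_DB: ["ReadOnly"]}
```

A practical consequence worth checking before applying a subscription-level lock: every resource under it inherits the lock, so a ReadOnly lock high in the hierarchy blocks routine modifications everywhere below it.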
Azure compliance makes sure that customers can follow industry and security standards.
The Service Trust Portal allows you to check Microsoft's compliance with standards and regulations.
Azure Cost Management
Capital Expenditure (CapEx) – money spent up front on acquiring and maintaining infrastructure. An example is a customer paying for the lease of software within a physical data center.
Operational Expenditure (OpEx) – money spent to consume a service or product. Examples are Azure Functions and Azure VM provisioning.
Azure Functions is the best example of a consumption-based pricing model.
Fixed Price Model – the customer is charged for a number of instances regardless of whether the resource is being used. Examples are Azure App Service and Azure VMs.
The Total Cost of Ownership (TCO) calculator is used to estimate the cost savings a customer can expect after migrating workloads to Azure.
The Pricing Calculator is used to estimate the cost of the Azure services you are planning to use.
Inbound data from on-premises to Azure is free.
Outbound traffic from Azure to on-premises is not free.
Data traffic between Azure services in the same region or availability zone is free.
Azure Internet of Things (IoT), Big Data, AI, and Machine Learning
Azure IoT Hub is used to manage messaging hubs for IoT-enabled devices. Reports are sent programmatically.
Azure IoT Central – IoT Hub with dashboard features. Reports are configured through a user interface (UI) instead of programming.
Azure Sphere – a comprehensive, highly secured solution for IoT devices. Useful in voting machines, ATMs, and point-of-sale devices where high security is needed.
Big Data – for end-to-end big data analytics solutions that run complex queries, customers can use Azure Synapse Analytics.
Azure HDInsight – a Hadoop-based open-source analytics service, compatible with Apache Hadoop, Spark, and Hive.
Azure Databricks – an Apache Spark-based analytics service.
Conversing with humans through an AI system uses the Azure Bot Service.
Azure Cognitive Services are pre-built machine learning services used for language, vision, and text-to-speech.
Microsoft Azure DevOps helps with Continuous Integration and Continuous Deployment (CI/CD).
It uses private source control to manage versioned source code.
Azure DevTest Labs – allows customers to quickly create environments from reusable templates and artifacts. It also supports Windows and Linux test environments, and customers can configure automated shutdowns to minimize cost.
Azure Resource Manager (ARM) is used to implement infrastructure as code within Azure. ARM templates are JSON-based files that define the infrastructure and related configuration. For example, customers can create VMs and a SQL database with their required configuration from the Azure portal; if there is a later request to create the same environment, customers can quickly reuse an ARM template with the same JSON files.
The next post will contain the rest of my Azure study notes and the URL link resources. After the holidays I will start studying for the Azure Administrator exam AZ-104 and post my progress and notes here. If you have any questions or comments, feel free to leave a comment. I am always looking for new helpful content, so please reach out through the comment section if you have any ideas for articles or videos.