This article is a set of important AZ-900 notes for those preparing for the AZ-900 exam.
Azure Regions and Availability Zones
In this section, we will look into Azure Regions, Zones and availability.
- Azure provides 60+ regions around the globe.
- Regions are geographical locations.
- Deploying your services to multiple regions gives high availability, low latency, and geographical reach.
- Azure provides multiple Availability Zones in a single Azure region.
- Each Availability Zone is one or more data centers, and each has its own network connectivity and power resources.
- The Availability Zones in a region are connected with a low latency link.
- Availability Zones help to achieve high availability with low latency in the same region.
- Not all Azure regions have Availability Zones.
- Some Availability Zone counts in Azure regions:
  - East US - 3, West Europe - 3, Southeast Asia - 3, West Central US - 0
Subscription, Resource Groups, Management Groups and Tags
- A Resource Group is a group of resources like Virtual Machines, Databases etc.
- One resource group is associated with one Azure subscription.
- Azure resource hierarchy: Management Groups -> Azure Subscription -> Resource Group -> Resources
- One resource can be associated with only one resource group.
- A resource group can contain resources from multiple Azure regions.
- Resource groups are offered by Azure at no cost; we only pay for resources, not for resource groups.
- A permission applied to a resource group is automatically applied to the resources in that resource group.
- To manage cost and billing for the different departments within your organization, create different subscriptions.
- You cannot merge two subscriptions into one; however, you can move a resource from one subscription to another.
- If a subscription has expired, you cannot create a resource, but data can still be accessed.
- Tags are used to identify applications, resources, and environments for tracking and reporting purposes.
- Tags help us to categorize the resources in Azure. Tags are not automatically inherited from the resource group by the resources within it.
Virtual Machines, Availability Set and Scale Set
- We deploy software or any application in the cloud on a Virtual Machine.
- A Virtual Machine with a Premium SSD or Ultra Disk gives a 99.9% SLA.
- A Virtual Machine with a Standard SSD disk gives a 99.5% SLA.
- A Standard HDD disk VM gives a 95% SLA.
- 2 virtual machines in the same Availability Set give you 99.95% availability.
- An Availability Set is a logical grouping of Virtual Machines.
- Azure provides 2 types of Availability Set domains: Fault Domain and Update Domain.
  - Fault Domain - A group of virtual machines which share common network connectivity and power supply.
  - Update Domain - This logical group gets restarted at the same time. All the maintenance happens in this group at the same time.
- Distributing VMs across multiple fault domains increases availability.
- Creating multiple instances in 2 or more Availability Zones in the same Azure region gives you 99.99% availability.
- Virtual Machine Scale Set (VM Scale Set) allows you to create and manage a group of Azure Virtual Machines.
- VM Scale Set allows auto and manual scaling.
- A single scale set can allow up to 1000 VM instances.
- Auto-scaling in a VM Scale Set can be configured based on CPU threshold, memory utilization etc.
- VM Scale Set creates a private IP address by default.
- Public IP addresses are chargeable.
- There are 2 types of scaling: Vertical Scaling and Horizontal Scaling.
  - Vertical Scaling - Increase the available hardware capacity, e.g. increasing RAM size.
  - Horizontal Scaling - Increase the number of Virtual Machine instances.
- 2 VMs of the same size can cost differently because prices vary with time and region.
IaaS, PaaS, SaaS and Containers
Detailed article available here - Azure Compute Services (IaaS, PaaS)
- IaaS (Infrastructure as a Service) - A cloud model which allows us to manage infrastructure from a cloud service provider. In this cloud model, we are responsible for managing the Virtual Machine, Database, OS, Load Balancer etc. With software, we have to manage the underlying hardware as well.
- PaaS (Platform as a Service) - We are responsible only for our application deployment and related configuration; there is no need to worry about the underlying hardware. Azure App Service, Azure Container, and Azure Cosmos DB are examples of the PaaS model. In the PaaS model, we can configure hardware needs and auto-scaling needs.
- SaaS (Software as a Service) - We are responsible only for using the application, not for its deployment and maintenance. Google Docs, Office 365, and Dropbox are examples of the SaaS model.
- Azure Containers are used to virtualize the software. We don't need to manage any Virtual Machines.
- We can deploy microservice-based applications to Azure with the help of Azure Containers.
- Azure Containers create a Docker image for each microservice based on requirement. For example, you can create a Docker image for Windows + .NET and another image for Linux + PHP.
- Azure offers Azure Service Fabric and Kubernetes for container orchestration.
- Kubernetes is a popular open-source container orchestration tool.
- Azure Service Fabric is a container orchestration tool which runs on the Azure cloud only.
Public Cloud, Private Cloud and Hybrid Cloud
- Public Cloud - It allows you to host and deploy applications in the cloud with no data centre available on-premise. No Capital Expenditure (CapEx) required, pay as you go, underlying hardware maintained by Azure, hardware resources shared among multiple tenants.
- Private Cloud - It allows you to host and deploy everything within your own data centre. It needs Capital Expenditure, staff, and maintenance. A Private Cloud provides a high level of security and privacy.
- Hybrid Cloud - It is the combination of Public and Private. For example, an application server is in an on-premise data centre and the database is in the Azure cloud.
Serverless, Azure Functions and Logic Apps
- Serverless doesn't mean "no server"; it simply means there is no need to focus on the server and related entities. It also means zero visibility of servers.
- In Serverless, no request = no cost.
- Azure Functions is an example of serverless computing.
- Azure Functions allows you to pay for the number of requests raised and memory utilization. It supports all the major programming languages such as C#, Python, Java, TypeScript etc.
- To create an Azure Function in Azure, search for Function App in the Azure search bar.
- While creating an Azure Function in the Azure portal, you just select the runtime (.NET, Java etc.); options like Availability Set and Availability Zones are not available because the servers are not managed by us.
- Azure Functions are auto-scalable.
- Logic Apps is a serverless orchestration service in Azure. It is a no-code (or low-code) solution and mostly works with a GUI.
- A Logic App can be useful to trigger events on a specific action, such as sending an email.
- Azure offers in-built templates to create Logic Apps.
Azure Storage
Article available here - Azure Storage
- Azure offers File Storage (Azure Files), Block Storage (Azure Disk) and Object Storage (Blob Storage).
- File storage can be shared between multiple Virtual Machines.
- Azure offers the following data redundancy options: LRS, ZRS, GRS, GZRS.
  - LRS (Locally Redundant Storage) - 3 synchronous copies in the same data centre; least expensive and with the least availability.
  - ZRS (Zone Redundant Storage) - 3 synchronous copies in 3 Availability Zones in the primary region.
  - GRS (Geo Redundant Storage) - LRS + an asynchronous copy to the secondary region.
  - GZRS (Geo Zone Redundant Storage) - ZRS + an asynchronous copy of data to the secondary region. It is the most expensive and provides the highest availability.
- Azure Disk with Standard HDD is recommended for backup storage.
- Standard SSD is recommended for lightweight applications.
- Azure Disk with Premium/Ultra SSD is recommended for production use.
- Blob storage allows the storage of huge amounts of unstructured data.
Azure Database
Microsoft Azure offers fully managed relational, NoSQL and in-memory databases for various uses.
Detailed article available here - Azure Database

| Azure Database | Purpose |
|---|---|
| Azure SQL Database | Managed, intelligent SQL in Azure and an always up-to-date SQL instance. Gives 99.99% availability |
| Azure Database for PostgreSQL | Build scalable, secure and fully managed enterprise-ready apps on open-source PostgreSQL |
| Azure MySQL | Deliver high availability to open-source mobile and web apps with a managed community MySQL database service |
| Azure MariaDB | Deliver high availability to open-source mobile and web apps with a managed community MariaDB database service |
| Azure Cosmos DB | Build applications with guaranteed low latency and high availability anywhere, at any scale, or migrate Cassandra, MongoDB and other NoSQL workloads to the cloud |
| Azure Cache for Redis | Power fast, scalable applications with an open-source-compatible in-memory datastore |
| Azure Synapse Analytics | Database for analytics |

Microsoft Azure Cosmos DB provides low latency and can offer sub-5-ms response time.
Azure Networking
- Azure Virtual Network is your own isolated network in the Azure cloud; it is like a LAN on-premise.
- Each virtual network is associated with 1 region.
- A subnet is used to isolate public resources from private resources within an Azure Virtual Network.
- All subnets (private or public) in a single virtual network (VNet) can communicate with each other.
- Each VM in a Virtual Network is assigned a private IP address. However, we can assign a public IP address as well.
- Network peering can connect resources in different Azure Virtual Networks (in different Azure regions as well).
- Network Security Group (NSG) is an internal firewall inside an Azure Virtual Network. It allows/blocks traffic based on IP address and port. An NSG can restrict traffic between resources; for example, it can allow database access only from the web servers rather than from the outside world.
- An NSG is attached to a subnet or a network interface.
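The "database access only from the web servers" case above, as an added example that is not part of the original notes: a simplified Python model of how NSG inbound rules are evaluated. The rule names, the subnet prefix 10.0.1.0/24 and the sample source addresses are constructed; the evaluation order (ascending priority number, first match wins, built-in DenyAllInBound when nothing matches) is how Azure NSGs behave, but this is illustration code, not Azure's implementation.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Simplified model of NSG inbound evaluation (example code, not Azure's own).
# Rules are checked in ascending priority order (lower number first); the first
# rule whose source prefix and destination port match decides. If no custom rule
# matches, Azure's built-in DenyAllInBound default rule denies the packet.


@dataclass(frozen=True)
class NsgRule:
    name: str
    priority: int             # lower number is evaluated first
    source: str               # CIDR prefix, or "*" for any source
    dest_port: Optional[int]  # None means any destination port
    access: str               # "Allow" or "Deny"


def rule_matches(rule: NsgRule, src_ip: str, dest_port: int) -> bool:
    """True if the packet's source address and destination port fall under the rule."""
    if rule.source != "*" and ip_address(src_ip) not in ip_network(rule.source):
        return False
    return rule.dest_port is None or rule.dest_port == dest_port


def evaluate_inbound(rules: List[NsgRule], src_ip: str, dest_port: int) -> Tuple[str, str]:
    """Return (access, rule_name) for the first matching rule in priority order."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule_matches(rule, src_ip, dest_port):
            return rule.access, rule.name
    return "Deny", "DenyAllInBound"  # built-in default for unmatched inbound traffic


# Constructed sample: NSG on a database subnet. The web subnet (10.0.1.0/24)
# may reach SQL Server on port 1433; every other source is denied on that port.
DB_SUBNET_RULES = [
    NsgRule("AllowWebToSql", 100, "10.0.1.0/24", 1433, "Allow"),
    NsgRule("DenyInternetToSql", 200, "*", 1433, "Deny"),
]

# The same two rules with the priorities swapped: a common misconfiguration,
# because the broad Deny is now consulted before the narrow Allow.
MISORDERED_RULES = [
    NsgRule("AllowWebToSql", 200, "10.0.1.0/24", 1433, "Allow"),
    NsgRule("DenyInternetToSql", 100, "*", 1433, "Deny"),
]

if __name__ == "__main__":
    for ip, port in [("10.0.1.5", 1433), ("203.0.113.9", 1433), ("10.0.1.5", 22)]:
        print(ip, port, evaluate_inbound(DB_SUBNET_RULES, ip, port))
    print("misordered:", evaluate_inbound(MISORDERED_RULES, "10.0.1.5", 1433))
```

Note that a port the rules never mention (22 in the sample) is denied by the default rule even though nothing explicitly blocks it, and that swapping the two priorities locks the web servers out as well; the priority number, not the order in which rules were created, is what Azure evaluates.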
- Azure Application Gateway can do URL-based routing. It is a web traffic load balancer which enables us to manage traffic to our web applications hosted in the Azure cloud.
- A traditional load balancer operates at the transport layer (OSI Layer 4 - TCP, UDP) to route traffic.
- Azure Firewall is a managed, centralized network firewall-as-a-service; it sits outside the Azure Virtual Network.
- Allowed inbound traffic automatically passes outbound in Azure Firewall.
- One Azure Firewall can control traffic to multiple Azure Virtual Networks across multiple Azure subscriptions.
- Web Application Firewall is tied to one web application to protect it from OWASP threats (cross-site scripting, SQL injection etc.).
- Azure ExpressRoute is a private and dedicated connection between the Azure cloud and an on-premise data centre. It gives high bandwidth with high security.
Article available here - Networking in Azure
Azure Security
- Azure Security Center is a threat management and protection feature for the Azure cloud. It provides a security score and improves security by adding more security features.
- Basic protection and security are free in the Azure cloud.
- Azure Defender is additional security that you can enable. It is a costly feature by Azure. It provides threat protection for PaaS services.
- Azure Sentinel is an intelligent security analytics service for the entire enterprise. It is a security information and event management (SIEM) system.
- Azure Sentinel detects threats and responds very fast with the help of AI.
- To store access secrets such as API keys, passwords, and certificates we can use Azure Key Vault.
- Official definition by Microsoft - Azure Key Vault safeguards cryptographic keys and other secrets used by cloud apps and services.
- Azure AD Identity Management helps us to manage identity and access in the Azure cloud.
- To synchronize on-premise Active Directory with Azure AD we can use Azure AD Connect.
- Azure AD MFA (Multi-factor Authentication) - Azure AD MFA uses any 2 of the given authentication options: user id and password, a trusted device, fingerprint or face recognition.
- To enable Azure AD MFA, you need to use Azure AD Identity Protection.
- If a user is logging in from an unknown device or location, then mandate MFA to provide security; this is called Conditional Access.
- Conditional Access is one of the premium features in Azure AD that comes with P1 and P2 licenses.
- We can change the default directory in Azure, but this will not change billing ownership.
- One subscription can be connected to one Azure AD directory. You can associate multiple subscriptions with one Azure AD directory.
- RBAC stands for Role-Based Access Control.
- When an Azure subscription expires, the associated Azure AD tenant is not deleted; later you can associate it with a different subscription.
Article available here - Security and Identity Management
Azure Management Tools
- Azure Advisor is a recommendation tool to improve reliability, security and performance and to achieve great service at a reduced cost. For example, it recommends optimizing VMs by applying auto-scaling, which can reduce cost.
- Azure Monitor is another tool which collects and analyzes logs and metrics. It is used to track events at the resource level. Azure Monitor can monitor resources across multiple subscriptions, helps to identify issues and sends alerts. It can monitor on-premise environments as well.
  - Application Insights - Azure Monitor service to monitor/diagnose application-related issues.
  - VM Insights - Monitors the health of VMs and scale sets.
  - Container Insights - Monitors the containers available in your subscription.
  - Log Analytics - Azure Monitor service to send SMS and email based on logs and metrics.
- Azure Service Health is a personalized dashboard for receiving notifications, guidance, and technical support when Azure service issues, updates, or planned maintenance affect your Azure resources.
- Visit status.azure.com to see Azure health region-wise.
- Azure Service Health also tells you about Azure services which will be decommissioned.
Azure Service Level Agreement (SLA)
- SLA stands for Service Level Agreement. It is a formal agreement between the service provider and the customer.
- Azure gives a service credit in case it doesn't meet the agreed SLA: if < 99.95% then 10% of the amount is credited; if < 99% then 25% of the amount is credited. You need to submit an SLA credit request to get the service credit.
- Monthly uptime % = (Maximum Available Minutes - Downtime) / (Maximum Available Minutes) * 100
- Azure Service Lifecycle follows 3 phases:
  - Private Preview - It is an evaluation-purpose release for specific customers. You need to apply to use a Private Preview. This release does not follow any SLA.
  - Public Preview - It is available to all Azure customers and it also has no defined SLA. Public Preview is not recommended for production or any business-critical application.
  - General Availability - This release is available to all customers and follows the SLA as well.
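The uptime formula and the credit tiers above, worked through in Python as an added example (not part of the original notes). The 30-day month, the outage lengths and the `credit_for_outage` helper are constructed for illustration; the formula and the 10% / 25% thresholds are the ones stated in the notes, and real Azure credit terms are per-service, so check the SLA document of the service concerned.

```python
# Constructed sample month: 30 days of "Maximum Available Minutes".
MINUTES_IN_30_DAY_MONTH = 30 * 24 * 60  # 43,200 minutes


def monthly_uptime_percent(max_available_minutes: int, downtime_minutes: float) -> float:
    """Monthly uptime % = (Maximum Available Minutes - Downtime) / Maximum Available Minutes * 100."""
    if not 0 <= downtime_minutes <= max_available_minutes:
        raise ValueError("downtime must lie between 0 and the maximum available minutes")
    return (max_available_minutes - downtime_minutes) / max_available_minutes * 100


def service_credit_percent(uptime_percent: float) -> int:
    """Credit tiers as stated in the notes: below 99.95% -> 10%, below 99% -> 25%."""
    if uptime_percent < 99.0:
        return 25
    if uptime_percent < 99.95:
        return 10
    return 0


def allowed_downtime_minutes(sla_percent: float,
                             max_available_minutes: int = MINUTES_IN_30_DAY_MONTH) -> float:
    """Inverse of the uptime formula: the most downtime a month may contain and still meet the SLA."""
    return max_available_minutes * (100 - sla_percent) / 100


def credit_for_outage(downtime_minutes: float,
                      max_available_minutes: int = MINUTES_IN_30_DAY_MONTH) -> dict:
    """Uptime and credit tier for one outage of the given length in the sample month."""
    uptime = monthly_uptime_percent(max_available_minutes, downtime_minutes)
    return {"uptime_percent": round(uptime, 4), "credit_percent": service_credit_percent(uptime)}


if __name__ == "__main__":
    for minutes in (10, 30, 500):          # constructed outage lengths
        print(minutes, "min down ->", credit_for_outage(minutes))
    for sla in (99.9, 99.95, 99.99):
        print(f"{sla}% SLA allows {allowed_downtime_minutes(sla):.2f} min/month")
```

The second loop is the figure practitioners most often need: a 99.99% SLA leaves only a few minutes of downtime per month, which is why the notes pair that number with multiple Availability Zones rather than a single VM.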
Article available here - Azure Service Level Agreement (SLA)
Azure Compliance, Privacy and Governance
- Microsoft Azure Policy ensures that resources comply with defined standards and SLAs. Azure Policy allows you to manage compliance of resources across multiple Azure subscriptions.
- You can create a group of policies; it is called an Initiative.
- Azure provides some predefined initiatives - UK OFFICIAL, HIPAA, PCI-DSS etc.
- In the Compliance dashboard, you can view the overall compliance of a specific resource or policy.
- If you want to prevent a specific size of VM, you can apply a policy which will prevent this action.
- Azure Blueprints is the combination of one or more Policies, Roles, ARM Templates, and Resource Groups.
- The Resource Lock feature is used to prevent accidental deletion or modification of resources.
- There are 2 types of resource locks:
  - Read-Only Lock - Users can read but they can't modify or delete the resource.
  - Delete Lock - Users can read and modify but they can't delete it.
- You can apply multiple locks on a resource.
- A Resource Lock can be applied to a subscription, resource group or resource.
- Resources inherit Azure locks from the subscription and resource group.
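The lock rules in the list above (two lock types, multiple locks on one resource, inheritance from subscription and resource group) as an added Python model; this is illustration code, not Azure's implementation. `CanNotDelete` is Azure's own name for the "Delete Lock" in the notes; the scope names, the `PROD_RG` and `FROZEN_RESOURCE` samples and the `is_operation_allowed` helper are constructed.

```python
from enum import Enum
from typing import Dict, Iterable, Set


class Lock(Enum):
    READ_ONLY = "ReadOnly"           # the "Read-Only Lock" in the notes
    CAN_NOT_DELETE = "CanNotDelete"  # the "Delete Lock" in the notes (Azure's name)


# Scopes from the notes, outermost first; locks flow downward through them.
SCOPES = ("subscription", "resource_group", "resource")


def effective_locks(locks_by_scope: Dict[str, Iterable[Lock]]) -> Set[Lock]:
    """A resource carries every lock set on itself, its resource group and its subscription."""
    effective: Set[Lock] = set()
    for scope in SCOPES:
        effective.update(locks_by_scope.get(scope, ()))
    return effective


def is_operation_allowed(operation: str, locks_by_scope: Dict[str, Iterable[Lock]]) -> bool:
    """operation is "read", "modify" or "delete"; with several locks the most restrictive wins."""
    locks = effective_locks(locks_by_scope)
    if operation == "read":
        return True                           # neither lock type blocks reads
    if operation == "modify":
        return Lock.READ_ONLY not in locks    # only a ReadOnly lock blocks changes
    if operation == "delete":
        return not locks                      # either lock type blocks deletion
    raise ValueError(f"unknown operation: {operation}")


# Constructed samples: a production resource group carries a delete lock, and one
# resource inside it additionally carries a read-only lock of its own.
PROD_RG = {"resource_group": [Lock.CAN_NOT_DELETE]}
FROZEN_RESOURCE = {"resource_group": [Lock.CAN_NOT_DELETE], "resource": [Lock.READ_ONLY]}
LOCKED_SUBSCRIPTION = {"subscription": [Lock.READ_ONLY]}

if __name__ == "__main__":
    for label, scopes in (("prod rg", PROD_RG), ("frozen", FROZEN_RESOURCE),
                          ("locked sub", LOCKED_SUBSCRIPTION)):
        print(label, {op: is_operation_allowed(op, scopes) for op in ("read", "modify", "delete")})
```

The `LOCKED_SUBSCRIPTION` sample shows why a subscription-level ReadOnly lock is rarely what an administrator wants: every resource in the subscription inherits it, so modifications are blocked everywhere, not just on the resources the lock was meant to protect.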
- Azure compliance makes sure that you follow industry and security standards.
- Service Trust Portal allows you to check standards and regulations.
- GDPR (General Data Protection Regulation) was introduced to protect the personal data of people in Europe.
- RBI and IRDAI (India) - The Reserve Bank of India (RBI), the Insurance Regulatory and Development Authority of India (IRDAI), and the Ministry of Electronics and Information Technology (MeitY) comprise three of the key financial industry regulators overseeing banks, insurance organizations, and market infrastructure institutions.
- Azure Government can be used by US government employees, entities and contractors.
- Azure China is not operated by Microsoft; the company 21Vianet operates Azure in China and follows Chinese telecommunication regulations.
Article available here - Compliance, Privacy and Governance
Azure Cost Management
- Capital Expenditure (CapEx) - The money spent to buy infrastructure and the cost to maintain it. Example - paying for software on lease, a physical data centre.
- Operational Expenditure (OpEx) - Money spent to consume a service or product. Example - Azure Functions, Azure VM provisioning.
- Azure Functions is the best example of the consumption-based price model.
- Fixed Price Model - You are charged for the number of instances regardless of whether the resource is being used or not. Example - Azure App Service, Azure VM.
- TCO or Total Cost of Ownership is used to estimate the cost savings you calculate after migrating your workloads to Azure.
- The Pricing Calculator is used to estimate the cost of the Azure services that you are planning to use.
- Inbound data from on-premises to Azure is free.
- Outbound traffic from Azure to on-premise is not free.
- Data traffic between Azure services in the same region or Availability Zone is free.
Article available here - Azure Cost Management
Azure IoT, Big Data, AI and Machine Learning
- Azure IoT Hub is used to manage message hubs for IoT-enabled devices. It allows you to present reports programmatically.
- Azure IoT Central - It is an IoT hub with a dashboard. It presents reports with a UI instead of programming.
- Azure Sphere - It provides comprehensive solutions for IoT devices with high security. It is useful in voting machines, ATMs, and point-of-sale devices where high security is needed.
- Big Data Solution - For an end-to-end analytics solution for big data that runs complex queries we can use Azure Synapse Analytics; it was earlier known as Azure SQL Data Warehouse.
- Azure HDInsight - Hadoop-based open-source analytics service. Compatible with Apache Hadoop, Spark, Hive.
- Azure Databricks - It is an Apache Spark-based analytics service.
- To talk with humans through an AI system, use Azure Bot Service.
- Azure Cognitive Services is pre-built Machine Learning that is used for language, vision, and text-to-speech services.
Article available here - Azure IoT, Big Data and Machine Learning
Azure DevOps
- Microsoft Azure DevOps helps in Continuous Integration and Continuous Deployment.
- It is a private source control to manage source code with versions.
- Azure DevTest Labs - This allows you to quickly create environments using reusable templates and artefacts. It allows you to create Windows and Linux environments quickly, and with Azure DevTest Labs you can set an automated shutdown to minimize cost.
- ARM (Azure Resource Manager) Template is a way to implement Infrastructure as Code in Azure. An ARM template is a JSON-based file which defines the infrastructure and related configuration. For example, you can create a VM and SQL Database of your required configuration from the Azure portal; if you are then asked to create the same environment, you have to repeat the same steps. Instead, you can create an ARM Template and create the environment from the same JSON file quickly.
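The ARM template bullet above describes a JSON file; the following added Python example (not from the original notes) shows the shape of such a file and a small pre-deployment check a practitioner can run on it before handing it to Azure. The `$schema` URL, the `Microsoft.Compute/virtualMachines` type and the `resourceGroup().location` expression are real ARM values; the template contents, the `apiVersion` string and the `lint_arm_template` helper are constructed for illustration and cover only a few of the checks a real deployment performs.

```python
import json
import re

# Matches ARM expressions such as "[parameters('vmName')]" anywhere in a string.
PARAM_REF = re.compile(r"parameters\('([^']+)'\)")


def _strings(node):
    """Yield every string value anywhere in a parsed JSON document."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for value in node.values():
            yield from _strings(value)
    elif isinstance(node, list):
        for value in node:
            yield from _strings(value)


def lint_arm_template(text: str) -> list:
    """Return a list of findings for an ARM template given as JSON text (empty = clean)."""
    findings = []
    template = json.loads(text)
    for key in ("$schema", "contentVersion", "resources"):
        if key not in template:
            findings.append(f"missing top-level key: {key}")
    for index, resource in enumerate(template.get("resources", [])):
        for key in ("type", "apiVersion", "name"):
            if key not in resource:
                findings.append(f"resource[{index}] missing {key}")
    # Every parameters('x') used by a resource must be declared under "parameters",
    # otherwise the deployment fails at validation time.
    declared = set(template.get("parameters", {}))
    referenced = set()
    for value in _strings(template.get("resources", [])):
        referenced.update(PARAM_REF.findall(value))
    for name in sorted(referenced - declared):
        findings.append(f"undeclared parameter reference: {name}")
    return findings


# Constructed sample template: one VM whose "location" parameter was never declared.
SAMPLE_TEMPLATE = json.dumps({
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {"vmName": {"type": "string"}},
    "resources": [{
        "type": "Microsoft.Compute/virtualMachines",
        "apiVersion": "2023-03-01",  # sample value; use the version your tooling supports
        "name": "[parameters('vmName')]",
        "location": "[parameters('location')]",
        "properties": {},
    }],
})

# The same template with the missing parameter declared (defaulting to the RG's location).
FIXED_TEMPLATE = json.dumps({
    **json.loads(SAMPLE_TEMPLATE),
    "parameters": {
        "vmName": {"type": "string"},
        "location": {"type": "string", "defaultValue": "[resourceGroup().location]"},
    },
})

if __name__ == "__main__":
    print("sample:", lint_arm_template(SAMPLE_TEMPLATE))
    print("fixed: ", lint_arm_template(FIXED_TEMPLATE))
```

The point of the example is the repeatability the notes describe: because the whole environment is a JSON document, it can be checked mechanically (here for undeclared parameters and missing required keys) before every deployment, which is not possible when the environment is built by hand in the portal.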
Ref: https://www.sharepointcafe.net/2021/08/exam-az-900-notes.html