🥒
Dill's Knowledge Base
  • Hello World
  • 💻SQL
    • ❌Error Handling
    • 🧀Parameter Sniffing
      • Indexes
      • Query Hints
      • RECOMPILE
      • Branching
      • Memory Grants
      • Summary
      • Bonus
    • SQL Server Buffer Pool
  • 🖱️MongoDB
    • Instructor Led Training
      • DF100
      • DF200
      • DF300
      • DF400
    • MongoDB DBA University
      • DBA Admin Tools
      • DBA Basics
      • Metrics & Monitoring
  • 💻Web Design
    • Oxygen Tips
    • Bricks Builder
      • Tips
      • Discovery Call
      • Utility vs Custom Classes
      • Math Functions
      • Static vs Relative Units
  • Azure
    • AZ-900
      • Benefit of Cloud Computing
      • CapEx, OpEx and Consumption-based
      • Differences Between Cloud Service Categories
      • Identify The Right Service Type
      • Differences Between Types of Cloud Computing
      • Reliability and Predictability
      • Regions and Region Pairs
      • Availability Zones
      • Resource Groups
      • Subscriptions
      • Management Groups
      • Azure Resource Manager
      • Azure ARC
      • Resources Required for VM
      • Benefits and Usage of Core Compute Resources
      • Benefits and Usage of Core Network Resources
      • Public/Private Endpoints
      • Benefits and Usage of Storage Accounts
      • Benefits and Usage of Database Resources
      • Data Movement and Migration Options
      • Benefits and Usage of IoT Services
      • Benefits and Usage of Big Data and Analytics Services
      • Benefits and Usage of AI Services
      • Benefits and Usage of Serverless Technologies
      • Benefits and Usage of DevOps Technologies
      • Functionality of Azure Management Solutions
      • Functionality and Usage of Azure Advisor
      • Functionality and Usage of ARM Templates
      • Functionality and Usage of Azure Monitor
      • Functionality and Usage of Azure Service Health
      • Functionality of Microsoft Defender for Cloud
      • Functionality and Usage of Key Vault
      • Functionality and Usage of Microsoft Sentinel
      • Azure Dedicated Host
      • Defense in Depth
      • Describe the Concept of Zero Trust
      • Functionality and Usage of NSGs
      • Functionality and Usage of Azure Firewall
      • Functionality and Usage of Azure DDoS Protection
      • Explain Authentication and Authorization
      • Functionality and Usage of Azure AD
      • Microsoft Entra Overview
      • Functionality of Conditional Access, MFA and SSO
      • Functionality and Usage of RBAC
      • Functionality and Usage of Resource Locks
      • Functionality and Usage of Tags
      • Functionality and Usage of Azure Policy
      • Governance Hierarchy Constructs
      • Azure Blueprints
      • Describe Microsoft Privacy Statement, OST and DPA
      • Purpose of Trust Center and Azure Compliance Documentation
      • Purpose of Azure Sovereign Regions
      • Factors That Affect Costs
      • Factors to Reduce Cost
      • Functionality and Usage of Azure Cost Management
      • Purpose of Service Level Agreements
    • DP-900
      • Study Cram
    • DP-300
      • Deploy IaaS Soluton with Azure SQL
  • 📦Kubernetes
    • Udemy: Kubernetes for Beginners
Powered by GitBook
On this page
  1. Azure

AZ-900

Below page is the study "cram" by John Savill for the AZ900.

PreviousStatic vs Relative UnitsNextBenefit of Cloud Computing

Last updated 2 years ago

Source:

Capital Expenditure vs Operational Expenditure

  • on-prem you pay for everything upfront, but in the cloud you pay for capacity based on what you use

IaaS = Full access to OS, but removes networking, compute, storage, etc

PaaS = Unlike IaaS, with PaaS you are only responsible for your app and data

SaaS = Everything is provided

Regions

  • Each region (e.g. east-us, west-us) will have multiple physical buildings that are relatively close together, but have separate cooling/networking/power/etc (Availability Zone)

    • For each subscription, you will have 3 availability zones, but if you have a second subscription then you might have 3 different availability zones (AKA 3 different buildings within the same region)

    • Zone redundant means that the service spans the availability zones. Some services are done automatically for you with a simple checkbox while other services have to be pinned to each individual zones manually (e.g. a VM has to be created and applied to each AZ manually)

  • Close to customers, regulatory reasons, disaster recovery from natural disasters are all reasons for having multiple regions

  • Availability Set is when your resources are on different racks within the same AZ

Azure AD

  • Cloud IDP (Identity Provider) contains users, groups, devices, applications, etc

  • OIDC, SAML, WSFED, OAUTH2

  • Authentication (OIDC, SAML, WSFED or MFA which involves any 2 of the previous) means proving who I am via something I know like a password/pin or something I have like a token/cellphone or something I am like a biometric

  • Authorization (RBAC: Role based access control) is what scope of permissions you fall into once authenticated. This involves a certain level of permissions at a particular scope (owner, reader, contributor, etc)

    • Policies are guardrails assigning what a user is allowed to do, but can also be used for auditing purposes

  • A lot of companies will already have an on-prem AD, which can be synced to azure with AAD Connect, which then enables SSO (seamless sign-on) allowing the user to seamlessly access Azure resources once connected on-prem

  • Management Groups can be used to further control access

    • RBAC, Policy, and budget can be applied to each management group, which can filter down to a subscription

  • A subscription is essentially a billing boundary

    • Once again, RBAC, Policy and budget can be applied to a subscription

  • Resources get created in a resource group, which is nested inside a subscription (note: RGs can not be nested)

    • Once again, RBAC, Policy and budget can be applied to a resource group

    • Resource groups do not limit connectivity

    • RGs should have a common lifecycle so that everything is created and destroyed as a group

  • Azure Resource Manager (ARM)

    • Used to simplify the provisioning of resources. The portal, mobile app, AZ CLI, and PoshAZ module all use ARM

      • John Savill says that the portal is good for looking at what's available, but for provisioning actual resources it should be avoided because it is subject to change

      • ARM JSON templates are declarative/idempotent where you declare the end state and make provisioning significantly easier

        • Terraform is a 3rd party product that allows you to more easily create ARM templates

    • Resource Locks can prevent a user from deleting a resource

    • Tags can be applied in a key:value format, which is essentially just metadata

      • Tags do NOT get inherited

    • Blueprint

      • Comprised of artifcats (policies, ARM template, RGs, and roles) allow for reusability and consistency

Resources

  • VMs have memory, vcpus, network, IOps

    • SKUs are like pre-packaged VMs that are setup with similar ratios

      • "Memory optimized" or "general purpose"

    • VM Scale Set

      • Pick a certain template for the disk, a certain configuration, and assign the auto scale values, which creates and deletes VMs behind-the-scenes based on what you set

    • Azure Dedicated Host

      • By default, the cloud is multi-tenant, but you can pay Microsoft for a dedicated host of a particular SKU that you can then use to create multiple VMs of the same SKU type, but they can also be different in size

    • Azure Batch will allow you to do large scale executions where it will provision the necessary resources for a specific job

    • Container Host

      • The VM already exists, but there are multiple sandboxes under the same OS

      • Allows the user to quickly run containers against a specific sandbox that will spin up much faster than an entire VM since the VM already exists

      • These are multi-tenant, but there is still isolation from your neighbor despite being on the same VM

    • Azure Container Instance

      • Runs on it's own instance separated from other tenants

      • there are VNETs and public endpoints

    • Azure Kubernetes Service

      • This will spin up a node pool, which utilizes VM scale sets

    • Azure App Service

      • Webapp service, API, mobile

  • All of the above are PaaS, but there are still underlying VMs

    • Serverless.. you pay for the work it actually does

      • Event-driven

      • Azure Functions

        • Running code from various languages

      • Azure Logic Apps

        • No or low code

  • Azure Virtual Desktop

    • self-explanatory

Azure Key Vault

  • Secrets, keys, and certs

  • RBAC can control on an individual secret level

    • You can give the identity of an app service access to a specific secret, which then provides access to something else

      • i.e. an app service can only ever be itself and nobody can imitate that app service

Networking

  • With a subscription, you can use multiple regions, but a vnet exists within a certain region/subscription.. it cannot span multiple

  • Under this a vnet is created and is defined at minimum by 1:m ipv4 address ranges

    • RFC 1918 or 192.168.16 will never be routed over the internet

  • When picking an ip range, you need to make sure it doesn't conflict with anything else you might have such as on-prem network

    • You can optionally add ipv6 ranges on top of ipv4

  • Within the vnet, you can create virtual subnets which also have an ip range

    • A subnet can span all the availability zones within a region

  • site-to-site vpn is encrypted over the internet

    • policy allows for 1 connection and is considered legacy

    • route-based allows for n number of connections as well as point to site which means you can setup connection to a single machineExpress Route gateway

  • Express Route

    • not over the internet

    • private peering

  • Network Security Group

    • built around a series of properties

      • Protocol, src/dest port, src/dest IP, name/desc, allow/deny, Service Tags, Application Security Group (e.g. if this NIC is applied with the tag "SQL" then apply these rules)

      • These are then linked to subnets

  • Azure Firewall

    • A storage account might have its' own firewall

    • you might have a vnet with a subnet and you want to be able to connect to that storage account

    • you might create a service endpoint and then configure the firewall to allow that subnet service to connect

    • If you have a second storage account that you want to be able to use from other networks.. you might have a private endpoint, which is an ip address in the subnet that is given permissions to communicate with the storage account

    • Basic and standard DDoS protection

      • You can create a standard plan and then link it to multiple VNETs

      • The basic plan is free

Storage Account

  • Lives in a region and has a certain redundancy

  • Locally Redundant Storage (LRS) - Spread across a single AZ in a single region

  • Zone Redundant Storage (ZRS) - Spread across 3 AZs in a single region

  • Geo Redundant Storage (GRS) - Spread across a single AZ in multiple regions

    • Paired asynchronously to remote region

  • Geo Zone Redundant Storage (GZRS) - Spread across 3 AZs in primary region and paired region

    • Paired asynchronously to remote region

  • Blob

    • Block - stored in containers and they are flat (no true folders or directory)

      • You can ADLS gen 2 on top

    • Page - good for read/write

      • Disks

        • STD HDD

        • STD SSD

        • Premium SSD - requires "s" version of VM

        • Ultra Disk - requires "s" version of VM

    • Append - good for logging

  • Files

    • SMB or NFS Shares

    • Azure File Sync would allow you to sync on-prem file servers to that cloud share

  • Tables

    • Key:Value schemaless storage

  • Queue

    • FIFO

  • Hot/Cool/Archive (offline) storage

    • Lifecycle management helps move data between storage levels and or delete it

Databases

  • Azure SQL Database (PaaS)

    • Hyperscale, Serverless, Regular, Standard, Business Critical

  • Azure SQL Managed Instance (MI)

    • Compatibility

  • Postgresql

  • mySQL

  • CosmosDB

    • Multiple models

      • Cassandra, graph, etc

      • Typically you have a single read/write and multiple read replicas, but with CosmosDB you get to pick the consistency

        • Strong, bounded staleness, session, etc

  • IoT

    • Azure IoT Hub

      • Register devices known to this service

      • Exposes SDKs that can then be used in your apps to get information

    • Azure IoT Central

      • Sits on top of Hub, but adds dashboards

Data Service

  • ADLS Gen 2 sits on top of blob

  • Azure Data Factory is the orchestration tool

    • For transformation, HDInsight hooks into open-source frameworks such as Hadoop, Spark, Kafka

      • There is also databricks, which is fully managed and built off of Apache Spark

  • Azure Synapse Analytics

    • Brings everything into a single workspace, but it uses the above components behind-the-scenes

AI Services

  • Azure Machine Learning

    • Platform for predicting that uses your data, models, etc

  • Azure Cognitive Services

    • Prebuilt models for vision, language, speech, etc

  • Azure Bot Service

DevOps

  • Azure Devops

    • Repos, boards, pipelines, artifacts, test plans

  • Github

    • Repos, actions, projects

Costs

  • Is it running? How many? Serverless? Storing data? Capacity? Transactions?

    • Deallocate, autoscale, tear down RGs

  • Azure Advisor

  • Azure Reservations

    • If you commit to microsoft for 1-2-3 years then you will get a discount for that resource

  • Hybrid Use Benefit

    • e.g. SQL Licensing

  • Azure Spot VMs

    • Microsoft doesn't want idle VMs just sitting around, but at the same time they need capacity for customers who want to provision a lot of resources all at once

    • You can use a Spot VM that has a % chance of evicting you if another customer needs the capacity, but it will be resumed after the fact

      • This could save you a lot of money

  • Total Cost of Ownership (TCO) calculator

    • Tell it what you spend today on-prem vs Azure

Azure Monitor

  • AAD has sign-in logs, audit logs.. subscriptions have activity logs.. resources have metrics.. this all gets stored in Azure Monitor automatically

  • You can create alerts along with action rules that can call an action group, which might send an sms/email or make a call to a logic app

SLAs

  • 99.9% availability means you can be down for up to 10 minutes per week

    • 99.95% would be 5 minutes

    • 99.99% would be 1 minute

Security

  • Identity/Access

  • Perimeter - protect against DDoS

  • Network - NSGs, everything should be blacklisted by default and then you give permissions where necessary

  • Data encryption

  • SQL injection

  • Azure Security Center is now called Microsoft Defender for Cloud

  • Azure Sentinel sits on top of Azure Analytics workspace and use machine learning to detect anomalies

    • It also has the capability to perform actions such as disabling an AD account or calling a logic app

https://www.youtube.com/watch?v=tQp1YkB2Tgs