AZ 900 preparation slides for Microsoft certification

Shruthi249397 245 views 254 slides May 01, 2024

About This Presentation

AZ900


Slide Content

About the
AZ-900 exam

AZ-400 AZ-305
AZ-900
AZ-900 exam
Why AZ-900?
Foundational certification in Azure.
Starting point to all additional exams.
Future proof, great job opportunities.
AZ-104 AZ-204 AZ-500
Foundational
Associate
Expert

Why AZ-900?
Foundational certification in Azure.
https://learn.microsoft.com/en-us/certifications/exams/az-900
What is covered?
Exam topics are always kept up-to-date.
Questions
Demos
Not needed for the exam.
Passing Score
700 / 1000
Goal
Clear exam with ease.
Starting point to all additional exams.
Future proof, great job opportunities.
Understanding the main services in Azure.
What is the service about? What is the service used for?
Knowledge-based exam. Not how to configure!
Help with memorizing.
Give you practical foundation.
After this course you will be able to achieve a score of 900+
Practical foundation to start working with Azure.
AZ-900 exam

How to
Master the exam

Free trial account
https://learn.microsoft.com/en-us/certifications/exams/az-900
Exam overview
Questions
Not needed for the exam.
Understanding the main services in Azure.
Help with memorizing.
Give you practical foundation.
Master the exam
Exam duration
Seat time: 65min
What is the service about? What is the service used for?
Questions time: 45min
~ 45–60 questions
Which Azure feature allows you to prevent resources
from being accidentally deleted?
❑Azure Policies
❑Azure Locks
❑Azure Tags
❑Azure Key Vault
If you want to quickly provision a group of identical
and load-balanced virtual machines but you don't
want to configure them individually which service
would you use?
❑Azure virtual machine scale set
❑Azure virtual machine elastic groups
❑Azure ExpressRoute
❑Azure VM network

Free trial account
https://learn.microsoft.com/en-us/certifications/exams/az-900
Exam overview
Questions
Exam sandbox
Not needed for the exam.
Understanding the main services in Azure.
Help with memorizing.
Give you practical foundation.
Master the exam
Exam duration
Seat time: 65min
What is the service about? What is the service used for?
Exam time: 45min
~ 45–60 questions
https://aka.ms/examdemo

Go through lessons
Take all quizzes
Practice Test
Book the exam
Step-by-step
Evaluate your knowledge and your weaknesses
~ 30-60 min / day
Practice and test your knowledge
Recipe to clear the exam
Summaries
At the end of each module
Go through the relevant lectures again to eliminate weaknesses
Remember the important points
Prepared, be confident!
incl. Demos
https://learn.microsoft.com/en-us/certifications/exams/az-900

What is
Cloud
Computing?

Azure Cloud Computing
•Azure is a Cloud Computing Platform
•Offers SERVICES
•Compute services
•Storage services
•Database services
•Software services

Consumption-based pricing
Computing Storage
"Pay-as-you-go"
Server, infrastructure, staff etc.
Build own data center
Compute, storage, etc.
Rent service from cloud provider
Azure Cloud
01 02

CapEx vs. OpEx
High upfront cost,
Own infrastructure, hardware cost
Capital Expenditure (CapEx)
Operational Expenditure (OpEx)
No upfront cost,
Product or services, that can be paid when used ("rented")
Expenses will be deducted over time
Expenses can be immediately deducted
01
02
Own data center
Azure "Pay-as-you-go"
Examples: Buying server
Examples: Azure Cloud,
Monthly payments (employees, electricity, software licenses)

Benefits of the cloud
Scalability
Ability to handle increased load
•Vertical scalability:
•Horizontal scalability:
Scale up
Scale out
More CPU per VM
More virtual machines
High Availability
Continuous functioning of services
•Access to services for a high percentage of time
•E.g. 99.9% availability = 0.1% downtime

Benefits of the cloud
Reliability
Ability of a system to recover
from failures and continue to
function
Predictability
Predictable cost and performance
•Global deployment and redundancy options
•Functioning even in catastrophic events
•Automatic shifting from one region to another
•Performance aims at positive customer experience
•Autoscaling, balancing traffic
•Transparent pricing, pricing calculator, trackable cost

Benefits of the cloud
Security
Architected to handle security
Governance
Support of Governance and Compliance
•Security can be fully managed
•Updates can be automatically applied
•Can handle Distributed denial of service (DDoS) attacks
•Templates ensure corporate standards and governmental regulations
•Updates can be applied when standards change

Benefits of the cloud
Manageability
Ability to manage cloud
resources
•Autoscaling options
•Pre-defined templates, no need for manual configuration
•Automatic alerts
•Monitoring of the health of resources and replacement if
necessary
Management of the cloud
•Azure Portal
•Command line interface
•APIs
•PowerShell
Management in the cloud

Own "cloud" / own data center
Public Cloud
Azure Cloud – Most common model
Private Cloud
Hybrid Cloud
Combination of both
Cloud models

Public Cloud
Cloud models
No CapEx – only OpEx – Consumption-based pricing
Infrastructure owned by cloud provider
Shared hardware that everyone can use
Cloud benefits apply
Azure Cloud – Most common model
Same configuration options available
No absolute control over infrastructure

Private Cloud
Private data center
Cloud models
Hardware is owned by the company
Complete responsibility for hardware, security etc.
In special situations (e.g. legal / compliance reasons)
Capital Expenditure (CapEx) applies
Control all aspects of hardware

Hybrid Cloud
Combination of Public & Private
Cloud models
Example: Hosting an app service with computing from cloud
Data is stored on an on-premise database
Combination of CapEx & OpEx
Can be expanded flexibly: From Public ⇒ Hybrid
From Private ⇒ Hybrid
Some (critical) resources are owned
others are used from the Public cloud

Platform-as-a-Service
IaaS
Infrastructure-as-a-Service
PaaS
SaaS
Software-as-a-Service
Cloud service types

IaaS
Infrastructure-as-a-Service
Cloud Services
Most flexible type of services
Renting of hardware / infrastructure (servers, storage, etc.)
Pay-as-you-go
Maximum control / special custom applications
Virtual machines
Storage
(BLOB storage, Azure Files)
Networking
(Virtual Networks, Load Balancers etc.)
Highest responsibility

Information and data
Devices
Accounts & identities
Identity & directory infrastructure
Applications
Network controls
Operating systems
Physical hosts
Physical network
Physical data center
Responsibility always with
CUSTOMER
Responsibilities
Responsibility
VARIES
Responsibility transfers to
CLOUD PROVIDER
CUSTOMER
CLOUD PROVIDER

PaaS
Platform-as-a-Service
Cloud Services
Environment to develop and deploy applications
No hardware configuration required
Pay-as-you-go
Reduce the administrative effort
Hardware fully managed by Azure
Azure SQL database Cosmos DB Azure App Service Container Service

Information and data
Devices
Accounts & identities
Identity & directory infrastructure
Applications
Network controls
Operating systems
Physical hosts
Physical network
Physical data center
Responsibility always with
CUSTOMER
Responsibilities
Responsibility
VARIES
Responsibility transfers to
CLOUD PROVIDER
CUSTOMER
CLOUD PROVIDER IaaS PaaS

SaaS
Software-as-a-Service
Cloud Services
Only the end application is used
Application is not developed – but only configured
Infrastructure remains invisible to customers
Pay-as-you-go model
Microsoft Office 365, Outlook, Microsoft Planner
No installation needed

Information and data
Devices
Accounts & identities
Identity & directory infrastructure
Applications
Network controls
Operating systems
Physical hosts
Physical network
Physical data center
Responsibility always with
CUSTOMER
Responsibilities
Responsibility
VARIES
Responsibility transfers to
CLOUD PROVIDER
CUSTOMER
CLOUD PROVIDER IaaS PaaS SaaS

Azure Portal
Browser-based graphical user interface
Can be accessed with any device that has a browser

Consumption-based model
✓Pay only for what is used.
✓No upfront investment / infrastructure necessary.
⇒Pay per minute/day/execution/operation/volume
Storage
Functions
$0.01 per GB / per month
✓Resources that are no longer needed, no longer need to be paid.
Per execution

Summary
✓Cloud Computing: Services through the internet
✓Benefits of the cloud:
High Availability
Continuous functioning of services
Scalability
Ability to handle increased load
Reliability
Ability of a system to recover from
failures and continue to function
Predictability
Predictable cost and performance
Security
Architected to handle security
Governance
Support of Governance and Compliance
Manageability
Ability to manage cloud resources

Summary
✓CapEx: Upfront cost & own infrastructure
OpEx: No upfront cost & "pay-as-you-go"
✓Public Cloud: Shared hardware, services from the internet
Private Cloud: Own private data center, absolute control (can be connected to internet)
Hybrid Cloud: Combination of both, can come from public & private
✓IaaS: Most control, VMs, Storage, Networking like VNets
PaaS: Mostly managed, less administrative effort, Databases, App Service
SaaS: Use only the end product, no installation, only configuring, email provider, Office 365 etc.

Summary
✓Consumption-based model: No upfront cost, pay only for what you use

Regions
Region consists of one or multiple data centers
within a specific radius
e.g. North Europe, West Europe, Germany West Central
Connected via low-latency network
Resources are deployed to regions

Availability Zones
Designed to achieve redundancy and fault tolerance
Most of the regions support availability zones but not all of them

Availability zones
Availability zone 1 Availability zone 2
connected
Independent
Region
Physically separate locations within each Azure region

Availability zones
✓At least 3 availability zones per availability zone supported region
✓Connected via a high-performance / low-latency network
✓Independent power, cooling, and networking infrastructure
✓Designed to keep regions up in the event of a disaster
✓Creating redundancies

Availability zones
Physically separate locations within each Azure region

Availability zones
•Earthquakes,
•hurricanes,
•other natural or man-made disasters
How to manage risks toward entire regions?

Availability zones
A B
Geo-Replication
Sequential updates (only in one region at a time)
High availability & Reliability

Region pairs
Factors involved in placement:
•Data residency
•Compliance
•Geo-political
•Internet latency
Region pairs:
•Far enough to be isolated: > 300 miles
•Placed in the same geography
⇒Region pairs: Recommended region for replication
Geography
•Discrete market
•Maintaining data residency and compliance
•Withstand region failure

Region pairs
(*) Certain regions are subject to access restrictions
Geography | Region Pair A | Region Pair B
Asia Pacific | East Asia (Hong Kong) | Asia Southeast (Singapore)
Australia | Australia (East) | Australia Southeast
Australia | Australia, Central | Australia, Central 2*
Brazil | Brazil South | USA South Central
Brazil | Brazil, Southeast* | Brazil South
Canada | Canada, Central | Canada East
China | China North | China East
China | China North 2 | China East 2
Europe | Europe North (Ireland) | West Europe (Netherlands)
France | France, Central | France South*
Germany | West-Central Germany | North Germany*
India | India, Central | India (South)
India | India, West | India (South)
Japan | Japan East | Japan, West
Korea | Korea, Central | Korea South
North America | US East | US West
North America | US East 2 | US Central
North America | US North Central | US South Central
North America | US West 2 | US West Central
Norway | Norway, East | Norway, West*
South Africa | South Africa, North | South Africa, West*
Switzerland | Switzerland, North | Switzerland, West*
UK | UK, West | UK, South
UAE | UAE, North | UAE, Central*
US Department of Defense | US DoD, East* | US DoD, Central*
US Government | US Gov Arizona* | US Gov Texas*
US Government | US Gov Iowa* | US Gov Virginia*
US Government | US Gov Virginia* | US Gov Texas*

Sovereign Regions
Separate from Public Cloud:
•Isolated from the main instance of Azure
•US Government, US DoD Central
•China
•Very strict compliance or legal requirements

Sovereign Regions
US Government
•Isolated from the main instance of Azure
⇒https://portal.azure.us
•Meets the most complex compliance standards.
•Only US Government and its partners can use it
•From state to local government + partners
•Operated by screened U.S. personnel

Sovereign Regions
China
•More complex regulations to operate in China
•Data centers are not maintained directly by Microsoft
•Maintained by Microsoft partner: 21Vianet
•Separate instance: https://portal.azure.cn

Resources &
Resource groups

Resources & Resource groups
Resources
•Instances of services that you create
•Example: Virtual machines or SQL databases
•Deployed to a region
Resource group
•Container of resources
•Management layer: Configure/delete resources
•Permissions are inherited (Tags are not inherited)
•Region of resource can be different from the region of resource groups
•Contains only metadata
US East
Germany West
Possible!
US West
US North

Resources & Resource groups
Resource group
•Container of resources
•Management layer: Configure/delete resources
•Region of resource can be different from the region of
resource groups
•Contains only metadata
•Cannot be nested
Not possible!

Resources & Resource groups
Resource group
•Container of resources
•Management layer: Configure/delete resources
•Region of resource can be different from the region of
resource groups
•Contains only metadata
•Cannot be nested
•Deleting group deletes
all contained resources
Deletes ALL resources
in the resource group

Subscription and
management groups

Subscription and management groups
Azure Account
Subscription 1
Subscription
Resource groups
Resources

Subscription and management groups
Azure Account
Subscription
Subscription 1 Subscription 2 Subscription 3
Resource groups
Resources

Subscription and management groups
Azure Account
Management groups
Subscriptions
Resource groups
Resources
IT Department HR Department
Subscription 1 Subscription 2
Finance Department

Subscription and management groups
Azure Account
Management groups
Subscriptions
Resource groups
Resources
IT Department HR Department
Subscription 1 Subscription 2
Finance Department
BI-Team Data Science

Subscription and management groups
Resources
e.g. databases, virtual machines,
blob storage etc.
Management of resources
Resource groups
Account can have multiple
subscriptions
Subscriptions
This is where billing takes place
Cannot be merged
Environment: Test, Dev, Prod
Organizational structure
Billing purposes
Management groups
Management of subscriptions & policies
Can be moved to other subscriptions
Can be nested

Summary
Region
Multiple data centers connected within a radius via a dedicated regional network with low latency.
Geography
Area in the world with at least one region; defines its own market; data residency and compliance boundaries are preserved.
Availability Zone
Physical locations within a region consisting of at least one data center with independent power, cooling, and networking.
Region pairs
Two regions from the same geography

Summary
Resources
e.g. databases, virtual machines, blob storage etc.
Resource groups
Management of resources
Subscriptions
This is where billing takes place
Management groups
Governance (e.g. via policies) across subscriptions

Compute
Service

Compute Services
Provision of computing power on demand
•Azure VMs + Scale Sets + Availability Sets
•DevTest Labs
•Azure Virtual Desktop
•Azure Container Instances
•Azure App Service
•Azure Functions + Azure Logic Apps (or serverless computing)
Computing power to run applications/code in the cloud

Virtual Machines (VMs)
Software emulations of physical computers/servers
Virtual Processor
Virtual storage
Virtual memory
Operating system (Windows / Linux etc.)
IaaS
Infrastructure-as-a-Service
All software is fully customizable
Use case:
Missing physical server

Virtual Machines (VMs)
•Control of operating system
•No need of buying hardware
•Possibility to run custom applications
Benefits
⇒It is necessary to configure, update, and maintain all software that runs on the VM
✓Create and use images: Template with preconfigured OS and software

Load Balancers
Set of VMs
Traffic

Load Balancers
Load Balancer
Set of VMs
Traffic
✓Load balancer distributes traffic
✓Increase the availability and network performance

Virtual Machine Scale Sets
Deploy a group of identical VMs
All VMs in a VM scale set are configured the same
Facilitates the creation of large resources that rely on high
computing power
Manual or automatic adjustment to demand (scaling)

Virtual Machine Scale Sets
Load Balancer
Set of VMs
Traffic
✓Load balancer distributes traffic
✓Increase the availability and network performance

Virtual Machine Scale Sets
Load Balancer
Set of VMs
Traffic
✓We could add additional VMs manually

Virtual Machine Scale Sets
Load Balancer
Virtual Machine Scale Sets
Traffic
✓We could add additional VMs manually
VM Scale Sets: Set of auto-scaling, load balanced, identical VMs

Availability Sets
Availability sets group VMs inside a single data center
Connected cooling, powering, networking
Updates
Update Domain
Fault Domain
Availability Zone: Protection from entire data center failure
Availability sets: Protection against failure within a data center (rack-wide failure)

Availability Sets
Availability sets group VMs inside a single data center
Update Domain
Fault Domain
Can be rebooted together
Independent cooling, powering, networking
Fault Domain 0 Fault Domain 1

Availability Sets
Availability sets group VMs inside a single data center
Update Domain
Fault Domain
Can be rebooted together
Independent cooling, powering, networking
Fault Domain 0 Fault Domain 1
UD 0
UD 1
UD 0
UD 1
VMs will be automatically distributed across FD and UD

Availability Sets
Guaranteed availability:
Update Domain
Fault Domain
Can be rebooted together
Independent cooling, powering, networking
2 or more VMs within Availability Sets: 99.95%
2 or more VMs across 2 Availability Zones: 99.99%
Fault Domain 0 Fault Domain 1
UD 0
UD 1
UD 0
UD 1

DevTest Labs

DevTest Labs
Pre-configured VMs with pre-installed development tools
DevTest Lab users can easily & quickly create VMs
Use-cases: Development, testing, training
Idea: Provide easy access to creating VMs for development and testing
Developers
Create VMs
To control cost: Need to follow defined policies

Azure Virtual Desktop
Centralized security:
Operating system, apps and data are separated from
your local hardware
Risk of confidential data left on hardware is avoided
Independent from hardware
Access to application or to entire desktop
Cloud security features like MFA
Benefits

Azure Virtual
Desktop

Azure Virtual Desktop
We can access a cloud-hosted version of Windows from
•any location
•any device and
•any operating system
Desktop and app virtualization – accessible through a browser
Multiple operating systems are possible:
•Windows 10,
•Windows 7,
•Windows 11,
•Windows Server
Allows multiple concurrent user-sessions

App Service

App Service
Programming in many languages e.g. .NET, .NET Core, Java, Ruby, Node.js, PHP or Python
Focus on development of application without worrying about the infrastructure
Managed security & autoscaling
Pay only for compute resources used, according to the selected app services plan (Free, different paid ones)
Continuous deployment, e.g. via Azure DevOps
Platform-as-a-service to deploy and host web applications

Container
Services

Container Services
Application development moving towards microservices
One complex application / service
Messaging
Registration
API Gateway
Database service
Loosely connected
microservices
Environment?
Enables rapid delivery
of complex applications
Python?
Java?
Operating system?
Libraries?
Environment
can be complex
to manage

Container Services
Containers package software for deployment
One complex application / service
Messaging
Registration
API Gateway
Database service
Microservice
is run within
container
Container
Java
Operating system
Libraries
Containers
package software
for deployment

Container Services
Containers package software for deployment
One complex application / service
Registration
Microservice
is run within
container
Container
Java
Operating system
Libraries
VMs are virtualization of physical hardware
Containers are virtualization of OS and software
✓Light weight
✓Can be started, scaled, ended very quickly
Container
A
✓We don't manage the OS (PaaS)

Container Services
Docker: One of the most popular container engines
Azure Container Instances (ACI):
•PaaS
•Fast and simple way to upload & run containers
•No need to manage a virtual machine

Azure
Kubernetes
Service

Azure Kubernetes Service
Azure Container Instances
Enables quick and easy deployment
and management of containers
without VMs
Azure Kubernetes Service
Manage and deploy containers at
scale
Open-source orchestration services
to deploy, manage, and scale
containers
Quickly create and scale containers
Container
A
Containers
at scale

Summary

Summary
Virtual Machines
Virtualization of physical server/computer
Infrastructure-as-a-service
All software + OS is fully customizable
Fully responsible to maintain all software
VM Scale Sets
Set of auto-scaling, load balanced, identical VMs
Availability Sets
Group VMs inside a single data center into Fault & Update Domains
Protection against failure within data center (rack wide failure)
DevTest Labs
Enables users to easily create pre-defined VMs for development and testing
Azure Virtual Desktop
Desktop and app virtualization – accessible through a browser
Allows multiple concurrent user-sessions
Operating system, apps and data are separated from your local hardware
Virtualization of different operating systems is possible

Summary
App Service
Platform-as-a-service
Deploy and host web applications
Managed security & autoscaling
Azure Container Instances
Containers package software for deployment
Platform-as-a-service
Fast and simple way to upload & run containers
No need to manage a virtual machine
Azure Kubernetes Service
Orchestration service to deploy, manage, and scale containers at scale

Serverless

Serverless
On-Premise
IaaS
PaaS
Serverless
What hardware is needed?
How can physical security be ensured?
Investment and scalability?
Is everything up-to-date?
Managing operating system
Monitoring applications
What size is needed?
How can auto-scaling be defined?
Server is invisible to the users
They completely focus on the code

Serverless
Serverless
✓Server is invisible to the users
✓They completely focus on the code
✓Focus on event-driven code
✓Events or triggers
✓Microbilling
✓No worry about scaling

Azure Functions
Serverless compute: Azure manages server infrastructure and allocates resources
Scaling is automated
Azure Functions:
Executes code when triggered (platform, infrastructure irrelevant)
Simple functions in response to an event or a trigger
Pay only for time spent running the code
e.g. HTTP request
Can be stateful or stateless

Use cases
✓Run code when a file is uploaded or changed
✓Run scheduled small tasks
Build event-driven systems
Many programming languages available

Logic App

Azure Logic App
Data modified
Send an email
New file
Copy file
Design a business workflow in a graphical way.
Used to schedule, automate and orchestrate tasks, business processes and workflows.
Trigger
Condition
Send an email as a response to a trigger.

Virtual
Networks

Virtual Networks
Infrastructure-as-a-Service
Enables resources to securely communicate with each other or with users over the Internet
Private network
Protecting data and
resources
10.0.0.1 10.0.0.2
10.0.0.0/16
Azure virtual network: Emulates a physical network in the cloud

Virtual Networks
Infrastructure-as-a-Service
Enables resources to securely communicate with each other or with users over the Internet
VNet
Protecting data and
resources
10.0.0.1 10.0.0.2
10.0.0.0/16
Azure virtual network: Emulates a physical network in the cloud

Virtual Networks
•Network traffic is isolated and segmented
•Defining a Private IP address space
•Every resource gets an IP address
•Communication with the Internet
•Communication between Azure resources
•Communication with local resources (cloud & on-premise coverage)

Virtual
Subnets

Virtual Subnets
VNet
Resources have very different requirements
⇒Need for further partitioning
⇒Organize and group resources in Subnets

Virtual Subnets
Private Subnet
VNet
Organize and group resources in Subnets
Public Subnet
Public subnet CAN access Private subnet



Public subnet CAN be reached from the public internet
Private subnet CANNOT be reached from the public internet

VPN Gateway

VPN Gateway
How to connect?
After migration: Hybrid cloud model
Data Center
VPN (Virtual private network): Use an encrypted tunnel to connect two or more networks
Azure Cloud (Vnet)
Cost-effective
Secure
over an untrusted network (public internet)

VPN Gateway
VPN tunnel
After migration: Hybrid cloud model
Data Center Azure Cloud (Vnet)
Encrypted
Site-to-site connection: On-premise datacenter to Azure virtual network
VPN Gateway
VPN device or gateway

VPN Gateway
VPN tunnel
Azure Cloud (US West) Azure Cloud (US East)
Encrypted
Site-to-site connection: On-premise datacenter to Azure virtual network
Network-to-network connection: Virtual network to another virtual network
VPN Gateway
VPN device or gateway
What if we need more bandwidth?

Express Route

Express Route
VPN tunnel
Azure Cloud (US West) Azure Cloud (US East)
Encrypted
VPN Gateway
What if we need more bandwidth?

Express Route
High bandwidth
Azure Cloud (US West) Azure Cloud (US East)
Private connection
What if we need more bandwidth?
Doesn't go over public internet
More reliable
More secure
Not encrypted
ExpressRoute: Extend on-premises networks into the Microsoft cloud
over a private connection with the help of a connectivity provider.

Private & public
endpoints

Private & public endpoints
20.0.0.1
VNet
10.0.0.1 10.0.0.2
10.0.0.0/16
Firewall
Public Endpoint
Allow range of IP addresses

Private & public endpoints
20.0.0.1
Firewall
VNet
10.0.0.1 10.0.0.2
10.0.0.0/16
Public Endpoint
Allow range of IP addresses

Private & public endpoints
VNet
PE1 10.0.0.2
10.0.0.0/16
PE1
20.0.0.1 ✘
Private Link
Azure Private Link: Enables private connection to Azure PaaS services (storage account, Cosmos DB etc.)
Private Endpoint: Uses private IP address from virtual network

Private endpoint brings the service into your virtual network.

Azure DNS

Azure DNS
https://microsoft.com
20.112.52.29
https://microsoft.com 20.112.52.29
DNS: Domain Name System
What is DNS?

Azure DNS
https://data-science-academy.com
22.152.18.93
https://microsoft.com 20.112.52.29
Azure DNS:
Provides name resolution by
using Microsoft infrastructure

Content delivery
network
(CDN)

Content delivery network (CDN)
Global network of servers that efficiently delivers web content to users
Long distances will result in higher latencies

Content delivery network (CDN)
Global network of servers that efficiently delivers web content to users
Long distances will result in higher latencies
Physical nodes strategically placed around the globe
1. Request is sent – file available?
2. File will be delivered: High latency!
3. File will be cached close to user
4. Next request: Low latency!
Better performance and user-experience
Edge server
PoP (Point of Presence)

Summary

Summary
Virtual Networks
Emulates a physical network
Traffic is isolated and segmented
Secure communication of resources
Cloud resources + local resources
Virtual Subnet
Further segmentation
Public subnet CAN be reached from
the public internet
Public subnet CAN access Private Subnet
Connects an Azure virtual network with an on-premise device or network
(Site-to-Site)
VPN Gateway
More bandwidth, more secure, and more reliable
ExpressRoute
Private subnet CANNOT be reached from the public internet
Use an encrypted tunnel to connect two or more networks over an untrusted
network (public internet)
Cost-effective solution
Extends on-premises networks into the Microsoft cloud.
Over a private connection with the help of a connectivity provider.

Summary
Private Endpoint
Uses private IP address from your virtual network
to bring PaaS services into your virtual network
Delivered via Azure Private Link
Private connection to Azure PaaS services
Azure DNS
Global network of servers that efficiently
delivers web content to users
Content delivery network (CDN)
Provides domain name resolution
by using Microsoft infrastructure

Storage
account

Storage accounts
Cloud solution for storing data
Account in which you have access to different types of storage services:
oBlobs (Containers)
oFile Shares (File shares)
oQueues (Queues)
oTables (Tables)
⇒There are other storage-related services (e.g. SQL databases)
⇒Most important data storage service
oAccess Tier (Hot, cool, archive)
oRedundancy options
oDisk Storage, File Sync, Data Transfer, Data Migration
oDatabase services

Redundancy
Options

Redundancy Options
Protect from planned and unplanned events
oAzure Storage always keeps multiple copies
oTrade-off:
Higher availability + durability vs. cost

Redundancy Options
Three copies within a single data center
Locally redundant storage (LRS)
Lowest cost & least durability
Protects data against server rack and drive failures
Disaster in the data center: Data may be lost
Three replications across three Availability Zones
Zone-redundant storage (ZRS)
Separate physical location
Protects data against disaster in a data center
Three copies using LRS in one region
Geo-redundant storage (GRS)
Paired region based on region pairs
Three copies using LRS in secondary region
Three replications across three Availability Zones (ZRS)
Geo-zone-redundant storage (GZRS)
Maximum durability, availability and consistency
Three copies using LRS in secondary region
Read-access per default only after failure (RA-)GRS
Protects from regional disaster
Read-access per default only after failure (RA-)GZRS

Blob Storage

Blob storage
(Binary Large OBject)
Solution to store massive amounts of unstructured data
⇒Can be any type of data: Images, documents, backups, videos
Containers are used to organize the files (like a folder)
Not hierarchical
Storage Account Container 1 File 1
File 2
File 3
Container 2 File 3

Access Tiers

Access Tiers
More expensive storage cost
Hot
Cheaper read/write operations
Good for frequently accessed data
Example: Images on a website
Cheaper storage cost than "Hot"
Cool
Good for infrequently accessed data
More expensive read/write operations
Cheapest storage
Cannot be read directly (offline tier)
Most expensive access cost
Example: Short-term backup
Older datasets
Must be rehydrated to cool or hot
before it can be accessed
Archive
Low latency Higher latency
Example: Long-term backup
Data Archiving
Default at account level: Hot or Cool

Queue storage

Queue storage
storing large numbers of messages
Create a backlog of work (messages)
Queue
Message 1
Message 2
Message 3
Processed
Dequeued
Queue 2
Message A

Azure Files

Azure Files
Managed file shares in the cloud
Can be mounted by cloud or on-premise
Can be accessed via Server Message Block (SMB) protocol
or Network File System (NFS) protocol
Replace or supplement on-premises file servers:

File Sync

File Sync
Sync data from on-premises to Azure Files
On-premises
Windows File Server
Cloud
Azure Files
Sync data
On-premises to Azure Files
How:
oInstall File Sync agent on Windows file server
oAdd it to Azure File Sync Deployment
Use-cases:
oSync data across multiple sites/offices
oDisaster recovery

Azure Tables

Azure Tables
NoSQL (non-relational SQL) database solution
oVery inexpensive (NoSQL) database service
oKey/attribute data storage without schema
oDesigned for high volumes of data
Redundancy options High availability
Storage Account
Tables Tables Tables
Rows = Entities
Attribute
Key
Attribute
employee_id first_name last_name
1 Frank Miller
Attribute Attribute
Use cases:
oStore large amount of structured data
oNo need for complex joins
oAlternative to Cosmos DB

Disk storage

Disk storage
Storage for virtual machines
Virtual Machine Storage
OS disk
data disk
Stop VM
Still pay for
storage
Containers (Blob Storage)
used for disks
Managed Disks
Unmanaged Disks
Standard HDD
Standard SSD
Premium SSD
Premium SSD
Types

AzCopy

AzCopy
Command-line tool to copy data to and from storage accounts
oCan be downloaded to Windows or Linux
oUsed within Azure Cloud Shell
oUpload, download, sync or transfer files and blobs
Command          Description
azcopy copy      Copies source data to a destination location
azcopy list      Lists the entities in a given resource.
azcopy remove    Delete blobs or files from an Azure storage account.
azcopy make      Creates a container or file share.
azcopy [command] [arguments] --[flag-name]=[flag-value]
azcopy copy 'file-link-with-sas-key' 'container-link-with-sas-key'

Azure
Migrate

Azure Migrate
Centralized platform that provides guidance and planning for migrations
Pre-migration steps
Discover
Servers Databases Virtual Machines
Web Apps Data
Assess Dependency analysis
Tools to help with migrations
Cost analysis

Data Box

Data Box
Device to transfer TBs of data in and out of Azure
Data upload can be very time consuming
Quick Inexpensive Reliable Secure
Data Box device
Regional carrier
Azure datacenter
Ordered via portal

Data Box
Use-cases
Order Receive device(s) Copy data Return Upload process
Workflow
oImport & export
o> 40 TB
oNo to limited network connectivity
❑One-time migration
❑Initial bulk transfer
❑Periodic incremental transfers

Azure
Marketplace

Azure Marketplace
oThird-party companies offer additional applications and services
oAccessed from within Azure portal
oEverything has been certified

Summary

Summary
Storage Account
Cloud solution for storing data
Redundancy options
Access Tier
Blob Storage
Solution to store massive amounts of unstructured data
Locally redundant storage (LRS) Zone-redundant storage (ZRS)
Geo-redundant storage (GRS) Geo-zone-redundant storage (GZRS)
Account that offers different storage services
Hot Cool Archive
Any type of data: Images, documents, backups, videos
Queue Storage
Storing large numbers of messages
Sync data from on-premises to Azure Files
Managed file shares in the cloud
Can be mounted by cloud or on-premise
Replace or supplement on-premises file servers
Azure Files
Azure Sync
Inexpensive NoSQL database service
Azure Tables
Basic structured data

Summary
Disk storage
Storage for virtual machines
AzCopy
Azure Migrate
Centralized platform with tools for planning migrations
Device to transfer TBs of data in and out of Azure
Data Box
Command-line tool to copy data to and from storage accounts
Still pay for storage
Containers (Blob Storage) used
Convenient tool to manage storage resources from Desktop
Storage Explorer
Trusted third-party companies offer additional applications
Azure Marketplace

Authentication
vs.
Authorization

Authentication vs. Authorization
Are you who you say you are?
Password
Proving that you are who you say
Authentication
Verification of identity
Multi-factor authentication
Granting permission to an
authenticated party
to do something
Authorization
Role-based access control (RBAC)
What is the authenticated
person allowed to do?

Azure
Active Directory
(Azure AD)

Azure Active Directory (Azure AD)
Azure's identity and access management service
Helps employees to access resources and applications
Resources Identities
Managed by
Azure AD
Microsoft 365
Authentication
Authorization
Azure portal
Users
Credentials
Groups
Multi-factor
authentication
Single-sign-on (SSO)
Guest access
Managed service -"identity-as-a-service"

Azure Active Directory (Azure AD)
Azure's identity and access management service
On-premises
Active Directory Azure Active Directory
Cloud
Sync
Azure Active Directory Free
Azure Active Directory Premium P1
Azure Active Directory Premium P2
Additional features
99.9% availability SLA
Plans

Azure Active Directory (Azure AD)
Azure's identity and access management service
Tenant Azure account Azure Active Directory Instance
= Organization Distinct identities & settings
Azure Active Directory Instance 2
Distinct identities & settings
Tenant 2

Single sign-on
(SSO)

Single sign-on (SSO)
Sign in with one set of credentials to multiple independent software systems
Software 1 Authentication
Authentication Software 2
Insecure + Inconvenient
Sign-in once
Software 1
Software 2
Azure AD
Easy to manage + more secure
(Single Sign-On)

Multi-Factor
Authentication

Multi-Factor Authentication
Additional method of authentication
nikolai.schuler@[...].com
Authentication
**********
Password can get found out!
Username:
Password:
2nd authentication factor
… Know
… Have
**********Password:
… Are
Something you …
One way:
Conditional Access

Passwordless
authentication

Passwordless authentication
Convenient Inconvenient
Insecure
Secure
Password
Multi-factor Passwordless

Passwordless authentication
More secure + more convenient
3 passwordless options
Windows Hello for Business
Microsoft authenticator app
Credentials connected to Windows device
App on user's phone
FIDO2 Security Key
Open standard for passwordless
Face recognition, 4-digit PIN
Push notification + PIN or biometrics
Hardware devices like finger print etc.
All supported by Azure AD!

Guest access

Guest access
Inviting external users
Internal users
Members of the organisation
External users
Not members of the organisation
From different tenant or not Azure users at all

Guest access
Inviting external users
External users
Administrator invites
Azure AD Admin
Self-service sign up
Guest users
Azure AD
Get permission to
Resources
B2B collaboration

Conditional
access

Conditional access
Including intelligent signals in access control decisions
USER
LOCATION
DEVICE
Access allowed
Block access
Limited access
MFA required
Password change
required
SIGNALS DECISION
BEHAVIOR

Conditional access
Including intelligent signals in access control decisions
oAdministrators always require MFA
Examples:
oUnusual location requires MFA
oUsers outside of the company's network generally require MFA
oAccess from specific countries is not allowed at all

Role-based
access control
(RBAC)

Role-based access control (RBAC)
Access management to resources
User
Group
WHO?
Security principal
Service principal
Authorization: Configure access for users and groups to resources
Example: Allow one user to manage all SQL databases in a resource group.
Owner
Reader
WHAT?
Role
Data Operator for
Managed Disks
Custom
General
Resource
specific
Custom
Management group
Subscription
WHAT SCOPE?
Scope
Resource group
Resource

oOne user gets assigned the role Reader to an entire resource group.
Examples:
oOne user group gets assigned the role Storage account contributor to three storage accounts.
Role-based access control (RBAC)
Access management to resources
Security principal Role Scope

Zero Trust

Zero Trust
Modern security principles
oVerify explicitly
oAssume breach
oUse least privilege access
Strategy: Follow these security principles:
Zero Trust mindset: “assume breach, never trust, always verify”
Use all data points and every opportunity to authenticate and authorize
Just-In-Time (JIT) and Just-Enough-Access (JEA)
Limit access to what is just enough
End-to-end encryption, network segmentation, analytics, threat detection, continuous monitoring, updates

Defense in depth

Defense in depth
Multiple layers of security
Physical building
Physical Security
Identity & Access
Perimeter
Network
Compute
Application
Data
Azure AD, SSO, MFA
DDoS Protection,
Perimeter firewalls
Limit communication
between resources
Secure access to VMs
Secure application design
Secure data storage, encryption

Subscription and management groups
Azure Account
Management groups
Subscriptions
Resource groups
Resources
IT Department HR Department
Subscription 1 Subscription 2
Finance Department

Microsoft Defender
for Cloud

Microsoft Defender for Cloud
Security tools for cloud and on-premises
Security score that
continuously assesses your
security situation
Azure cloud Multicloud
Security
recommendations
On-premises
Security posture
Recommendations as step-
by-step actions on how to
improve your security posture
Alerts
Continuous Assessment
Secure
Defend
Defends in real-time and
sends alerts
CSPM
Cloud Security Posture Management
CWPP
Cloud Workload Protection
Platform
Paid service
Free service
Two pillars of security

Microsoft Defender for Cloud
Security tools for cloud and on-premises
Security
recommendations
Security posture
Alerts
Continuous Assessment
Secure
Defend
oSecurity score = assessment of vulnerabilities
oRegulatory compliance
oAsset inventory
Paid service
Free services
oSecurity recommendations
oJust-in-time VM access
oAdaptive application controls
oSecurity alerts
oDefends and detects
oIntelligent threat detection

Summary

Summary
Azure AD
Multi-factor Authentication
Additional method of authentication
Secure + convenient
One set of credentials to sign in to multiple systems
Single sign-on
Passwordless
Proving that you are who you say
Authentication
Granting permission to an
authenticated party
to do something
Authorization
Free plan and premium plans (99.9% availability)
Managed service for identity and access management (Azure & O365)
Azure AD Connect: Sync on-premise Active directory & Azure AD
Authentication & Authorization
Distinct from other resources & services
Biometrics or trusted device
Sign in with one set of credentials to multiple independent software systems
Windows Hello for Business
Microsoft authenticator app
FIDO2 Security Key
Invite external users (guest users)

Summary
Conditional access
Including intelligent signals in access control decisions
Role-based access control (RBAC)
Defense in depth
Authorization: Configure access for users and groups to resources
E.g. Administrator needs to use MFA
Security principles: Assume breach, never trust, always verify!
Zero Trust
Allow one user to manage all SQL databases in a resource group
Microsoft Defender for cloud
Security tools for cloud (Azure + multicloud) and on-premises
Security score, security recommendations and alerts

Cost affecting
factors

Cost affecting factors
Usage metrics: How many operations, how much time,
how much storage?
Free resources Consumption model
Configuration
Resource type
How much CPU? OS type? Redundancy options?
Subscription type
Free trial Pay-as-you-go Enterprise Agreement
Usage
Region
Different prices depending on region
Reserved capacity
Discounts for 1-year, 3-year reservations for VMs
Bandwidth
Free: Inbound
Within same region
Not free: Outbound
Across different regions

Pricing
calculator

Pricing calculator
Calculate cost estimation for a planned project in Azure
Estimates
Configuration
Resource type
Subscription type
Usage
Region
Monthly or hourly
cost estimates
Cost estimation tool
Reserved capacity
Bandwidth

Total cost of
ownership
calculator

Total cost of ownership calculator (TCO)
Calculates the total cost of ownership & cost savings
On-premises
All costs combined
Saving potential
when migrating to the Azure cloud

Cost Management
and Billing
tool

Cost Management and Billing tool
Manage cost and usage of resources
oBreakdown of costs over time and by resources
oAnalyze costs
oSet budgets and alerts
oSee invoices
oManage billing options

Reducing costs

Reducing costs
Reserved instances
oDiscounts on reservation options
oPaying upfront for 1-year or 3-years
oBid for available capacity
oDeep discounts
oInstances can be interrupted without prior notice
Spot pricing
Hybrid Benefit
oIf you already have on-premises license
you can use it in the cloud
oChoose cost-effective OS
Delete unused resources
Deallocate VMs when not used
Migrate from IaaS to PaaS

Tags

Tags
How can we categorize resources?
oBy using resource groups
oUsing tags
Finance Reporting Marketing
Dev/Test Prod
USA India Germany
Department
Environment
Site
1002 1003
Cost Center

Tags
How can we categorize resources?
oUsing tags
Finance Reporting Marketing
1002 1003
Dev/Test Prod
USA India Germany
Department
Cost Center
Environment
Site
Name Values
Most typically used for billing purposes!
Resources can be filtered by tags

Tags
Tags are labels
oName–value pairs that can be applied to resources
oImportant for cost and billing
Group and categorize
Not inherited!
oTags are not inherited through hierarchy
Can be enforced
oCertain tags can be set to mandatory by Azure Policies

Summary

Summary
Cost factors
Cost saving options
Reserved instances
Calculates the total cost of ownership & cost savings
when migrating to the Azure cloud
Cost estimation tool to estimate cost for resources
Pricing calculator
TCO calculator
Subscription type, resource type, configuration, usage metrics,
region, reserved capacity, license discounts, bandwidth
bandwidth: inbound & within region free
outbound & inter-region not free
Hybrid benefit (license from on-premises)
Spot pricing
Delete unused resources, deallocate (stop) VMs
Migrate from IaaS to PaaS
Labels to categorize resources
Tags
Important for cost and billing
Will not be inherited
Can be enforced by Policies

Azure Policies

Azure Policies
Enforce standards and compliance
oResource consistency
oRegulatory compliance
oSecurity
oCost
oManagement
Examples
▪Some resource types can only
be created in one region
▪Enforcing specific tags
▪Allowing only specific VM sizes

Azure Policies
oCan be applied to different hierarchy level:
Management groups, subscriptions or resource groups
Policy initiatives
Grouping of a set of policies
Built-in policies, e.g. ISO standards

Azure Policies
How they work
Policy definition
▪Business rules (JSON format)
Policy assignment
▪Assign them to a given scope (e.g. subscription, management group)
Policy effect
▪E.g. Append (add tags automatically)
▪Audit (create a warning in the activity log when evaluated to non-compliant)
▪Deny (resource cannot be updated or created when non-compliant)

Azure Blueprints

Azure Blueprints
Defined package of reusable resources ARM template
Policies
Role assignments
Rapidly build new environments
HR Department Finance Department
Template
Governance framework that can be deployed easily
Ensures compliance
Resource groups
Define Assign
1. 2.
Subscription

Azure Locks

Azure Locks
Protect from accidental deletion and modification
Delete
Read-only
Can read and modify but not delete
Can read but not modify and delete
Works across all users and roles
Can be applied on … Subscription
Resource group
Resource
It will be inherited!
First the lock needs to be removed
before deleting resource
Multiple locks can be applied

Service Trust
Portal

Service trust portal
Privacy Statement
How Microsoft collects, processes, uses, and protects personal data.
Service Trust portal
A website that provides all documents around how Microsoft complies with
regulations, compliance and security
•Compliance certifications (like ISO 27001)
•Security: How data is encrypted and backed up
•And more

Summary

Summary
Policies
Blueprints
Define a package of artifacts that can be reused at large scale
Website that contains documentation and certifications about
how Microsoft complies with the relevant regulations
Prevent accidental deletion or modification
Locks
Service Trust Portal
Enforce standards that can be applied to
Management groups, subscriptions or resource groups
Important to comply with regulations and standards
Quickly build new environments with consistency
and set standards
Initiative: Group of policies
Applied to subscription level
Delete or Read-only
Multiple locks can be applied
Will be inherited
Privacy statement: How Microsoft collects and uses personal data

Azure Portal
Browser-based graphical user interface
Can be accessed with any device that has a browser

Azure Portal + Mobile App
Benefits
Graphical interface, easy to learn, easy to manage
Downsides
For bulk tasks it can be tedious
Not ideal for repeatable tasks and automation
Alternative: Azure CLI and Azure Power Shell
Azure Mobile App
Android + iOS
Limited options but it is mobile

Azure CLI + Azure Power Shell
•Command-line tools that allow you to create and manage resources
•Cross-platform, installable on Windows, MacOS and Linux
•Overlapping functionality
•Which one to choose: Depending on your previous experience and current work environment
Azure CLI
Azure CLI is similar to Bash scripting
If you mainly work with Linux systems, it feels more familiar
Azure Power Shell
If you mainly work with Windows systems, it's more natural
•Main difference: Syntax
You can use Windows Power Shell for Azure Power Shell
•Repeatable tasks, bulk creation/management

Azure CLI + Azure Power Shell
Command                     Azure CLI                   Azure PowerShell
Sign in with Web Browser    az login                    Connect-AzAccount
List VMs                    az vm list                  Get-AzVM
Get Help                    az --help                   Get-Help
List Azure Locations        az account list-locations   Get-AzLocation

Azure Power Shell Installation
Install-Module -Name Az -Scope CurrentUser -Repository PSGallery -Force

Azure CLI Installation
Can be installed and run from Windows Command Prompt or PowerShell
Uses az commands

Azure Cloud Shell
The easiest way to use Azure CLI and Azure Power Shell is
through the Azure Portal via Azure Cloud Shell
You need to mount a dedicated storage account to run

Azure Arc

Azure Arc
Hybrid and multi-cloud management solution
Azure
On-Premises
Google Cloud
Azure Arc
AWS
Edge
Managing multiple complex environments can be challenging
Centralized management platform for multi-cloud, on-premises and edge

Azure Arc
Hybrid and multi-cloud management solution
Unified experience:
•Project non-Azure and on-premises resources into Azure (ARM)
Management of the following resources:
•Consistent management, governance and security
•Servers
•Kubernetes clusters
•Azure data services
•SQL Servers
•Virtual machines

Azure Resource
Manager

Azure Resource Manager
Management layer to create, update, and deploy resources
Virtual Machine
SQL database
Functions
Azure
Resource
Manager
App Service
Virtual Network
Whenever you create a resource…
… it will be created through Azure Resource Manager!
Azure Portal
Azure CLI
PowerShell

Azure Resource Manager
ARM templates:
•Re-deploy existing solutions
•Bulk deployment
Management layer to create, update, and deploy resources
•Define dependencies

Summary

Summary
Azure Portal
Azure CLI + PowerShell
Cross-platform command-line tools
Managing hybrid and multi-cloud
Accessible through Azure Portal
Azure Cloud Shell
Azure Arc
Web-based graphical interface
Very easy to learn and navigate
Azure CLI scripting similar to Bash (az command)
Every device with a browser
Bulk deployment and repeatable tasks
Access PowerShell and Azure CLI conveniently
Centralized platform for consistent management, governance and security
Mobile App: Convenient but limited functionality
Management layer to create, update, and deploy resources
Azure Resource Manager
ARM templates: Re-deployment, bulk-deployment, and define
dependencies

Azure Advisor

Azure Advisor
Offers actionable, personalized recommendations
Free and personalized guide to best practices
•Analyzes your resources and gives actionable step-by-step recommendations
✓Security
✓Cost
✓Reliability
✓Performance
✓Operational Excellence
•Cloud score about how well-architected your workloads are

Azure Service
Health

Azure Service Health
Informs you about the health of your resources
•Azure Status: Global view of the health of all services
incl. planned maintenance and service-impacting events
✓Planned maintenance
✓Outages
✓Other issues impacting your services
•Service Health: Personalized view of the health of services you are using
Best place to look for events that affect our services
Understands which services you are using.
•Resource Health: Specific information about your resources (e.g. specific instance of VM)
Alerts can be configured to be notified
status.azure.com

Azure Monitor

Azure Monitor
Monitor availability and performance of applications and services
Collect and analyze performance data and logs
Cloud On-premises
Data Platform
Logs, metrics, changes
Data Sources
Applications
Infrastructure
Custom
Insights
Visualize
Analyze
Respond
Integrate
Alerts
Metrics: Numerical values over time
E.g. CPU utilization
Logs: Events that happened at a time
Changes: Series of events
Graphs
Can be analyzed with queries in
Log Analytics
Change Analysis sends alerts based on
changes
Application Insights: Monitors the performance and usage of your web applications

Summary

Summary
Azure Advisor
Azure Service Health
Azure Status: Global view
Monitor performance, availability and usage of services
and applications
Azure Monitor
Personalized and actionable recommendations
Free guide to best practises
Service Health: Personalized view on health of
used services
Resource Health: Health of your resources
Activity log, alerts, and application insights

Final tips &
booking the exam

Final tips
Take the practice test
Exam details
Exam duration: 65 min (45 min for exam itself)
Have your space prepared
Recommendations
Evaluate your weaknesses
Work on the sample questions provided by Microsoft
40-60 questions of different types
Passing score: 700 / 1000
Read questions carefully
Results are immediately displayed and sent by email
Canceling or rescheduling at least 24 hours before exam
Eliminate wrong answers and guess if necessary
Remember questions for later