discord and hyperbole

Azure Fundamentals

Posted on Oct 16, 2019

I have decided to pursue some Azure certifications to improve my understanding of Microsoft Azure and demonstrate some expertise. I generally like to start these types of efforts at the beginning, which means revisiting the fundamentals to ensure I have a good foundation. So, for this particular journey, that means starting with the Azure Fundamentals certification by taking the AZ-900 exam. To keep it interesting, I thought I might take notes on the process here as I prepare for and take the exam.

Exam Prep

Notes and course material by module:

Module 1: Cloud Concepts - Principles of cloud computing
Module 2: Core Cloud Services - Introduction to Azure
Module 3: Core Cloud Services - Azure architecture and service guarantees
Module 4: Create an Azure account
Module 5: Core Cloud Services - Manage services with the Azure portal
Module 6: Core Cloud Services - Azure compute options
Module 7: Core Cloud Services - Azure data storage options
Module 8: Core Cloud Services - Azure networking options
Module 9: Security, responsibility and trust in Azure
Module 10: Apply and monitor infrastructure standards with Azure Policy
Module 11: Control and organize Azure resources with Azure Resource Manager
Module 12: Predict costs and optimize spending for Azure
Other Prep: Skills measured

Test Day


My approach was to start by working through the free training Microsoft provides. I have taken some notes to summarize those modules below.

Module 1: Cloud Concepts - Principles of cloud computing

This module starts off by introducing the idea of cloud computing as a utility, similar to electricity. Cloud providers typically offer compute power, storage, networking, and analytics. Compute offerings include VMs, containers, or serverless options. Storage offerings can scale based on need. Cloud computing can be flexible and cost efficient. It is based on a pay-as-you-go model. Cloud resources can scale vertically (adding more CPUs or memory) or horizontally (adding more servers). Cloud resources are elastic, so they can scale up and down as needed. Cloud computing is also current, reliable, and secure. Cloud providers can help with compliance with regulations and standards (the module includes a list of compliance offerings). Cloud spending will be operational expenses (OpEx) rather than the capital expenses (CapEx) of traditional on-premise offerings.

Cloud deployment models define where your resources are stored and how your customers interact with them. You can choose public cloud (everything in the cloud), private cloud (everything on premise), or hybrid (some things in the public cloud, some in the private cloud) models. In addition to cloud deployment models, there are three types of cloud services: infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS), and software-as-a-service (SaaS). IaaS is akin to renting hardware from a cloud provider to run your systems, but you are still responsible for managing the operating systems, etc. PaaS, on the other hand, is a complete environment into which you can deploy your applications. With SaaS you are basically using software in the cloud over the web on a subscription service. The module ends with a quick quiz (knowledge check) and a summary.

Time to Complete
Estimated 1 hr 2 min
Actual 46 min

Module 2: Core Cloud Services - Introduction to Azure

This module introduces Azure, Microsoft’s cloud computing platform. A quick video describes how Azure works at a high level, introducing the concept of virtualization with a hypervisor, and the fundamental orchestrator and fabric controller architecture that powers Azure. A quick overview of Azure services lists the most commonly used: compute, networking, storage, mobile, databases, web, internet of things, big data, AI, and DevOps. You receive a brief description of each of these services before jumping in to create your own website. This will be done in an App Service, which is an HTTP-based service that you can use to host web-based solutions without needing to manage infrastructure.

Following along with the tutorial, we activate our development sandbox, log in to the Azure Portal, and create a resource. We choose ‘WordPress’ to create a WordPress app and hit ‘Create’. The tutorial gives you some values to enter. Make sure to read all the steps first, because you need to create a new service plan. If you try to create the app using the pre-filled service plan, it will fail. Once everything is configured, hit ‘Create’ and wait for your app to deploy. Once deployment is complete, go to your resource in the Azure portal. The overview page will show you the URL for it. Follow that to see your WordPress site up and running. After launching our site, we are invited to revisit the app in the portal. Looking at the overview page, we can see some graphs about the usage of our site: number of requests, data-in and data-out, etc. If we wanted to scale up our app service to handle more load, we can do this with the scale-up option found in the app service’s settings. (This would involve choosing a different pricing tier than we set in the original configuration.)

Finally we learn a bit about Azure Cloud Shell, which is a browser-based CLI for programmatically managing your Azure resources. The module runs us through some commands to list different Azure resources associated with our subscription and eventually start and stop our app service from the command line. Again, the module ends with a quiz and summary.

Time to Complete
Estimated 36 min
Actual 59 min

Module 3: Core Cloud Services - Azure architecture and service guarantees

Azure is effectively a bunch of data centers located around the world. Rather than expose any one specific data center to users, though, they are grouped into regions, which are geographical areas that contain at least one data center. When you create a new resource, you assign it to a region, and Azure will intelligently manage the resource within that region to optimize service. In addition to regions, Azure has what are called geographies, which are groups of regions aligned to geopolitical or country borders. These are helpful for fault tolerance (if a region in a geography fails) and to meet regulatory and compliance requirements. The geographies are: Americas, Europe, Asia Pacific, and Middle East/Africa. Azure also has availability zones, which are independent data centers within regions that are connected by high-speed fiber optic cables. If one zone goes down, the others continue working. Note: not every region currently supports availability zones, but the list that does is expanding. For high availability, you can host your resources in one zone and replicate them to another for redundancy. In addition to availability zones within regions, all regions also have region pairs, which are other regions at least 300 miles away that can also be used to replicate resources (in case a large enough problem could take down an entire region).

Service-level Agreements (SLAs) are Microsoft’s commitment to providing customers with specific performance standards. They have three characteristics: performance targets, uptime and connectivity guarantees, and service credits (which represent credits the customer receives if the guaranteed levels of service are not met). SLAs combined across services are called composite SLAs. You can calculate composite SLAs based on the individual SLAs of the components and how they interact in your specific architecture. You can set your own expected performance targets for the applications you run in Azure by creating an Application SLA. As failures are inevitable, we should aim for resiliency instead of failure avoidance. Resiliency is the ability of a system to recover from failure and continue to operate. To design for resiliency we should start with a Failure Mode Analysis (FMA) to identify possible points of failure and how the application will respond to them. Availability is the amount of time a system is functioning and working. Maximizing availability in a system often incurs costs, both monetarily and by the addition of complexity to the system. You should consider how critical availability is to each of your systems to know how to manage these tradeoffs.
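A worked version of the composite SLA arithmetic described above, added here as an example (not from the course or the post). The availability figures for the web tier, database and fallback queue are constructed for illustration, and the math assumes the components fail independently of one another.

```python
"""Composite SLA arithmetic for an architecture built from several Azure services.

Added example; the availability figures below are constructed for illustration
and are not taken from any Azure SLA document. All formulas assume the
components fail independently, which real shared dependencies can violate.
"""
from math import prod

MINUTES_PER_MONTH = 30 * 24 * 60  # 43,200; a 30-day month is assumed


def composite_series(*availabilities):
    """Services that must ALL be up (a request traverses each one in turn).

    Availabilities multiply, so the composite is always lower than the weakest part.
    """
    return prod(availabilities)


def composite_parallel(*availabilities):
    """Independent alternatives where ANY one being up keeps the path working.

    The path fails only if every alternative is down at the same time.
    """
    return 1 - prod(1 - a for a in availabilities)


def allowed_downtime_minutes(availability, minutes=MINUTES_PER_MONTH):
    """Translate an availability fraction into the downtime budget it permits."""
    return (1 - availability) * minutes


def three_tier_example():
    """Constructed 3-tier app: web front end -> relational DB, with a queue as fallback."""
    web = 0.9995    # assumed SLA for the web tier
    db = 0.9999     # assumed SLA for the database
    queue = 0.999   # assumed SLA for a queue that buffers writes while the DB is down

    # Without the fallback, web and DB are in series: both must be up.
    no_fallback = composite_series(web, db)
    # With the fallback, DB and queue form a parallel path (either can absorb a write);
    # that path is then in series with the web tier.
    storage_path = composite_parallel(db, queue)
    with_fallback = composite_series(web, storage_path)
    return {"no_fallback": no_fallback, "with_fallback": with_fallback}


if __name__ == "__main__":
    for name, value in three_tier_example().items():
        budget = allowed_downtime_minutes(value)
        print(f"{name}: {value:.6%} -> {budget:.1f} min/month of allowed downtime")
```

Note that adding the queue lifts the composite only up to the web tier's own figure: the series part of the design caps the result at its weakest component.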

Time to Complete
Estimated 45 min
Actual 39 min

Module 4: Create an Azure account

The first step in working with Azure is to create an Azure account. Accounts themselves are free, and once you have one you can use a variety of services (both free and paid) to build, host, and deploy your applications. An Azure account is either an identity in Azure AD or a directory that Azure AD trusts. It holds name, email, contact preferences, and billing information. While an account will get you into Azure, it is an Azure subscription that acts as the logical container used to provision resources. The most popular types of subscriptions are: free (for a limited time), pay-as-you-go, Enterprise, and Student. To create an account, you will need a valid credit card (to verify identity). You have the ability to create multiple subscriptions under your Azure account. This feature would be useful for businesses, since access control and billing are specific to a subscription. Every subscription receives a bill on a monthly basis. Using cost analysis, you can analyze your bill and view all invoices for a subscription. You can also set spending limits per subscription per month. If you have multiple subscriptions, it is possible to transfer them between accounts using the Azure account center. Note: if you transfer a subscription to a new owner, all RBAC accounts will be deleted, not migrated, to the new owner. The new owner will need to accept the transfer after you initiate it.

Your account is secured by Azure AD (which is not the same as Windows Active Directory). Azure AD is partitioned into tenants, which are isolated instances of an Azure AD service. When you sign up for Azure, a tenant is created for you, but your identity can have access to multiple tenants. However, while a tenant can be associated with multiple subscriptions, every subscription can only be associated with one tenant (a one-to-many trust relationship between tenants and subscriptions). Every subscription includes free support in the form of billing support, documentation, white papers, and community support forums. You can pay for additional support if you require it. The support tiers are: developer, standard, operational direct, and premier.

Time to Complete
Estimated 50 min
Actual 36 min

Module 5: Core Cloud Services - Manage services with the Azure portal

This module promises a tour of the Azure portal and common services one might use in it. There are many ways to manage Azure resources: Azure Portal, Azure PowerShell and Azure CLI, Azure Cloud Shell, and the Azure Mobile App. The Azure Portal is the public web interface that provides the basic dashboard you can use to manage everything for your account. Azure PowerShell is a PowerShell module you can install that includes Azure-specific commands for managing your resources. Similarly, the Azure CLI is a cross-platform command line interface you can install that includes commands to manage your Azure instance. Azure Cloud Shell is an authenticated, interactive shell that you can access through your browser to manage Azure resources. It includes the previously mentioned CLI commands as well as some developer tools pre-installed. The Azure mobile app is similar to the Portal and can be used on your mobile devices or tablets. There are other SDKs available as well.

The Azure portal is the primary GUI for accessing Azure resources. The default view includes a resource pane on the left-hand side and a dashboard in the middle of the page. The portal uses blades for navigation. These are slide-out panels that contain the navigation options for each step in a process. One available blade is the Azure Marketplace, where you can choose from a number of existing apps ready to run in your Azure instance. Some configuration options include notifications, Cloud Shell, settings, a Feedback blade, a Help blade, and Help & Support options. You can open a new support request with this last option (depending on the level of support associated with your subscription). You can also access Directory & Subscription options or Profile settings, which will help you navigate between subscriptions or directories, or switch accounts, respectively. Finally, there is Azure Advisor, a free service that can recommend actions to improve availability, security, performance, and cost.

Once again we have an exercise that requires us to activate the Azure sandbox. After that is completed we log in to the portal and tour the blades user interface by browsing the “Create a Resource” feature. We continue our tour by looking at the “All Services” option in the resources pane, the “Notifications” feature, and the “Cloud Shell” feature (which you can launch in your portal, or in an independent browser by following the link https://shell.azure.com/). The tour concludes by looking at the rest of the settings icon.

After the tour we learn about dashboards. A dashboard is just a customized set of tiles you display in the portal UI. You can create multiple dashboards and even share them with teammates. Conveniently, dashboards are stored as JSON files, so they are easy to save, share, and modify. You can see the dashboards by choosing the “Dashboard” option from the resource pane. Along the top of the dashboard are all of the controls to edit, share, or clone it (among other options). These allow you to create or modify dashboards with a simple WYSIWYG editor. To share a dashboard, click the “Share” link. This will lead you through a wizard where you save the dashboard to a resource group, after which you will have the option to “Manage Users” to assign permissions to the dashboard for others to use it. After learning about dashboards there is an exercise where we make our own custom dashboard in the sandbox.

The module ends by talking about Azure preview features. There are two types of previews: private (invite only for specific customers) and public (available for all customers). You can find preview features through the preview page or through the portal by searching for ‘Preview’ in the “Create a Resource” blade. You can also test out the preview version of the portal itself by going to the portal preview link. Once preview features are tested and approved they move to General Availability (GA).

Time to Complete
Estimated 1 hr 13 min
Actual 1 hr 20 min

Module 6: Core Cloud Services - Azure compute options

Azure lets you easily create compute resources and configure them to do the work you need while you only pay for what you actually use. This module looks at the compute resources that are available in Azure and how they fit different business needs. The four most common ways to configure compute resources in Azure are through virtual machines (VMs), containers, app services, or serverless computing. VMs are software emulations of physical computers. Containers are a virtualization environment for running applications, similar to VMs but without including an OS for the apps running inside them. App services are Azure’s PaaS offering for running applications. Serverless computing is a cloud-based execution environment to run code that abstracts away the underlying hosting environment entirely. Each of these options has tradeoffs and will be more or less appropriate given the specific business case.

VMs are an IaaS offering and are a good fit when you want total control over the operating system, need to run custom software, or want to use custom hosting configurations. With this customization comes the cost of maintaining the VM and all of the software running on it. VMs can be useful to “lift and shift” existing workloads to the cloud. You can run single VMs or groups of VMs together to provide higher availability and performance. Azure provides availability sets, virtual machine scale sets, and Azure Batch to help. Availability sets are logical groupings of two or more VMs to keep your application available during planned or unplanned outages. VMs that are included in availability sets are placed in different update domains, so that if they need to restart as part of a patch or update, they will reboot at different times. Similarly, the VMs are placed in different fault domains (physical sets of servers), so if the underlying hardware fails, they can run on different hardware. Availability sets themselves are free; you only pay for the VMs needed. Virtual machine scale sets are a way to set up and manage a group of identical, load-balanced VMs without needing to do the underlying work of managing the routing. They make it easy to scale a service up and down. Azure Batch basically just makes it easy for you to run large-scale jobs. It will spin up a pool of VMs, start the job, manage failures and queues, and scale down again when needed.

Containers are good when you want to run multiple instances of an application on a single host. An orchestrator can start, stop, or scale instances as needed. Containers are lighter weight than VMs because they are just runtime environments designed to run on top of a host VM. They are secured and isolated so you can run multiple apps on the same server. Azure supports Docker with two services: Azure Container Instances (ACI) and Azure Kubernetes Service (AKS). ACI is a PaaS offering that lets you directly upload your containers to run and scale them automatically. AKS is an orchestration service for containers with distributed architectures, for when you need to manage multiple containers. Containers are often used to separate portions of your applications into logical units that you can maintain and update independently (think microservices).

Azure App Service is a PaaS offering that allows you to host and scale web apps, APIs, mobile backends, and background jobs. You pay for those compute resources by tier, which dictates the level of performance your service has. An App Service is the ideal choice for a web-oriented application. WebJobs allow you to run a script in the same context as your app and are often used to run background tasks. Mobile Apps let you build backends for Android or iOS apps. They provide you with a cloud-based SQL database, and help with things such as authentication, sending push notifications, or customizing backend logic.

Finally, Azure offers serverless computing, which means Azure handles everything. You write your function and are only charged for the compute used to run it, when it runs. Serverless is built on three ideas. One, serverless abstracts everything: you only deploy your code, everything else is handled for you. Two, it is event driven. Instead of building an app you write a function with code and metadata about its triggers and bindings. Three, micro-billing, which means you are only charged for the time during which your function is running. Azure has two serverless implementations: Functions and Logic Apps. Functions are just blocks of code which run in response to an event. They can be stateless, or durable (meaning context is passed to the function to track prior activity). Logic Apps are similar, except they execute workflows, rather than code, to automate business scenarios. Every time they are triggered they execute the actions in a predefined workflow. Logic Apps are created with a visual designer in Azure or Visual Studio, but their workflows are saved as JSON. Unlike Functions, Logic Apps default to being stateful.

Time to Complete
Estimated 38 min
Actual 1 hr 2 min

Module 7: Core Cloud Services - Azure data storage options

This module starts by making the case for storing data in the cloud. Some of the benefits of using Azure to store your data include: automated backup and recovery, replication across the globe, support for data and analytics, encryption capabilities, storing multiple data types, data storage in virtual disks, and storage tiers based on usage and frequency of access. Azure storage is designed to hold structured, semi-structured, and unstructured data. Structured data is the relational data we are used to. It has a schema. Semi-structured data doesn’t have a schema per se, but includes tags and keys that help organize it. Unstructured data can be basically anything.

Azure has several storage offerings to handle different business cases depending on your needs. Azure SQL Database is a relational database that is simply a cloud version of the latest stable version of the MSSQL server engine, so you can use the fully functional database without having to worry about infrastructure. There is an Azure Database Migration Service and a Microsoft Data Migration Assistant that are designed to make migrating your existing SQL Server databases to the cloud quick and easy. Azure Cosmos DB is a globally distributed database service that supports schema-less data. Azure Blob Storage is meant to store unstructured data. Applications work with blobs similarly to how they might interact with files on a filesystem. With blob storage you can also stream audio or video files directly to a user’s browser. The Data Lake is a large repository that can store structured and unstructured data so that you can perform analytics or produce reports. It combines the cost benefits and scalability of object storage with the performance and reliability of a big data file system. Azure Files offers fully managed file shares in the cloud using SMB (Server Message Block). Any on-premise or cloud VMs can mount the file share to access storage. This might be used to share files, store diagnostic data, or for application data sharing. Azure Queue Storage is a service to store large numbers of messages that can be accessed globally. It provides asynchronous message queueing and can be used to create a backlog of work and pass messages between Azure services, to distribute load among different web servers and manage bursts of traffic, or to build resilience against component failure when multiple users access the same data at the same time. As the name implies, Disk Storage provides virtual disks for Azure VMs, applications, and other services to access. They can be used to lift-and-shift on-premise applications that persist data to disk storage. Disks come with different characteristics and SLAs depending on your needs, including SSDs and HDDs. Azure has three storage tiers for blob object storage: hot (data that is accessed frequently), cool (data that is accessed infrequently and stored for at least 30 days), and archive (data that is accessed rarely and stored for at least 180 days).

Azure uses encryption and replication to provide security and availability for your data. For storage service encryption, Azure provides Azure Storage Service Encryption (ASE - data are encrypted at rest) and Client-Side Encryption (data are encrypted by client libraries, stored in their encrypted state, and decrypted on retrieval). When you create a storage account, a replication type is set up to ensure your data is durable and available. Azure provides geographic and regional replication to protect your data.

Azure storage differs from on-premise storage across several dimensions. Cost effectiveness: on-premise storage requires hardware purchase and setup, whereas Azure storage is pay-as-you-go and can scale flexibly. Reliability: Azure provides backup, load balancing, disaster recovery, and replication as services, whereas on-premise solutions require each of these to be explicitly planned and implemented. Storage types: on-premise solutions requiring multiple storage types also require multiple servers and administrative software to be set up, whereas Azure provides a variety of products that are easy to integrate. Agility: requirements change, and Azure reduces the cost of that change versus on-premise approaches.

Time to Complete
Estimated 25 min
Actual 45 min

Module 8: Core Cloud Services - Azure networking options

Rounding out the overview of basic Azure services are the Azure networking options. Somewhat surprisingly, we start out with a quick overview of loosely coupled and n-tier architectures. But this quickly transitions into a 3-tier reference architecture (web tier, app tier, and data tier) hosted on VMs, which becomes the example used to illustrate Azure networking options. An Azure region is one or more data centers within a specific geographic location. A virtual network is a logically isolated network on Azure. It allows Azure resources to securely communicate with each other, the internet, and on-premise networks. Virtual networks are scoped to a single region, but networks from different regions can be connected together. They can be segmented into subnets. If you want to keep one of your tiers in your on-premise network, you can use a VPN gateway to provide a secure connection between it and the Azure virtual network. There is no need to manage hardware because Azure handles it for you; you simply configure your virtual networks and gateways through software. A network security group (NSG) allows or denies inbound network traffic to your Azure resources, similar to a cloud-level firewall.

With the basics of running your app out of the way, it is time to consider performance and reliability issues. Availability is how long your service is up and running (without interruption). Resiliency is the system’s ability to stay operational given adverse or abnormal conditions such as disasters, maintenance windows, spikes in traffic, or malicious attacks. Load balancers help to distribute traffic among systems in a pool, and they are one way to improve availability and resiliency. If you replicated your system across additional VMs, the load balancer would receive the user request and route it to the appropriate VM based on traffic and the state of the system. The Azure Load Balancer is a service Azure provides to give this capability to your Azure services without the need to set up another VM to host it or otherwise manage any hardware. You simply define the forwarding rules based on the source IP and port to a set of destination IPs/ports. The Azure Load Balancer can handle incoming internet traffic, internal traffic across Azure services, port forwarding for specific traffic, and outbound connectivity for VMs in your virtual network, which makes it flexible. However, if all of your traffic is HTTP based, then the Azure Application Gateway might be a better choice, as it is a load balancer designed specifically for web applications. As it understands the structure of the HTTP message, it has some benefits over the general load balancer, such as: cookie affinity (for maintaining session), SSL termination (to manage SSL certificates and encryption), web application firewall (a sophisticated firewall with monitoring and logging), URL rule-based routes (routing based on URL patterns or source IP addresses), and rewriting HTTP headers (to add or remove information from inbound or outbound HTTP headers).

A distributed set of servers for delivering web content is called a content delivery network (CDN). It allows you to cache content at physical nodes to provide better performance for your sites. Azure DNS is a hosting service for DNS domains (the Domain Name System, DNS, maps names to IP addresses). While the Azure Load Balancer helped achieve availability in a region, Azure Traffic Manager is the service that can help you across geographic regions. Latency is the time it takes for data to travel over a network (bandwidth is the amount of data that can fit on the connection). It makes sense that latency will increase with distance traveled. So, to reduce latency for global customers you might provide copies of your site in different regions. Traffic Manager is the service that will use the DNS server closest to the user to direct traffic to a globally distributed endpoint. It can also route traffic to an on-premise deployment.

Time to Complete
Estimated 28 min
Actual 25 min

Module 9: Security, responsibility and trust in Azure

Every system, architecture, and application needs to be designed with security in mind. Fortunately, moving into the cloud means security becomes a shared concern with Azure. If you are using IaaS, setting up VMs on Azure, it will still be your responsibility to patch and secure the software on them and to set up a secure network. However, Azure still handles all of the physical security for the data center, so that is no longer your concern. If you are using PaaS, Azure will handle keeping the OS and foundational software secure. Everything will be updated regularly with the latest security patches. PaaS products can also be integrated with Azure AD for access control. If you are using SaaS products, all security concerns are effectively outsourced to the vendor of the product. For all cloud services you will own the data and identities, and be responsible for securing them. You will always have responsibility for data, endpoints, accounts, and access management.

Defense in depth is a strategy to slow attacks that try to acquire unauthorized access to information. It is a layered approach where each layer provides protection so that if one is breached, a subsequent layer will be in place to prevent further exposure. The layers are physical security, identity & access, perimeter, network, compute, application, and finally data, which in most cases is what attackers are after. Data can be stored in a DB, on disk in a VM, in a SaaS application, or in cloud storage. It is the responsibility of those storing the data to properly secure it. For applications, make sure they are free of vulnerabilities, store their secrets securely, and are designed for security (security requirements should be non-negotiable). To secure compute, make sure access to virtual machines is secure, implement endpoint protection, and keep your systems patched. Make sure all controls are in place to minimize security issues. When approaching networking, make sure to limit communication between resources, default to denying access, restrict inbound internet access, and implement secure connections to on-premise networks. Similar to the concept of least privilege, limit network connectivity to only what is required. Make sure to implement DDoS protection on the perimeter and to use firewalls to identify and alert on attacks. Some say identity is the new perimeter, so make sure to control access to infrastructure and to audit events and changes. Make sure identities are secure and grant access only to what is needed, when needed. Finally, have physical security protecting your data centers.

Fortunately Azure has a Security Center, a monitoring service that provides threat protection across all of your Azure services. It can provide security recommendations based on your resources, monitor security settings and apply security to new services as they come online, monitor and perform security assessments to identify vulnerabilities, protect and block malware from being installed on your VMs, identify potential attacks and investigate breach activity, and provide JIT access control for ports to reduce your attack surface. The free tier of Azure Security Center is limited to assessments and recommendations for Azure resources, while the Standard tier provides the full suite of services. You can use Security Center in a number of ways. It can help review the first indication of an event (detect), help obtain more information about suspicious activity (assess), and provide remediation steps to address the incident (diagnose). You can also use Security Center to reduce the chances of an event by configuring a security policy (to define the controls for your resources) and letting Security Center analyze the state of your resources against the policy (and provide recommended configurations of your resources to meet the policy).
A proliferation of new devices has made network perimeters more porous, leading to the idea that identity has become the new perimeter. One can’t talk identity without reviewing authentication (AuthN - the process of establishing who you are) and authorization (AuthZ- what you are allowed to do). Azure manages authentication an authorization with Azure AD, its cloud-based identity service. Azure AD can be synched up to an on-premise AD to share credentials and centralize security rules and policies. Azure AD can handle authentication, SSO, application management, B2B identity services, and device management. SSO (single sign-on) means using the same identity to access multiple applications. With Azure AD, you can combine multiple data sources into a single security graph. MFA (multi-factor authentication) adds an additional level of security to your identity by requiring at least two elements to verify your identity (something you know (maybe a password), something you have (a device), something you are(biometrics)). This limits the impact of credential exposure. To avoid storing sensitive data (passwords) in insecure configs for applications, you can set up service principals, which are identities used by a service or application. (Principals are identities acting with certain roles or claims.) So, roles can be assigned to the service principal to manage access for the application. Azure makes this process easy for Azure services by introducing Managed Identities for them. Managed identities create accounts in your AAD so that the Azure infrastructure can authenticate the service and manage the account. At that point it will look like any other AAD account. Roles are sets of permissions that users are granted. Identities are mapped to roles directly or through group membership. Roles can be granted at the service level, but also inherited in the Azure Resource Manager hierarchy (Management group - subscription - resource group - resource). 
Finally we have Privileged Identity Management (PIM), which is an Azure AD service to provide oversight of role assignments, self-service, JIT role activation, and Azure resource access reviews. Data is often the most valuable assent or organization has, and encryption is the last defense of it in a layered security strategy. Encrypted data is unreadable and must be decrypted first. Decryption requires a secret key. Encryption can be symmetric or asymmetric. Symmetric encryption uses the same key to encrypt and decrypt the data. Asymmetric encryption uses a public key and private key pair. Both keys can encrypt the data, but only the private key can decrypt it. (HTTPS uses asymmetric encryption.) Data at rest is data that is stored. Encryption at rest means the stored data are encrypted and unreadable. Data in transit is data that is moving between one location and another. Encryption in transit means the data are encrypted as it is sent and decrypted when it is received (using the secret key). Encryption can occur at the application layer (i.e. HTTPS) or at the network layer (i.e. VPN). Azure has ways to help you protect your data with encryption. It can encrypt raw storage using Azure Storage Service Encryption. This encrypts data at rest and decrypts it on retrieval. Encryption, decryption, and key management are transparent to the applications using the services. Azure Disk Encryption will help you encrypt you VM disks using BitLocker (Windows) or dm-crypt (Linux). It integrates with Azure Key Vault to manage keys and secrets. Transparent data encryption (TDE) protects Azure SQL DB and Azure Data Warehouse. It is enabled by default and performs real-time encryption and decryption of the DB, backups, and log files at rest. It uses a symmetric database encryption key per logical SQL Server instance. Azure Key Vault has already been mentioned several times. 
All it is, is a cloud service to store application secrets so that you can keep them in a central location and control (and audit) access to them. It can help with secrets management, key management, certificate management, and to store secrets backed by hardware security modules (HSMs). Its benefits include centralized application secrets, securely stored secrets and keys, monitoring of access and use, simple administration of app secrets, and integration with Azure services. Transport Layer Security (TLS) is the basis for encryption in transit of website data. It uses certificates to encrypt and decrypt data. Certificates can be self-signed (good for developing and testing) or signed by a trusted certificate authority (good for prod). They can contain keys and have a thumbprint to identify them. Azure uses the thumbprint to decide which certificate a service should use. Azure uses Service certificates (used for cloud services) and Management certificates (used to authenticate with the management API). Service certificates are attached to a cloud service to enable secure communication with that service. These certificates can be managed separately from the services themselves, and even have different people managing them. This is possible because the logical name, store name, and location of the certification is kept in the service definition file, while the thumbprint is kept in the service configuration file. To update the certification you only need to update it and change the thumbprint value in the service config. Management certificates let you authenticate with the classic deployment model, but are not really related to cloud services. As mentioned, certificates can be stored in Azure Key Vault. 
Key Vault adds some value because it has features to let you create certificates (as well as import existing ones), store and manage certificates without needing to interact with private keys, create policies to manage the certificate life-cycle, get notified about certificate life-cycle events, and auto renew certificates. So, what does network security look like in Azure? It takes the same layered approach discussed up to this point. It starts on the perimeter by protecting against attacks from the internet. We should make sure we know all resources that are allowing inbound traffic and restricting access to only the ports and protocols necessary. (Azure security center can help identify this information). A firewall will grant or restrict access to a server based on the IP address of the request. Azure Firewall is a firewall as a service that provide inbound protection for non-HTTP/HTTPS protocols and outbound protection for all ports and protocols, and application-level protection for outbound HTTP/HTTPS. Azure Application Gateway is the load balancer for HTTP traffic we talked about in a previous module. It also includes a firewall to protect against common website vulnerabilities. Network virtual appliances (NVAs) are similar to hardware firewall appliances and are good for non-HTTP services. To stimy DDos attack, the Azure DDos Protection service monitors traffic at the network edge to detect attacks and block malicious traffic while still letting legitimate traffic flow into Azure. It includes a basic tier that is enabled by default with always-on traffic monitoring and mitigation of common attacks. But the Standard service tier provides additional capabilities that are tuned specifically to Azure Virtual Network resources. This tier can prevent Volumetric attacks, protocol attacks, and application layer attacks. Inside a virtual network (VNet) it is important to limit communication between resources to only what is required. 
Network Security Groups (NSGs) help to restrict this communication. They filter network traffic to and from resources in an Azure virtual network. They are fully customizable and can contain multiple rules to filter based on source and destination IP, port, and protocol. By restricting access to only service endpoints you can remove public internet access to your services. To integrate on-premise networks into you Azure Virtual Network you can use a Virtual private network (VPN) to provide secure communication. Azure ExpressRoute can provide a dedicated private connection between an on-premise network and Azure. Microsoft Azure Information Protection (AIP) helps you label documents and emails based on rules and conditions you can configure. With the content on your system classified you can gain insight into your business, detect risky behaviors, track access to documents, and prevent data leakage or misuse. Azure Advanced Treat Protection (Azure ATP) helps identify, detect, and investigate threats directed at your organization. It is a full solution that consists of the Azure ATP portal, Azure ATP sensors, and the Azure ATP cloud service. The portal can be used to monitor data from the ATP sensors so you can identify and respond to suspicious activity. The ATP sensors are installed on your domain controllers to monitor traffic. The ATP cloud service runs on Azure and is connected to Microsoft’s intelligent security graph.
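As an added illustration (not from the course), the following Python models the NSG behaviour described above: custom rules are matched in priority order ahead of the default AllowVnetInBound and DenyAllInBound rules, so anything you do not explicitly allow from outside the VNet is denied, while traffic inside the VNet is allowed unless you add a deny rule. The VNet range, the web-tier rule set and the probe address are constructed for the example, and only the VirtualNetwork and Internet service tags are modelled.

```python
"""Simplified model of how a Network Security Group evaluates inbound traffic. Added
example, not Azure's code: rules are checked in priority order (lowest number first)
and the first match wins. The default rules Azure appends to every NSG are modelled
for AllowVnetInBound (65000) and DenyAllInBound (65500); the AzureLoadBalancer default
and service tags other than VirtualNetwork/Internet are left out for brevity."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

VNET = ip_network("10.0.0.0/16")  # constructed address space of the VNet the NSG guards

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int   # custom rules use 100-4096, unique within the NSG; lower wins
    access: str     # "Allow" or "Deny"
    protocol: str   # "Tcp", "Udp" or "*"
    source: str     # "*", an address or CIDR, or the tag "VirtualNetwork"/"Internet"
    dest_port: str  # "*", a single port, or a range such as "1024-65535"

DEFAULT_INBOUND = (
    Rule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*"),
)

def _source_ok(spec, src):
    ip = ip_address(src)
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return ip in VNET
    if spec == "Internet":  # simplification: any address outside the VNet
        return ip not in VNET
    return ip in ip_network(spec, strict=False)

def _port_ok(spec, port):
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def validate(rules):
    """Reject priorities outside 100-4096 or reused within the NSG, as the API would."""
    seen = set()
    for r in rules:
        if not 100 <= r.priority <= 4096 or r.priority in seen:
            raise ValueError(f"bad priority {r.priority} on rule {r.name}")
        seen.add(r.priority)

def evaluate_inbound(rules, src, dst_port, protocol):
    """Return (access, rule_name) from the first rule matching the inbound flow."""
    validate(rules)
    for r in sorted((*rules, *DEFAULT_INBOUND), key=lambda r: r.priority):
        if (r.protocol in ("*", protocol) and _source_ok(r.source, src)
                and _port_ok(r.dest_port, dst_port)):
            return r.access, r.name
    raise AssertionError("unreachable: DenyAllInBound matches every flow")

def internet_exposed_ports(rules, ports, probe="203.0.113.10"):
    """Which of the given TCP ports an address outside the VNet can reach: the review
    the module asks for (know every resource that allows inbound traffic)."""
    return [p for p in ports if evaluate_inbound(rules, probe, p, "Tcp")[0] == "Allow"]

# Constructed rule set for a web tier: HTTPS from anywhere, SSH only from a corporate
# range, and RDP denied even from inside the VNet, overriding AllowVnetInBound.
WEB_TIER = [
    Rule("AllowHttpsFromInternet", 100, "Allow", "Tcp", "Internet", "443"),
    Rule("AllowSshFromCorp", 110, "Allow", "Tcp", "198.51.100.0/24", "22"),
    Rule("DenyRdpFromVnet", 200, "Deny", "Tcp", "VirtualNetwork", "3389"),
]
```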

Time to Complete
Estimated 1 hr 16 min
Actual 2 hr 1 min

Module 10: Apply and monitor infrastructure standards with Azure Policy

Good IT governance is important when you have many teams working in Azure, multiple subscriptions in your tenant, regulatory requirements to meet, and when you want to ensure standards are followed for all IT resources. Fortunately Azure has tools you can use to enforce your standards while still allowing multiple teams the power to create their own resources. The first thing you need is a policy to enforce your standards. Azure Policy is a service that allows you to create, assign, and manage policies to enforce rules for your resources. Once enacted, all existing and new resources are evaluated for compliance with the policy. Policies can even be integrated with Azure DevOps to apply policies that affect deployment of your applications. (Azure Policy differs from RBAC because it focuses on resource properties during deployment rather than user actions.) To create a policy you create a policy definition, assign the definition to a scope of resources, and view the policy evaluation results. The policy definition says what to evaluate and what action to take. Policy definitions are stored as JSON files and there are many predefined policies in the portal already. You can apply policies directly through the portal or using one of the Azure CLI tools. You can see the result of an applied policy in the portal or using one of the CLI tools. Once you have a policy definition, you need to assign it to a scope of resources (e.g. a subscription, resource group, etc.). This is called a policy assignment. Every policy has an effect, or what happens when its rule is matched. Azure Policy will evaluate all rules when a request to create or update a resource occurs. It will execute all effects before handing the process over to the Resource Manager to fulfill. You can view the results of policies in the portal. It is also possible to remove policy assignments you no longer need. Policies are useful, but as they proliferate they become difficult to manage. Azure introduces the concept of initiatives to help with this. An initiative definition is a set of policy definitions used to track your compliance against a larger/aggregate state. An initiative assignment is an initiative definition assigned to a specific scope. You can define initiatives in the portal or with a CLI tool.

While access management in Azure occurs at the subscription level, some rules need to be consistent across subscriptions within an organization. This is where Azure Management groups come in. They are simply containers for managing access, policies, and compliance across multiple Azure subscriptions. All subscriptions within a management group inherit the conditions applied to that group. Management groups can also be effective for granting access to multiple subscriptions. If you apply RBAC at the Management Group level, all subscriptions under that group will inherit the permissions, which is an easier way to manage that than duplicating those permissions across subscriptions.

Azure has another tool, Azure Blueprints, that allows cloud architects to define Azure resources that adhere to an organization’s standards, so that other teams can use them to build out their environments. Azure Blueprints is a declarative way to orchestrate the deployment of resource templates such as role assignments, policy assignments, Azure Resource Manager templates, and resource groups. You implement them by creating an Azure Blueprint, assigning the Blueprint, and tracking the Blueprint assignments. Azure Blueprints preserve the relationship between what should have been deployed (the definition) and what was deployed (the assignment). This is the key difference between a Blueprint and a Resource Manager template. Blueprints are native Azure objects, whereas Resource Manager templates are just documents that don’t exist natively in Azure. So once Resource Manager templates are deployed, the relationship between the resources deployed and that template is gone. Blueprints maintain this, so they are better for tracking and auditability. But Blueprints can contain Resource Manager templates, so there is no reason to choose one or the other. They both work well for different scenarios and also work well together. Policies can also be included in Blueprints to further validate that only expected changes were made to the environment, to protect the intent of the Blueprint.

To help you understand how Microsoft manages the underlying resources in Azure, it provides the Microsoft Privacy Statement, Microsoft Trust Center, Service Trust Portal, and Compliance Manager. The Microsoft Privacy Statement explains what personal data Microsoft processes, how it processes it and for what purposes. The Microsoft Trust Center is a website with resources and information about how Microsoft supports security, privacy, compliance, and transparency. The Service Trust Portal (STP) is a companion to the Trust Center where Microsoft publishes audit reports and other relevant compliance related information. Finally, Compliance Manager is an interactive risk assessment dashboard within the Trust Portal. You can track your organization’s compliance activities in it. It provides risk-assessment scores against various standards and lets you create your own. You can also upload documents and other artifacts to track your compliance.

Once your resources are deployed you will want to monitor them for issues and to ensure performance. The two primary services for this are Azure Monitor and Azure Service Health. Azure Monitor collects, analyzes, and helps you act on telemetry data collected from your services. It helps you understand how they are performing and maybe why they are performing that way. It can use application monitoring data, guest OS monitoring data, Azure resource monitoring data, Azure subscription monitoring data, and Azure tenant monitoring data. Activity logs record when resources are created or modified. Metrics tell you how resources are performing or what resources they are consuming. You can enable further diagnostics to enable guest-level monitoring, performance counters, event logs, crash dumps, sinks, or agents. Azure Monitor includes some tools to help collect information on your applications: Application Insights (to monitor web apps), Azure Monitor for containers (to monitor container workloads for AKS), and Azure Monitor for VMs (to monitor the health of your Azure VMs at scale). Azure Monitor can automatically respond to certain conditions either with an alert or by autoscaling a resource. Azure Service Health is a suite of views designed to help you understand issues impacting Azure and how they might affect you. It includes Azure Status, a global view of the health of Azure; Service Health, a customizable dashboard that tracks the state of Azure in the regions where you use it; and Resource Health, which is specific to the resources that you are using. Azure Service Health can help you plan for and react to Azure service and performance surprises.
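To make policy definitions, assignments, effects and initiatives concrete, here is an added example (a toy evaluator, not Azure’s engine and not from the course): three constructed definitions written in the real definition JSON shape are evaluated against a resource, with parameter values supplied at assignment time, showing the deny, audit and append effects (append being the way a policy can add tags automatically). The resource, tag names and display names are constructed, and only the small subset of rule syntax these definitions use is supported.

```python
"""Toy evaluator for the Azure Policy definition format. Added example, not Azure's
engine: it supports only the policyRule subset used by the three constructed
definitions below (field with in/exists, not, [parameters()] references) and the
effects deny, audit and append. Resources are dicts shaped like ARM resource JSON."""
import copy
import re

ALLOWED_LOCATIONS = {"properties": {
    "displayName": "Allowed locations", "mode": "Indexed",
    "parameters": {"allowedLocations": {"type": "Array", "defaultValue": ["eastus"]}},
    "policyRule": {"if": {"not": {"field": "location",
                                  "in": "[parameters('allowedLocations')]"}},
                   "then": {"effect": "deny"}}}}
REQUIRE_ENV_TAG = {"properties": {  # effect chosen per assignment, default audit
    "displayName": "Require an env tag", "mode": "Indexed",
    "parameters": {"effect": {"type": "String", "defaultValue": "audit"}},
    "policyRule": {"if": {"field": "tags['env']", "exists": "false"},
                   "then": {"effect": "[parameters('effect')]"}}}}
APPEND_OWNER_TAG = {"properties": {  # adds a tag instead of blocking the request
    "displayName": "Append an owner tag", "mode": "Indexed",
    "policyRule": {"if": {"field": "tags['owner']", "exists": "false"},
                   "then": {"effect": "append",
                            "details": [{"field": "tags['owner']", "value": "platform"}]}}}}

TAG_FIELD = re.compile(r"tags\['([^']+)'\]")        # alias form for a single tag
PARAM_REF = re.compile(r"\[parameters\('(\w+)'\)\]")  # reference to a parameter

def _field(resource, name):
    """Read a top-level ARM property, or a tag addressed as tags['key']."""
    m = TAG_FIELD.fullmatch(name)
    return resource.get("tags", {}).get(m.group(1)) if m else resource.get(name)

def _resolve(value, params):
    """Replace a "[parameters('x')]" reference with the value supplied for x."""
    m = PARAM_REF.fullmatch(value) if isinstance(value, str) else None
    return params[m.group(1)] if m else value

def _matches(cond, resource, params):
    if "not" in cond:
        return not _matches(cond["not"], resource, params)
    actual = _field(resource, cond["field"])
    if "in" in cond:
        return actual in _resolve(cond["in"], params)
    if "exists" in cond:
        return (actual is not None) == (str(cond["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {cond}")

def evaluate(definition, resource, assignment_params=None):
    """Evaluate one definition against one resource, as Azure does on create/update.

    Returns (effect, allowed, resource). effect is None when the rule did not match;
    deny rejects the request, audit lets it through but marks it non-compliant, and
    append lets it through after adding the listed tag values."""
    props = definition["properties"]
    params = {k: v.get("defaultValue") for k, v in props.get("parameters", {}).items()}
    params.update(assignment_params or {})
    rule = props["policyRule"]
    if not _matches(rule["if"], resource, params):
        return None, True, resource
    effect = _resolve(rule["then"]["effect"], params).lower()
    if effect == "append":
        resource = copy.deepcopy(resource)  # the request is rewritten, not rejected
        for item in rule["then"]["details"]:
            key = TAG_FIELD.fullmatch(item["field"]).group(1)
            resource.setdefault("tags", {})[key] = item["value"]
        return "append", True, resource
    return effect, effect != "deny", resource

def evaluate_initiative(definitions, resource, assignment_params=None):
    """An initiative assigns several definitions as one unit. Append effects run first,
    the request is allowed only if no member denies it, and the display names of the
    definitions whose audit rule fired come back as the non-compliance findings."""
    non_compliant = []
    for d in sorted(definitions,
                    key=lambda d: d["properties"]["policyRule"]["then"]["effect"] != "append"):
        effect, allowed, resource = evaluate(d, resource, assignment_params)
        if not allowed:
            return False, [d["properties"]["displayName"]], resource
        if effect == "audit":
            non_compliant.append(d["properties"]["displayName"])
    return True, non_compliant, resource
```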

Time to Complete
Estimated 46 min
Actual 45 min

Module 11: Control and organize Azure resources with Azure Resource Manager

Resource groups are logical containers for resources deployed to Azure. A resource must belong to one (and only one) resource group. They exist to help you manage your Azure resources and keep them organized. When you delete a resource group, all resources within it are deleted as well. RBAC can also be applied to resource groups, which is a convenient way to manage access to the resources within it. You can create a resource group through the portal or with most other CLI and SDK tools. After you create a resource group, you can view it in the portal. The overview page will show you the resources currently in the resource group. The resource group blade contains links to information that might be useful, including a history of resources deployed to that group. Some best practices for using resource groups include coming up with a naming convention (name-type of resources in group-type of resource?) and an organizing principle (by type? by environment? by org unit?). You might consider using access groups, resource life cycle, or billing entities as other organizing principles for your resource groups to make management of your Azure instance easier.

Tags are another way to help organize your resources. They are just name/value pairs of text that can be added to resources through the portal, the CLI, or the API. Tags can also be included in Azure Policies to automatically add them or to ensure compliance with standards. Tags can help you retrieve related resources that might be located in different resource groups. You can use tags with alerts to know who might be affected by the issues. You can also use tags as inputs to scripts (an example is a startup:6am tag that can be read by a script to start up the service at the specified time). You can use Azure Policy to enforce tag usage.

RBAC provides fine-grained access to Azure resources. You can use it to allow different users different privileges to different resources. You can see who has access to a resource in the Portal on its blade under Access Control (IAM). RBAC uses an allow model, so when you are assigned to a role, you are allowed to perform a specific action. Best practices for RBAC include granting the least privileges necessary to perform a job, segregating duties within a team, and using Resource Locks to make sure critical resources are not modified or deleted accidentally. Resource locks are settings that can be applied to a resource to prevent it from being modified or deleted. A Delete resource lock will prevent a resource from being deleted but allow it to be modified. A Read-only resource lock will prevent modification (including deletion). Resource locks can be applied to subscriptions, resource groups, or individual resources, and are inherited. Resource locks must be removed before the action they block can be performed.

Time to Complete
Estimated 46 min
Actual 37 min

Module 12: Predict costs and optimize spending for Azure

The Azure Pricing Calculator is a free tool to estimate the cost of services. You can assemble different products and set expectations to arrive at an estimated cost for your architecture. While the pricing calculator helps you predict costs before deploying your services, Cost Management and Azure Advisor are the tools that will show you your actual costs and recommend potential savings. Azure Advisor provides recommendations on cost, in addition to other metrics such as availability, security, and performance. For cost, Azure Advisor can recommend that you eliminate unprovisioned ExpressRoute circuits, buy reserved instances of VMs, or right-size/shut down other VMs. Cost Management is effectively a dashboard where you can track your Azure expenses. You can use it to set budgets, schedule reports, and analyze your costs. Azure also includes a Total Cost of Ownership (TCO) calculator. With this calculator you can enter the details about your on-premise infrastructure and get a detailed report comparing the costs of your on-premise set-up to the costs of hosting a comparable set of resources in Azure.

To help manage costs, you can take advantage of Azure credits, which come along with being a Visual Studio subscriber. These give you a monthly allowance to try out new services in Azure without incurring any real cost. These have spending limits so you cannot incur costs over your credit level. If you have a predictable VM workload, you can save money by using a reserved instance. You pay for a one- or three-year term up front and Azure decrements your usage from the reservation. (This can amount to a 70-80% cost savings vs. pay-as-you-go.) Costs are different across regions. If it doesn’t matter where you host a service, look for low-cost regions to host it in. (Note, you should always host resources that are billed for outgoing network bandwidth in the same region to reduce egress traffic between them.) Always make sure to look at Azure Cost Management and Azure Advisor for recommendations such as resizing VMs that are underutilized. Also, make sure to shut down resources (VMs) if there are times that they will not be utilized (e.g. development VMs). You can automate many tasks like this. Delete any resources associated with completed POCs, etc. that are no longer needed. (Remember, you are paying for what you use, so only pay for what you need.) Finally, use PaaS or SaaS solutions instead of IaaS solutions when you can. They are often more cost effective. Continually evaluate the architecture of your applications to determine if there are efficiencies to be gained through PaaS services.

Licensing is another area where you can potentially save money. First, most services can run on Linux or Windows. If the OS doesn’t matter to your application, choose the one that offers cost savings. Use the Azure Hybrid Benefit to repurpose your investments in Windows Server licenses for Azure virtual machines. For SQL Server, the Azure Hybrid Benefit will let you use your SQL Server licenses to pay a reduced rate for Azure SQL Databases. For non-prod work, use the Dev/Test options to get reduced rates on services. There is also a BYOL (Bring Your Own License) option for SQL Server if you have unused licenses that you want to use to install a SQL Server on an Azure VM. Speaking of SQL Server, you can always use SQL Server Developer Edition for free. You can find images of it in the Azure Marketplace. Finally, you can use constrained instances of SQL Server to reduce the number of CPUs and thus reduce licensing costs.

Time to Complete
Estimated 1 hr 14 min
Actual 57 min

Other prep

After completing that course, I went through the Skills Measured from the exam page. I made sure I knew something about each of those bullet points. Some of the bolded topics in the module summaries above are concepts that are noted in the Skills Measured bullet points. I reviewed my notes and some of the original course content to solidify my understanding of them. For the few topics listed on the exam page that were not included in the course (IoT, AI, etc.), I made sure to review the Microsoft documentation on those and make some notes. So, I went into the exam feeling fairly confident after having spent a few days focusing on learning. (It might be important to know that I had hands-on experience with Azure prior to deciding to get the certification.)

AZ-900 Exam Review

First things first: I passed, which is good. Since I opted to go to a local testing center, I can’t comment on the process of taking the test from home (maybe for the next one). Also, the first thing you do when you take the test is to sign an NDA, so I can’t comment on the exam itself, only on my preparation. And I might say that I don’t feel I was as prepared as I might have been. My approach had been to start with the Microsoft Azure fundamentals training. After that I reviewed the Skills Measured sections on the exam page. I revisited the sections from the training that aligned with those skills and then briefly went through the Microsoft documentation on the few bullet points that weren’t covered by the training. And that was good enough to pass. But, if I had to do it over again, I might have reversed that strategy. Maybe I would have started with the Skills Measured bullets and spent more time on each of them, and only after that run through the course (which I do heartily recommend as an introduction to Azure). Every question on my exam related to a bullet point from the Skills Measured section, and from my experience, each of those bullet points is equally important to know and understand. The AZ-900 exam was broad, so if you are planning to take it, don’t neglect anything, and good luck.