
Azure Fundamentals AZ-900

The document outlines modules for the Azure Fundamentals AZ-900 certification course. Module 1 covers cloud concepts, including the benefits of cloud services, types of cloud models (public, private, hybrid), and types of cloud services (IaaS, PaaS, SaaS). Module 2 dives deeper into core Azure services, security, privacy, compliance, and pricing/support topics. The course is aimed at Azure beginners looking to learn more about Azure and become Azure certified.

Azure Fundamentals:

AZ-900 Certification

Kevin Brown
MCT (Microsoft Certified Trainer) since 2000,
Azure Security Engineer,
Azure Solutions Architect,
Azure Administrator,
MCSE,
CISSP

Candidates

Who is this course for?


 Azure beginners

 Want to learn more about Azure

 Want to become Azure certified

Azure Fundamentals Outline: Module 1

Cloud Concepts
 Benefits of Cloud Services

 Types of Cloud models

 Types of Cloud Services

https://www.rtsnetworking.com/udemy
Azure Fundamentals Outline: Module 2

Core Azure Services


 Core Azure Architectural components

 Core Azure Services and Products

 Azure Solutions

 Azure management tools

Azure Fundamentals Outline: Module 3

Security, Privacy, Compliance and Trust


 Securing network connectivity in Azure

 Core Azure Identity services

 Security tools and features

 Azure governance methodologies

 Monitoring and Reporting in Azure

 Privacy, Compliance and Data Protection standards in Azure

Azure Fundamentals Outline: Module 4

Azure Pricing and Support


 Azure subscriptions

 Planning and managing costs

 Support options available with Azure

 Azure Service Level Agreements (SLAs)

 Service lifecycle in Azure

Module 1:
Cloud Concepts

Cloud Concepts: Learning Objectives

After completing these topics, you will be able to:

 Describe and understand cloud services and their benefits

 Understand key terms you will encounter when working with cloud services

 Understand public, private, and hybrid cloud models

 Understand Infrastructure-as-a-Service (IaaS)

 Understand Platform-as-a-Service (PaaS)

 Understand Software-as-a-Service (SaaS)

Module 1: Cloud Concepts
Lesson 1: Why Cloud Services?

Why use Cloud Services

Benefits of cloud services


High availability
 Scalability
 Elasticity
 Agility
 Fault tolerance
 Disaster recovery

Why use Cloud Services

Benefits of cloud services


High availability. The ability to keep services up and running for long
periods of time, with very little downtime, depending on the service in
question.

Scalability. The ability to add or remove additional resources.

Elasticity. The ability to automatically or dynamically increase or decrease
resources as needed. Elastic resources match the current needs, and
resources are added or removed automatically to meet future needs. A
distinction between scalability and elasticity is that elasticity is done
automatically.

Why use Cloud Services

Benefits of cloud services


Agility. The ability to scale quickly. Cloud services can allocate and
deallocate resources quickly, on-demand.

Fault tolerance. The ability to remain up and running even in the event of
a component or service no longer functioning. Typically, redundancy is
built into cloud services architecture so if one component fails, a backup
component takes its place.

Disaster recovery. The ability to recover from an event which has taken
down a cloud service.

What is Cloud Computing?

 Rather than building and operating dedicated
infrastructure to provide IT services, Cloud Computing
services are shared resources offered and maintained by
a third party to multiple IT “tenants” or organizations

Benefits:
 Faster acquisition and deployment of computing
resources
 Lower capital equipment expenditures

Economies of scale

 The concept of economies of scale is the ability to do things
less expensively and more efficiently when operating at a
larger scale in comparison to operating at a smaller scale
 Cloud providers such as Microsoft, Google, and Amazon Web
Services (AWS) are very large businesses, and thus can
leverage the benefits of economies of scale and then pass
those benefits on to their customers

Capital Expense compared to Operational Expense

Capital Expenditure (CapEx) is the spending of money on physical
infrastructure up front, and then deducting that expense from your
tax bill over time. CapEx is an upfront cost which has a value that
reduces over time.

Operational Expenditure (OpEx) is spending money on services or
products and being billed for them immediately. You can deduct this
expense from your tax bill in the same year. There is no upfront cost;
you pay for a service or product as you use it.

Consumption based model

 Only pay for resources that are consumed


 Lower costs
 Additional resources on demand

Module 1: Cloud Concepts
Lesson 2: Types of cloud models

Public Cloud

A public cloud is owned by a cloud services provider (also known
as a hosting provider). It provides resources and services to
multiple organizations and users who connect to the cloud service
via a secure network connection, typically over the internet.

Private Cloud

A private cloud is owned and operated by the organization that
uses the resources from that cloud. They create a cloud
environment in their own datacenter and provide self-service
access to compute resources to users within their organization.
The organization remains the owner, entirely responsible for the
operation of the services they provide.

Hybrid Cloud

A hybrid cloud combines both public and private clouds, allowing
you to run your applications in the most appropriate location.

Comparing Cloud Models
Public cloud:
 No CapEx. You don’t have to buy a new server to scale up.
 Agility. Applications can be made accessible quickly, and
deprovisioned whenever needed.
 Consumption-based model. Organizations pay only for what
they use, and operate under an OpEx model.

Private cloud:
 CapEx. Organization owns all infrastructure components.
 Control. Organizations have complete control over resources.
 Security. Organizations have complete control over security.

Hybrid cloud:
 Flexibility. The most flexible scenario. With a hybrid cloud
setup, an organization can determine whether to run their
applications in a private cloud or in a public cloud.
 Compliance. Organizations maintain the ability to comply with
strict security, compliance, or legal requirements as needed.

Module 1: Cloud Concepts
Lesson 3: Types of cloud services

IaaS (Infrastructure-as-a-Service)

[Figure: cloud service stack, by layer: hosted applications/apps; development tools, database management, business analytics; operating systems; servers and storage; networking firewalls/security; data center physical plant/building]

IaaS is the most basic category of cloud computing services. With
IaaS, you rent IT infrastructure (servers and virtual machines (VMs),
storage, networks, and operating systems) from a cloud provider on
a pay-as-you-go basis. It's an instant computing infrastructure,
provisioned and managed over the internet.

PaaS (Platform-as-a-Service)

[Figure: cloud service stack, by layer: hosted applications/apps; development tools, database management, business analytics; operating systems; servers and storage; networking firewalls/security; data center physical plant/building]

PaaS provides an environment for building, testing, and deploying
software applications. The goal of PaaS is to help create an
application as quickly as possible without having to focus on
managing the underlying infrastructure.

SaaS (Software-as-a-Service)

[Figure: cloud service stack, by layer: hosted applications/apps; development tools, database management, business analytics; operating systems; servers and storage; networking firewalls/security; data center physical plant/building]

SaaS is software that is centrally hosted and managed for the end
customer. It allows users to connect to and use cloud-based apps
over the internet. Common examples are email, calendars, and
office tools such as Microsoft Office 365.

Comparing cloud service types

IaaS: Flexibility. IaaS is the most flexible cloud service as you have control to
configure and manage the hardware running your application.

PaaS: Productivity. Users can focus on application development only, as all
platform management is handled by the cloud provider. Working with
distributed teams as services is easier, as the platform is accessed over the
internet and can be made globally available more easily.

SaaS: Pay-as-you-go pricing model. Users pay for the software they use on a
subscription model, typically monthly or yearly, regardless of how much they
use the software.

Module 2:
Core Azure Services

Core Azure Services: Learning Objectives

After completing these topics, you will be able to:

 Understand and describe core Azure architectural components

 Understand and describe core Azure services and products

 Understand and describe Azure solutions

 Understand and describe Azure management tools

Module 2: Core Azure Services
Lesson 1: Core Azure architectural components

Azure Regions

Where in the world is Azure located?


 Azure is made up of datacenters located around the globe.
These datacenters are organized and made available to end
users by country/region

 Related to datacenters, a region is a geographical area on
the planet containing at least one, but potentially multiple
datacenters that are in close proximity and networked
together with a low-latency network

Azure Regions

http://azure.microsoft.com/regions

Special Azure regions:


 Azure also has some special regions that you might want to use when
building out your applications for compliance or legal purposes. Special
regions are:
 Azure Government
 Azure Germany
 Azure China 21Vianet

Region pairs:
 Each Azure region is paired with another region within the same
geography (such as US, Europe, or Asia). This approach allows for the
replication of resources (such as virtual machine (VM) storage) across a
geography that helps reduce the likelihood of interruptions due to events
such as natural disasters, power outages, or physical network outages
affecting both regions at once.

Azure Region Pairs

Geographies

What are Azure geographies?


 A geography is a discrete market typically containing two or more
regions that preserves data residency and compliance boundaries

 Geographies allow customers with specific data-residency and
compliance needs to keep their data and applications close

 Geographies are broken up into Americas, Europe, Asia Pacific,
Middle East, and Africa

Geographies - Americas

United States
 Regions: Central US, East US 2, East US, North Central US, South Central US, West US 2, West Central US, West US
 Data residency / Sovereignty²: Data stored at rest in US
 Compliance³: International, regional, and industry-specific
 Available to: All

Azure Government
 Regions: US DoD Central, US DoD East, US Gov Arizona, US Gov Iowa, US Gov Texas, US Gov Virginia, US Sec East¹, US Sec West¹
 Data residency / Sovereignty²: Data stored at rest in US. A sovereign offering - physically isolated instance of Microsoft Azure.
 Compliance³: Continuous commitment to the highest breadth and depth of US government-specific or US DoD-specific compliance standards
 Available to: US government entities and their partners only

Canada
 Regions: Canada Central, Canada East
 Data residency / Sovereignty²: Stored at rest in Canada
 Compliance³: International, regional, and industry-specific
 Available to: All

Brazil
 Regions: Brazil South
 Data residency / Sovereignty²: Data replication to US
 Compliance³: International, regional, and industry-specific
 Available to: All

Geographies - Europe

Europe
 Regions: North Europe, West Europe
 Data residency / Sovereignty²: Stored at rest in Europe
 Compliance³: International, regional, and industry-specific
 Available to: All

France
 Regions: France Central, France South
 Data residency / Sovereignty²: Stored at rest in France
 Compliance³: International, regional, and industry-specific
 Available to: France Central: All. France South: Reserved for France Central customers requiring in-country disaster recovery

United Kingdom
 Regions: UK South, UK West
 Data residency / Sovereignty²: Stored at rest in UK
 Compliance³: International, regional, and industry-specific
 Available to: All

Germany
 Regions: Germany Central, Germany Northeast, Germany North¹, Germany West Central¹
 Data residency / Sovereignty²: A sovereign offering – a physically and logically separate instance of Azure services with dedicated network between Germany datacenters
 Compliance³: Designed to meet the strictest EU data protection, under control of German Data Trustee
 Available to: Customers and partners in EU/European Free Trade Association (EFTA) only

Switzerland
 Regions: Switzerland North¹, Switzerland West¹
 Data residency / Sovereignty²: Stored at rest in Switzerland
 Compliance³: Coming soon
 Available to: All

Norway
 Regions: Norway West¹, Norway East¹
 Data residency / Sovereignty²: Stored at rest in Norway
 Compliance³: Coming soon
 Available to: Coming soon

Geographies- Asia Pacific

Asia Pacific Australia China India Japan Korea

Australia Central, China East, China


East Asia, Southeast Australia Central 2, North, China East 2, Central India, South Japan East, Japan Korea Central, Korea
Regions
Asia Australia East, China North 2 India, West India West South
Australia Southeast

A sovereign offering
Data residency / Stored at rest in Asia Stored at rest in – independent, Stored at rest in Stored at rest in
Stored at rest in India
Sovereignty Pacific region Australia dedicated network Japan Korea
within China

International,
Local and industry- Local and industry- Local and industry-
Compliance regional, and China-specific Coming soon
specific specific specific
industry-specific

All
Australia Central and
Central 2 are
Organizations with a
designed for
Available to All business presence in All All All
Australian and New
China
Zealand government
organizations and
partners

Geographies - Middle East and Africa

Africa
 Regions: South Africa North, South Africa West
 Data residency / Sovereignty: Stored at rest in South Africa
 Compliance: International, regional, and industry-specific
 Available to: South Africa North: All. South Africa West: Reserved for South Africa North customers requiring in-country disaster recovery

United Arab Emirates
 Regions: UAE Central, UAE North
 Data residency / Sovereignty: Stored at rest in UAE
 Compliance: International, regional, and industry-specific
 Available to: UAE North: All. UAE Central: Reserved for UAE North customers requiring in-country disaster recovery

Azure Product Availability

What products are available in my region?

 Not all Azure services are available in all regions

 For the most current availability, go to:
https://azure.microsoft.com/global-infrastructure/services/?products=all

Availability Zones

What are availability zones?


Availability zones are physically separate locations within an
Azure region.

 Each availability zone is made up of one or more datacenters
equipped with independent power, cooling, and networking.

 Availability Zones are set up to be an isolation boundary.

 If one availability zone goes down, the other continues
working.

Availability Sets
What are availability sets?
 Availability sets are a way to help ensure applications remain online if a
high-impact maintenance event is required, or a hardware failure occurs

Availability sets are made up of update domains and fault domains:

Update domains. When a maintenance event occurs (such as a performance
update or critical security patch applied), the update is sequenced through
update domains.
Fault domains. Fault domains provide for the physical separation of a
workload across different hardware in the datacenter.

Resource Groups

What are resource groups?


 A resource group is a unit of management for resources in Azure.

 Think of a resource group as a container that allows you to aggregate and
manage all the resources required for an application in a single manageable unit

 Metering and billing


 Policies
 Monitoring and alerts
 Quotas
 Access control

Azure Resource Manager

What is Azure Resource Manager?

 Azure Resource Manager is a management layer in which resource
groups and all the resources within them are created, configured, managed,
and deleted

 With Azure Resource Manager, you can:

 Deploy application resources

 Organize resources

 Control access and resources

Module 2: Core Azure Services
Lesson 2: Core Azure services and products

Azure Compute Services

Azure compute is an on-demand computing service for running cloud-based
applications. It provides computing resources such as disks,
processors, memory, networking and operating systems.

• Resources are available on-demand and can
typically be made available in minutes or even
seconds. You pay only for the resources you use
and only for as long as you're using them

Azure compute services - virtual machine services

VMs are software emulations of physical computers.
Examples of Azure services for virtual machines include:

Azure VMs. Infrastructure as a service (IaaS) to create and use
VMs in the cloud

VM Scale sets are a group of identically configured VMs

App services. Platform as a service (PaaS) offering to build,
deploy, and scale enterprise-grade web, mobile, and API apps

Functions. Creates infrastructure based on an event

Azure compute services - container services

Containers are a virtualization environment. However, unlike virtual
machines, they do not include an operating system. Containers are meant
to be lightweight, and are designed to be created, scaled out, and stopped
dynamically. Examples of Azure services for containers include:

Azure Container Instances. A PaaS offering that allows you
to upload your containers, which it then will run for you

Azure Kubernetes Service. A container
orchestrator service for managing large numbers
of containers

Azure network services

Networking on Azure allows you to connect cloud
and on-premises infrastructure and services.

Azure Virtual Network. An IaaS service to create and use VMs in
the cloud
Azure Load Balancer. Designed for automatic scaling of identical
VMs
VPN Gateway. A PaaS offering to build, deploy, and scale
enterprise-grade web, mobile, and API apps

Azure Application Gateway. Manage web traffic to applications

Content Delivery Network. Delivers web content to users

Azure Storage Services- Data Categories

Structured data
 Data that adheres to a schema, so all of the data has the same fields
or properties. Structured data can be stored in a database table with
rows and columns. Financial data is an example.

Semi-structured data
 Data is less organized than structured data, and is not stored in a
relational format, meaning the fields do not neatly fit into tables,
rows, and columns. Referred to as non-relational or NoSQL data

Unstructured data
 Data that has no designated structure to it. This also means that
there are no restrictions on the kinds of data it can contain. For
example, a blob can hold a PDF document, a JPG image, a JSON file,
or video content

Azure Storage Services- Azure Services

Azure Storage is a service that you can use to store files,
messages, tables, and other types of information.

Blob storage. No restrictions on the kinds of data
it can hold. Blobs are highly scalable
Disk storage. Provides disks for virtual machines,
applications, and other services
File storage. Azure Files offers fully-managed file
shares in the cloud

Archive storage. Storage facility for data that is rarely accessed

Azure Database Services

Azure database services are fully-managed PaaS database services that
free up valuable time you’d otherwise spend managing your database

Azure Cosmos DB. A globally-distributed database service that
enables you to elastically and independently scale throughput
and storage

Azure SQL Database. A relational database as a service (DaaS)
based on the latest stable version of the Microsoft SQL Server
database engine

Azure Database Migration. A fully-managed service designed
to enable seamless migrations from multiple database sources
to Azure data platforms with minimal downtime

Azure Marketplace

 Azure Marketplace is a service on Azure that helps connect
end users with Microsoft partners, independent software
vendors (ISVs), and start-ups that are offering their solutions
and services, which are optimized to run on Azure

 Azure Marketplace allows customers—mostly IT professionals
and cloud developers—to find, try, purchase, and provision
applications and services from hundreds of leading service
providers, all certified to run on Azure. At the time of writing,
this includes over 8,000 listings

Module 2: Core Azure Services
Lesson 3: Azure solutions

Internet of Things

The internet allows any item that's online-capable to access
valuable information. This ability for devices to garner and
then relay information for data analysis is referred to as the
Internet of Things (IoT)

Microsoft IoT Central. A fully-managed global IoT software
as a service (SaaS) solution that makes it easy to connect,
monitor, and manage your IoT assets at scale

Azure IoT Hub. A managed service hosted in the cloud that
acts as a central message hub for bidirectional
communication between your IoT application and the
devices it manages

Big data and analytics

Big data refers to large volumes of data that become increasingly
hard to make sense of, or consequently make decisions about. Some
big data and analytic services in Azure include:

Azure SQL Data Warehouse: A cloud-based Enterprise Data
Warehouse that leverages massively parallel processing (MPP)
to run complex queries quickly across petabytes of data

Azure HDInsight: A fully-managed, open-source analytics
service for enterprises. It is a cloud service that makes it easier,
faster, and more cost-effective to process massive amounts of
data

Azure Data Lake Analytics: An on-demand analytics job service
that simplifies big data. Instead of deploying, configuring, and
tuning hardware, you write queries to transform your data and
extract valuable insights.

Artificial Intelligence

Artificial Intelligence (AI), in the context of cloud computing, is based
around a broad range of services, the core of which is machine learning.
Machine learning is a data science technique that allows computers to use
existing data to forecast future behaviors, outcomes, and trends. Using
machine learning, computers learn without being explicitly programmed.
Some AI services in Azure include:

Azure Machine Learning service. Provides a cloud-based
environment used to develop, train, test, deploy, manage, and
track machine learning models

Azure Machine Learning Studio. A collaborative, drag-and-drop
visual workspace where you can build, test, and deploy machine
learning solutions without needing to write code

Serverless computing

Serverless computing is a cloud-hosted execution environment that runs
your code but abstracts the underlying hosting environment. Some serverless
services in Azure include:

Azure Functions. Concerned with the code running your service
and not the underlying platform or infrastructure. Creates
infrastructure based on an event.

Azure Logic Apps. A cloud service that helps you automate and
orchestrate tasks, business processes, and workflows when you
need to integrate apps, data, systems, and services across
enterprises or organizations.

Azure Event Grid. A fully-managed, intelligent event routing service
that uses a publish-subscribe model for uniform event
consumption.

DevOps

DevOps allows you to create, build, and release
applications. It brings together people, processes, and
technology

Azure DevOps Services: Provides development collaboration
tools and cloud-based load testing

Azure DevTest Labs: Allows you to quickly create environments
in Azure while minimizing waste and controlling cost

Module 2: Core Azure Services
Lesson 4: Azure Management solutions

Azure management tools

You can configure and manage Azure using a broad range of tools and
platforms. Some of these tools are:
 Azure Portal. A website accessed via a web browser at:
https://portal.azure.com or https://portal.azure.com/app/download

 Azure PowerShell. A command shell scripting language

 Azure Command-Line Interface (Azure CLI). A cross-platform
command-line scripting program for Windows, Linux, or macOS
operating systems: https://aka.ms/InstallAzureCLIwindows

 Azure Cloud Shell. A browser-based scripting environment in your
portal.

Azure Advisor

Azure Advisor is a free service built into Azure that provides
recommendations on high availability, security, performance, and cost.
Advisor analyzes your deployed services and looks for ways to improve
your environment across those four areas

 With Azure Advisor, you can:
 Get proactive, actionable, and personalized best practices
recommendations
 Improve the performance, security, and high availability of
your resources as you identify opportunities to reduce
your overall Azure costs
 Get recommendations with proposed actions

Module 3: Security, Privacy, Compliance and Trust

Security, Privacy, Compliance and Trust: Learning Objectives
After completing these topics, you will be able to:

 Understand how to secure network connectivity in Microsoft Azure

 Understand core Azure identity services

 Understand security tools and features

 Understand Azure governance methodologies

 Understand and describe monitoring and reporting in Azure

 Understand privacy, compliance, and data protection standards in Azure

Module 3: Security, Privacy, Compliance and Trust
Lesson 1: Securing network connectivity in Azure

Azure Firewall

 A firewall is a service that grants server access based on the
originating IP address of each request

 Azure Firewall is a managed, cloud-based network security service
that protects your Azure Virtual Network resources. It is a fully stateful
firewall as a service with built-in high availability and unrestricted
cloud scalability

 Azure Firewall includes many features, including:
 Built-in high availability
 Unrestricted cloud scalability
 Inbound and outbound filtering rules
 Azure Monitor logging

Azure DDoS Protection

 Distributed denial of service (DDoS) attacks attempt to
overwhelm and exhaust an application’s resources, making the
application slow or unresponsive to legitimate users

 Azure DDoS Protection service protects your Azure applications
by scrubbing traffic at the Azure network edge before it can
impact your service's availability

 Azure DDoS Protection provides the following service tiers:
 Basic. The Basic service tier is automatically enabled as part of
the Azure platform.
 Standard. The Standard service tier provides additional
mitigation capabilities that are tuned specifically to Microsoft
Azure Virtual Network resources.

Network Security Groups

 Network Security Groups (NSGs) allow you to filter network
traffic to and from Azure resources in an Azure virtual
network. An NSG can contain multiple inbound and outbound
security rules that enable you to filter traffic to and from
resources by source and destination IP address, port, and
protocol

 Network security rule properties:
 A network security group can contain as many rules as
you want within Azure subscription limits.

 When you create a network security group, Azure creates
a series of default rules to provide a baseline level of
security. You cannot remove the default rules, but you can
override them by creating new rules with higher
priorities.
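
The override behaviour described above, as an added example that is not part of the original course material: a small Python model of inbound NSG evaluation plus a check for rules that expose management ports. It assumes Azure's convention that a lower priority number means a higher priority (custom rules use 100 to 4096, the default rules sit at 65000 and above); the service-tag address ranges and the sample rules are constructed, and destination address matching is left out.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed address ranges standing in for Azure service tags (assumption).
TAGS = {
    "VirtualNetwork": ["10.0.0.0/16"],
    "AzureLoadBalancer": ["168.63.129.16/32"],
}


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int    # lower number = higher priority, evaluated first
    access: str      # "Allow" or "Deny"
    protocol: str    # "Tcp", "Udp" or "*"
    source: str      # CIDR prefix, service tag, or "*"
    dest_ports: str  # "443", "8000-8080" or "*"


# The default inbound rules Azure adds to every NSG; they cannot be removed.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "AzureLoadBalancer", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*"),
]

# Constructed custom rules for the demonstration.
SAMPLE_RULES = [
    Rule("Allow-HTTPS-Any", 200, "Allow", "Tcp", "*", "443"),
    Rule("Deny-Blocked-Range", 100, "Deny", "*", "203.0.113.0/24", "*"),
    Rule("Allow-RDP-Any", 300, "Allow", "Tcp", "*", "3389"),
]

MGMT_PORTS = (22, 3389)  # SSH and RDP


def _source_matches(rule_source, src_ip):
    if rule_source == "*":
        return True
    prefixes = TAGS.get(rule_source, [rule_source])
    return any(ip_address(src_ip) in ip_network(p) for p in prefixes)


def _port_matches(spec, port):
    if spec == "*":
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)


def evaluate_inbound(custom_rules, src_ip, protocol, port):
    """Return (access, rule_name) of the first rule that matches, in priority order."""
    ordered = sorted(list(custom_rules) + DEFAULT_INBOUND, key=lambda r: r.priority)
    for rule in ordered:
        if (rule.protocol in ("*", protocol)
                and _source_matches(rule.source, src_ip)
                and _port_matches(rule.dest_ports, port)):
            return rule.access, rule.name
    raise RuntimeError("unreachable: DenyAllInBound matches every packet")


def audit_open_management(custom_rules):
    """Names of Allow rules that open SSH or RDP to any source address."""
    return [
        r.name for r in custom_rules
        if r.access == "Allow"
        and r.source in ("*", "0.0.0.0/0")
        and any(_port_matches(r.dest_ports, p) for p in MGMT_PORTS)
    ]


if __name__ == "__main__":
    print(evaluate_inbound([], "198.51.100.7", "Tcp", 443))
    print(evaluate_inbound(SAMPLE_RULES, "198.51.100.7", "Tcp", 443))
    print(evaluate_inbound(SAMPLE_RULES, "203.0.113.9", "Tcp", 443))
    print(audit_open_management(SAMPLE_RULES))
```

With no custom rules, internet traffic falls through to DenyAllInBound; the priority-200 allow overrides that default, and the priority-100 deny in turn wins over the allow for its address range.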

Azure Network Security Solutions

Choosing Azure network security solutions

Defense in Depth
A layered approach that provides multiple levels of protection so that if an
attacker gets through one layer there are further protections in place. A
common security concept that is applied to computing systems is defense in
depth, which is essentially a layered approach to providing security.

Azure Network Security Layers

Choosing Azure network security solutions - layers
 Perimeter layer. The network perimeter layer is about protecting
organizations from network-based attacks against your resources.
Some options are to use Azure DDoS Protection and Azure Firewall

 Networking layer. At this layer, the focus is on limiting network
connectivity across all your resources and only allowing what is
required. Some options are to deny by default, restrict inbound
internet access, and limit outbound

Module 3: Security,
Privacy, Compliance
and Trust
Lesson 2: Core Azure
identity services

Authentication and authorization

Two fundamental concepts that should be understood when
talking about identity and access are authentication and
authorization:

• Authentication is the process of establishing the identity of a
person or service looking to access a resource. Requires
credentials. It establishes if they are who they say they are

• Authorization is the process of establishing what level of
access an authenticated person has. It specifies what data
they're allowed to access and what they can do with it.

Azure Active Directory

 Azure Active Directory (Azure AD) is a Microsoft cloud-based
identity and access management service. Azure AD helps
employees of an organization sign in and access resources

 Azure AD provides services such as:
 Authentication
 Single sign-on (SSO)
 Application management

Azure Multi-Factor Authentication

 Azure Multi-Factor Authentication (MFA) provides additional
security for your identities by requiring two or more elements for
full authentication. These elements fall into three categories:

 Something you know: This could be a password or the answer to
a security question
 Something you possess: This might be a mobile app that receives
a notification, or a token-generating device
 Something you are: This is typically some sort of biometric
property, such as a fingerprint or face scan used on many mobile
devices.

Module 3:
Security, Privacy,
Compliance and Trust
Lesson 3: Security tools
and features

Azure Security Center

 Azure Security Center is a monitoring service that provides threat
protection across all of your services both in Azure, and on-premises.
 Azure Security Center can:
 Provide security recommendations based on your
configurations, resources, and networks.
 Monitor security settings across on-premises and cloud
workloads, and automatically apply required security to new
services as they come online.

Azure Key Vault

 Azure Key Vault is a centralized cloud service that you use for
storing application secrets. Key Vault helps you control your
applications' secrets by keeping them in a single, central location
and providing secure access, permissions control, and access
logging.

 Key Vault usage scenarios:


 Secrets management
 Key management
 Certificate management
 Store secrets backed by hardware security modules (HSMs)

Azure Information Protection

 Microsoft Azure Information Protection is a cloud-based
solution that helps organizations classify and protect their
documents and emails by applying labels. Labels can be
applied:
 Automatically by administrators who define rules and
conditions
 Manually by users
 A combination of the two, where users are given
recommendations
 Usage scenario:
 A user saves a Microsoft Word document containing a
Social Security Number.
 A custom tooltip displays recommending that the file be
labelled Confidential\All Employees, which is the label that
the administrator has configured.
 This label classifies the document and protects it.

Azure Advanced Threat Protection

 Azure Advanced Threat Protection (Azure ATP) is a cloud-based security
solution that identifies, detects, and helps you investigate advanced
threats, compromised identities, and malicious insider actions directed at
your organization

 Azure ATP consists of the following components:
 Azure ATP portal. Azure ATP has its own portal through which you
monitor and respond to suspicious activity
 Azure ATP sensor. Azure ATP sensors are installed directly on your
domain controllers.
 Azure ATP cloud service. Azure ATP cloud service runs on Azure
infrastructure.

Module 3:
Security, Privacy,
Compliance and Trust
Lesson 4: Azure
governance methodologies

Azure Policy

 Azure Policy is a service in Azure that you use to create, assign,
and manage policies that enforce different rules and effects
over your resources, so those resources stay compliant with
your corporate standards and service-level agreements (SLAs).

 Azure Policy provides the following:

 Azure Policy uses policies and initiatives to run evaluations of
your resources and scans for those not compliant with the
policies you have created.

 Azure Policy comes with a number of built-in policy and
initiative definitions that you can use, under categories such
as Storage, Networking, Compute, Security Center, and
Monitoring.

Role-based access control

 Role-based access control (RBAC) provides fine-grained access
management for Azure resources:
 Grant users only the rights they need to perform their jobs
 Provided at no additional cost to all Azure subscribers

Examples of when you might use RBAC include when you want to:
 Allow one user to manage VMs in a subscription, another user
to manage virtual networks, and another user to manage storage.
 Allow a database administrator group to manage Microsoft SQL
Server databases in a subscription.
 Allow a user to manage all resources in a resource group, such as
VMs, websites, and subnets.

Locks

Locks help you prevent accidental deletion or modification of your
Azure resources. You manage these locks from within the Azure
portal.

You may need to lock a subscription, resource group, or resource to
prevent other users in your organization from accidentally deleting
or modifying critical resources. You can set the lock level to:

 CanNotDelete. Authorized users can still read and modify a resource,
but they can't delete the resource.

 ReadOnly. Authorized users can read a resource, but they can't
delete or update the resource. Applying this lock is similar to
restricting all authorized users to the permissions granted by the
Reader role.

Azure Advisor security assistance

 Azure Advisor provides security recommendations by integrating with Azure
Security Center
 View the security recommendations on the Security tab of the Advisor
dashboard
 Click deeper into the Security Center recommendations to improve and
enhance your security governance

Azure Blueprints

Azure Blueprints enable cloud architects to define a repeatable
set of Azure resources that implement and adhere to an
organization's standards, patterns, and requirements.

 Usage Scenarios:
 Use Azure Blueprints’ artifacts and tools to help with auditing,
traceability, and compliance with your deployments
 Use with Azure DevOps scenarios, where blueprints are
associated with specific build artifacts and release pipelines,
and require more rigorous tracking.

Module 3:
Security, Privacy,
Compliance and Trust
Lesson 5: Monitoring and
reporting in Azure

Azure Monitor

Azure Monitor increases availability and performance of
applications by collecting information from cloud and
on-premises environments

As soon as you create an Azure subscription and start adding
resources, Azure Monitor starts collecting data:
 Activity Logs. Record when resources are created or modified.
 Metrics. Show how the resource is performing and the
resources that it's consuming

Azure Service health

Azure Service Health is a suite of experiences that provide
guidance and support when issues with Azure services
occur, providing notifications to help you understand the
impact of issues, and updates as the issue is being
resolved.

 Azure Service Health is composed of:
 Azure Status. Provides a global view of the health state of
Azure services
 Service Health. A dashboard that tracks the state of Azure
services in the regions where you use them
 Azure Resource Health. Diagnose and obtain support when an
Azure service issue affects your resources.

Module 3:
Security, Privacy,
Compliance and Trust
Lesson 6: Privacy, compliance
and data protection
standards in Azure

Compliance Terms and Requirements

Microsoft provides the most comprehensive set of compliance offerings
(including certifications and attestations) of any cloud service provider.
Some compliance offerings include:

 CJIS (Criminal Justice Information Services)
 HIPAA (Health Insurance Portability and Accountability Act)
 CSA STAR Certification
 ISO/IEC 27018
 General Data Protection Regulation (GDPR)
 National Institute of Standards and Technology (NIST)

You can view all the Microsoft compliance offerings at
https://www.microsoft.com/trustcenter/compliance/complianceofferings

Microsoft privacy statement

 Explains what personal data Microsoft processes, how Microsoft
processes it, and for what purposes.
 Applies to the interactions Microsoft has with users and Microsoft
products such as Microsoft services, websites, apps, software, servers,
and devices.
 Is intended to provide openness and honesty about how Microsoft deals
with personal data in its products and services.

For more information, review the privacy statement at:
https://privacy.microsoft.com/privacystatement

Trust Center

 Trust Center is a website resource containing information and details
about how Microsoft implements and supports security, privacy,
compliance, and transparency in all our cloud products and services

 The Trust Center site provides:


 In-depth information about security, privacy, compliance offerings,
policies, features, and practices across Microsoft cloud products.
 Recommended resources in the form of a curated list of the most
applicable and widely-used resources for each topic.
 Information specific to key organizational roles, including business
managers, tenant admins or data security teams, risk assessment
and privacy officers, and legal compliance teams.

https://www.microsoft.com/trust-center/product-overview

Service Trust Portal

The Service Trust Portal (STP) is the Microsoft public site for publishing
audit reports and other compliance-related information related to
Microsoft’s cloud services.
It also hosts the Compliance Manager service.
 STP is a companion feature to the Trust Center, and allows you to:
 Access audit reports across Microsoft cloud services on a single
page.
 Access compliance guides to help you understand how you can
use Microsoft cloud service features to manage compliance with
various regulations.
 Access trust documents to help you understand how Microsoft
cloud services help protect your data.

https://servicetrust.microsoft.com/

Compliance Manager

 Compliance Manager is a workflow-based risk assessment in
the Trust Portal that enables you to track, assign, and verify
your organization's regulatory compliance activities

 It provides details related to Microsoft professional services and
Microsoft cloud services such as Microsoft Office 365,
Microsoft Dynamics 365, and Azure.

Azure

 Azure Government services


 Azure Germany services
 Azure China 21Vianet

Module 4:
Azure Pricing and Support

Azure Pricing and Support: Learning Objectives

After completing these topics, you will be able to:

 Understand and describe Microsoft Azure subscriptions and management
groups

 Recognize ways to plan and manage Azure costs

 Identify Azure support options

 Understand and describe features of Azure service-level agreements (SLAs)

 Understand and describe the service lifecycle in Azure

Module 4:
Azure Pricing and Support
Lesson 1: Azure
Subscriptions

Azure subscriptions

 An Azure subscription provides you with authenticated and authorized
access to Azure products and services, and allows you to provision
resources on Azure. It is a logical unit of Azure services that links to an
Azure account.

 Azure offers free and paid subscription options to suit different needs
and requirements. An account can have one subscription or multiple
subscriptions that have different billing models, and to which you
apply different access-management policies.

Subscription uses and options

You can use Azure subscriptions to define boundaries around Azure
products, services, and resources

 Two types of subscription boundaries that you can use:
 Billing boundary. This subscription type determines how an Azure
account is billed for using Azure. You can create multiple
subscriptions for different types of billing requirements
 Access control boundary. Azure will apply access management
policies at the subscription level, and you can create separate
subscriptions to reflect different organizational structures

Several other subscription types to choose from include the Free
account and Pay-As-You-Go

Management groups

 Azure Management groups are containers for managing access, policies,
and compliance across multiple Azure subscriptions

 Management groups allow you to order your Azure resources
hierarchically into collections, which provide a further level of
classification beyond subscriptions.

Module 4:
Azure Pricing and Support
Lesson 2: Planning and
managing costs

Purchasing Azure products and services

The purchasing options available for Azure products and services
depend on three main customer types:
 Enterprise. Enterprise customers sign an Enterprise Agreement with
Azure that commits them to spending a negotiated amount on
Azure services, which they typically pay annually.
 Web direct. Web direct customers sign up for Azure through the
Azure website: https://azure.microsoft.com
 Cloud solution providers (CSPs) typically are Microsoft partner
companies that a customer hires to build solutions on top of Azure.
Payment and billing for Azure usage occurs through the customer's
CSP.

Azure free account

 An Azure free account provides subscribers with a $200 Azure credit
that they can use for paid Azure products during a 30-day trial period.

 Once you use that $200 credit or reach your trial's end, Azure suspends
your account unless you sign up for a paid account.

Factors affecting costs

Three factors affect costs:

 Resource Type: Costs are resource-specific, so the usage that a
meter tracks and the number of meters associated with a
resource depend on the resource type

 Services: Azure usage rates and billing periods can differ
between Enterprise, Web Direct, and CSP customers

 Location: The Azure infrastructure is globally distributed, and
usage costs might vary between locations that offer particular
Azure products, services, and resources.

Zones for Billing Purposes

Bandwidth refers to data moving in and out of Azure datacenters.
Some inbound data transfers are free, such as data going into Azure
datacenters. For outbound data transfers, such as data going out of
Azure datacenters, pricing is based on Zones.

 A zone is a geographical grouping of Azure Regions for billing
purposes. Zones are:
 Zone 1. Includes West US, East US, West Europe, and others.
 Zone 2. Includes Australia Central, Japan West, Central India, and others.
 Zone 3. Includes Brazil South only.
 DE Zone 1. Includes Germany Central and Germany Northeast.

Pricing calculator

 Azure provides a detailed estimate of the costs associated with your
selections and configurations

Total cost of ownership (TCO) calculator

 A tool that you use to estimate cost savings you can realize by
migrating to Azure
 A report compares the costs of on-premises infrastructures with the
costs of using Azure products and services to host infrastructure in the
cloud

Azure Cost Management

Azure Cost Management is an Azure product that provides a set
of tools for monitoring, allocating, and optimizing Azure costs

 Reporting. Generate reports
 Budgets. Monitor resource demand trends, consumption
rates, and cost patterns
 Alerting. Get alerts based on your cost and usage budgets
 Recommendations. Receive recommendations to eliminate
idle resources and to optimize provisioned Azure resources

Module 4:
Azure Pricing and Support
Lesson 3: Support options
available with Azure

Support plan options

Every Azure subscription includes:


 Free access to billing and subscription support
 Azure products and services documentation
 Online self-help documentation
 Community support forums

 Paid Azure support plans:


 Developer. For Azure use in trial and nonproduction
environments
 Standard. Appropriate for Azure use in production environments
 Professional Direct. Appropriate for organizations with business-
critical dependence on Azure
 Premier. Ideal for organizations with substantial dependence on
Microsoft products, including Azure.

Opening a support ticket

 Request assistance for an Azure issue from the Azure support
team
 To open a support ticket:
 Sign in to the Azure portal.
 Choose Help + support from the left navigation menu.
 From the Help + Support blade, select New support
request, fill in the required details, and then click Create to
submit the support request.
 You can also monitor a support request in the Help + support
blade

Alternative support channels

Other support channels available outside of the Azure official support
plans:
 Azure community support:
https://azure.microsoft.com/support/community/

 Stack Overflow:
https://stackoverflow.com/questions/tagged/azure/

 Azure Feedback Forums at Microsoft Azure general feedback:
https://feedback.azure.com/forums/34192--general-feedback

 Twitter. Tweet @AzureSupport to get answers and support

Knowledge Center

 Azure Knowledge Center is a searchable database that contains
support questions and answers from a community of Azure experts,
developers, customers, and users

 Browse through all answers within the Azure Knowledge Center by
entering keyword search terms into the text-entry field and further
refine your search results by selecting products or tags from the
dropdown lists

 See Azure Knowledge Center for more information:
https://azure.microsoft.com/resources/knowledge-center/

Module 4:
Azure Pricing and Support
Lesson 4: Azure SLAs

Service Level Agreements (SLAs)

SLAs document the specific terms that define Azure
performance standards
 SLAs define Microsoft’s commitment
to an Azure service or product
 Individual SLAs are available for each
Azure product and service
 SLAs also define what happens if a
service or product fails to meet the
designated availability commitments
 For more information about specific Azure SLAs for individual products
and services, see Service Level Agreements:
https://azure.microsoft.com/support/legal/sla/summary/

Composite SLAs

At the time of this writing, an App Service web app that writes to
Azure SQL Database has the following SLAs:
 App Service Web Apps is 99.95 percent
 SQL Database is 99.99 percent

 Question: What is the maximum downtime you would expect for
this application?
 Answer: The composite SLA for this application is
99.95% × 99.99% = 99.94%.
 This is lower than the individual SLAs. However, you can construct SLAs
to improve overall application SLA.

SLA Downtime

Improving application SLAs - continued

The following table lists the potential cumulative downtime for various
SLA levels over different durations

SLA        Downtime per week   Downtime per month   Downtime per year
99%        1.68 hours          7.2 hours            3.65 days
99.9%      10.1 minutes        43.2 minutes         8.76 hours
99.95%     5 minutes           21.6 minutes         4.38 hours
99.99%     1.01 minutes        4.32 minutes         52.56 minutes
99.999%    6 seconds           25.9 seconds         5.26 minutes
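
The composite SLA calculation and the downtime table above, carried through in code as an added example that is not part of the original slides. It goes one step beyond the slide by modelling a redundant fallback path; the fallback store and its 99.9% SLA are constructed assumptions, and all components are assumed to fail independently.

```python
# Period lengths match the slide's table: 7-day week, 30-day month, 365-day year.
MINUTES_PER = {"week": 7 * 24 * 60, "month": 30 * 24 * 60, "year": 365 * 24 * 60}


def _check(sla):
    if not 0.0 <= sla <= 1.0:
        raise ValueError(f"SLA must be a fraction between 0 and 1, got {sla!r}")
    return sla


def serial(*slas):
    """Availability when every component must be up at the same time."""
    result = 1.0
    for sla in slas:
        result *= _check(sla)
    return result


def redundant(*slas):
    """Availability when any one of the components is enough to serve a request."""
    all_down = 1.0
    for sla in slas:
        all_down *= 1.0 - _check(sla)
    return 1.0 - all_down


def downtime_minutes(sla, period):
    """Maximum downtime, in minutes, that still meets `sla` over one period."""
    return (1.0 - _check(sla)) * MINUTES_PER[period]


def describe(minutes):
    """Render a duration in the largest unit that keeps the value at or above 1."""
    if minutes >= 24 * 60:
        return f"{minutes / (24 * 60):.2f} days"
    if minutes >= 60:
        return f"{minutes / 60:.2f} hours"
    if minutes >= 1:
        return f"{minutes:.2f} minutes"
    return f"{minutes * 60:.1f} seconds"


# The slide's application: App Service (99.95%) writing to SQL Database (99.99%).
WEB_APP, SQL_DB = 0.9995, 0.9999
BASELINE = serial(WEB_APP, SQL_DB)

# Constructed variation: a fallback store with an assumed 99.9% SLA that the app
# writes to when the database is unavailable. The figure is hypothetical.
FALLBACK = 0.999
WITH_FALLBACK = serial(WEB_APP, redundant(SQL_DB, FALLBACK))

if __name__ == "__main__":
    for label, sla in (("baseline", BASELINE), ("with fallback", WITH_FALLBACK)):
        per = ", ".join(f"{describe(downtime_minutes(sla, p))} per {p}"
                        for p in MINUTES_PER)
        print(f"{label}: {sla:.5%} -> {per}")
```

The web app remains the limiting component: redundancy behind it raises the composite from about 99.94% to just under 99.95%, but never above the SLA of the single component every request must pass through.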

Module 4:
Azure Pricing and Support
Lesson 5: Service lifecycle in
Azure

Public and private preview features

 Microsoft offers previews of Azure features for evaluation purposes

 With Azure previews, you can test beta and other pre-release features,
products, services, software, and regions

 Two types of Azure preview modes:


 Private Preview. An Azure feature is available to certain Azure
customers for evaluation purposes
 Public Preview. An Azure feature is available to all Azure customers
for evaluation purposes

How to access preview features

Review a list of preview features that are available for evaluation at Azure
Preview Features:
https://azure.microsoft.com/updates/?status=inpreview

Portal Preview features:
Typical portal preview features provide performance, navigation, and
accessibility improvements to the Azure portal interface

Monitoring feature updates

 Information about the latest updates to Azure products, services,
and features, and product roadmaps, and announcements are
available at Azure updates: https://azure.microsoft.com/updates/

 Azure updates page:


 View details about all Azure updates
 See which updates are in general availability, preview, or
development
 Subscribe to Azure update notifications
