AZ-900: Microsoft Azure Fundamentals
Exam Syllabus

Describe Cloud Concepts (25-30%)
Describe Azure Architecture and Services (35-40%)
Describe Azure Management and Governance (30-35%)
What is Cloud Computing?

• Cloud computing is the on-demand delivery of IT resources over the internet.
• In essence, instead of buying physical infrastructure (servers, computers, and a physical space to protect and manage that infrastructure), we simply rent and access it.
• Examples of IT resources are virtual machines, databases and networking. Cloud services go one step beyond and include Internet of Things (IoT), Machine Learning (ML) and Artificial Intelligence (AI).
• You use someone else's infrastructure; they carry the burden of managing and maintaining it.
• The power to deploy databases, virtual machines, networks etc. at the click of a button!
• You lower your upfront costs, the infrastructure runs more efficiently, and it can scale as per your need!
Shared Responsibility Model

The Shared Responsibility Model outlines the division of security tasks and obligations between cloud service providers (CSPs) and cloud users.

As more organizations move their operations to the cloud, this model clarifies who is responsible for securing each layer of the infrastructure, so that data and applications end up in a secure environment.
Cloud Service Provider (CSP)

• Physical Security: Cloud providers are responsible for securing their data centers, including physical access controls, surveillance, and environmental protections.
• Network Infrastructure: The underlying network infrastructure, such as routers and switches, is managed and secured by the CSP.
• Host Infrastructure: The security of the physical servers and the virtualization layer is maintained by the provider.
• Foundational Services: Core services like compute, storage, and database management systems are managed and secured by the CSP.
Consumer

• Data Security: Users are responsible for securing their own data, including encryption, access controls, and data classification.
• Application Security: Security measures for applications, including vulnerability management and secure coding practices, are the user's responsibility.
• Identity and Access Management (IAM): Users must manage user access, permissions, and authentication to their applications and services.
• Configuration Management: Users are responsible for configuring their applications and services securely to prevent misconfigurations.
Importance of the Model:

• Clarity: It eliminates confusion by clearly defining the security responsibilities of both the CSP and the user.
• Security: It ensures a holistic security approach, with both parties contributing to overall security.
• Collaboration: Collaboration between the CSP and users is essential to create a secure environment.
• Customization: Users can implement security measures tailored to their specific needs and applications.
Cloud Service Types

3 Types: Infrastructure as a Service (IaaS), Platform as a Service (PaaS), Software as a Service (SaaS)

Responsibility by service type (Customer = you, Shared = split between you and the CSP, CSP = the provider):

Layer                                  | On-Prem  | IaaS     | PaaS     | SaaS     | Responsibility
---------------------------------------+----------+----------+----------+----------+-------------------------
Information and Data                   | Customer | Customer | Customer | Customer | Always with the customer
Devices (Mobile & PC)                  | Customer | Customer | Customer | Customer | Always with the customer
Accounts & Identities                  | Customer | Customer | Customer | Customer | Always with the customer
Identity and Directory Infrastructure  | Customer | Customer | Shared   | Shared   | Varies with type
Applications                           | Customer | Customer | Shared   | CSP      | Varies with type
Network Controls                       | Customer | Customer | Shared   | CSP      | Varies with type
Operating System                       | Customer | Customer | CSP      | CSP      | Varies with type
Physical Hosts                         | Customer | CSP      | CSP      | CSP      | Transfers to the CSP
Physical Network                       | Customer | CSP      | CSP      | CSP      | Transfers to the CSP
Physical Datacenter                    | Customer | CSP      | CSP      | CSP      | Transfers to the CSP
Infrastructure as a Service (IaaS)

• The most flexible category; it gives you maximum control over your cloud resources.
• The CSP is responsible for physical security, connectivity to the internet, and the hardware only; you control everything else (OS, patching, middleware, runtime, applications, data).
• Use cases: development and testing environments, hosting web applications, lift & shift migrations.

Platform as a Service (PaaS)

• A middle ground between IaaS and SaaS.
• The responsibility is split between you and the cloud provider.
• Allows you to focus more on development and go-live than on patching and maintaining infrastructure.
• Think of it like a company PC: hardware, OS, patches and databases are maintained by IT support.
• Excellent for development frameworks and analytics!

Software as a Service (SaaS)

• The most complete cloud service model, but the least flexibility.
• However, it is the easiest to deploy, use and go live with: almost like a ready-made app.
• Most of the responsibility is placed on the CSP; you remain responsible for your data, your accounts and identities, and who has access.
• Examples: email, Microsoft 365, iCloud.
Define Cloud Models

Private Cloud

• A private cloud is a cloud infrastructure operated solely for a single organization. It can be hosted internally or by a third-party provider. This model provides enhanced control and security for organizations that require a dedicated environment.
• However, it has fewer of the benefits of a public cloud deployment and higher costs associated with it as well.

Key Characteristics of Private Cloud:
1. Isolation: Resources are dedicated to a single organization, ensuring better control over security and compliance.
2. Customization: Organizations can tailor the environment to meet specific needs and requirements.
3. Data Security: Private clouds are ideal for sensitive data and industries with strict compliance regulations.
4. Examples: Organizations like financial institutions or government agencies that require stringent control over their data might opt for a private cloud.
Define Cloud Models

Public Cloud

• The public cloud is a cloud computing model where cloud services are owned and provided by third-party vendors over the internet. These services are available to anyone who wants to use them, making it a versatile and cost-effective option for various purposes. With a public cloud, all hardware, software, and other supporting infrastructure are owned and managed by the cloud provider.
• In a public cloud, you share the same hardware, storage, and network devices with other organizations or cloud "tenants", and you access services and manage your account using a web browser.
• General public availability is a key difference between public and private clouds.

Key Characteristics of Public Cloud:
1. Shared Infrastructure: Resources are shared among multiple users and organizations, optimizing utilization and cost.
2. Cost Efficiency: Users only pay for the resources they consume, eliminating the need for upfront investments.
3. Scalability: Public cloud services can easily scale up or down to accommodate changing demands.
4. Examples: Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP) etc.
Define Cloud Models

Hybrid Cloud

• A hybrid cloud is a combination of public and private clouds, designed to allow data and applications to be shared between them. This model offers flexibility and allows organizations to balance the benefits of both public and private environments.
• For many organizations, a hybrid cloud approach is a MUST due to regulatory and data sovereignty requirements, tackling low-latency needs, etc.
• Simply put: a private deployment can be used for the extra layer of security, and it can be coupled with a public deployment to handle surges in traffic / computing needs!

Key Characteristics of Hybrid Cloud:
1. Flexibility: Organizations can choose where to host different workloads based on factors like security, performance, and cost.
2. Scalability: Hybrid clouds can handle spikes in demand by utilizing resources from both environments.
3. Data Mobility: Data can be moved between private and public clouds as needed.
4. Examples: Healthcare organizations might use a private cloud for patient data storage while using a public cloud for non-sensitive applications.
Define Cloud Models

Multi Cloud

• Slowly becoming more and more popular!
• In this kind of deployment, you utilize multiple public cloud providers.
• Possible reasons: your organization doesn't want to rely on one CSP only.
• Your organization started with one CSP but now wants to fully migrate to another CSP.
• Your organization wants to utilize services / tools from different CSPs.
Azure Arc

• Organizations are expanding their digital footprint across on-premises, multi-cloud, and edge environments; managing and securing resources can become complex.
• Azure Arc is a solution that lets organizations streamline operations and governance across a variety of environments.
• Azure Arc allows us to extend Azure's management and governance features to resources beyond Azure's boundaries.
• It enables organizations to manage, secure, and monitor resources spread across on-premises, multi-cloud, and edge environments, all through the familiar Azure interface.

Azure Arc: Benefits

1. Resource Management: Azure Arc allows you to connect and manage resources, including virtual machines, Kubernetes clusters, and databases, as if they were native Azure resources (they are projected into Azure Resource Manager).
2. Unified Management: With a consistent Azure interface, you can apply policies, configure settings, and monitor the health of resources across various environments.
3. Governance and Compliance: Azure Policy and Microsoft Defender for Cloud (formerly Azure Security Center) can be used to enforce consistent governance and compliance policies across hybrid environments.
4. Automation and DevOps: Azure Arc integrates with Azure Resource Manager templates, enabling consistent resource provisioning and management using infrastructure as code.
5. Data Services: You can deploy Azure Arc-enabled data services (SQL Managed Instance and PostgreSQL) to your preferred environment.
Consumption Based Model

CapEx (Capital Expenditure)

• Usually a one-time, up-front expense to purchase assets, e.g. physical hardware, software licenses, and the infrastructure to establish an on-premises data center.
• These expenditures are characterized by their long-term nature and are considered traditional IT investments.

CapEx (Capital Expenditure): Problem

[Chart: traffic over periods H1 to H7 against a fixed amount of purchased hardware]

• How much hardware should we buy? (We cannot predict the future.)
• If less hardware -> the application fails.
• If more hardware -> unnecessary spending.
• You may not have enough capital available upfront!

OpEx (Operational Expenditure)

• Operating Expenditures (OpEx) in cloud computing refer to the ongoing operational expenses incurred while using cloud services.
• Expenses are more flexible and aligned with the pay-as-you-go model of the cloud.
• Cloud computing falls under OpEx: you don't pay for any physical hardware or rent, only for consumption!

OpEx (Operational Expenditure): Benefits

• 0 upfront costs!
• No need to manage costly and complex hardware.
• Pay more when you need more resources.
• Pay less when you need less resources.
• No need to estimate your future needs: scale as per demand and pay accordingly.

OpEx

[Chart: traffic over periods H1 to H7 with resources that track demand]

• How much hardware should we buy? (We cannot predict the future.) Now we don't need to worry.
• If less hardware is needed -> we use less resources & pay less.
• If more hardware is needed -> we use more resources & pay more.
• Evens out / averages over the long term & is way more cost effective!
Advantages of Cloud Computing

Scalability

• The ability to adjust resources to meet demand.
• Peak traffic? Add more resources.
• Less traffic? Shut down resources.
• You ONLY pay for what you use.

Vertical Scaling / Scaling Up
• Vertical scaling involves increasing the capacity of existing nodes/machines.
• For example, if a server requires more processing power, vertical scaling involves upgrading the CPUs. Similarly, storage space can be upgraded (or reduced) on demand.

Horizontal Scaling / Scaling Out
• When you need to handle new demands, horizontal scaling (also known as scaling out) involves adding more nodes or machines to your infrastructure.
• For instance, if an application hosted on a server is struggling to manage traffic due to a lack of capacity or capability, the solution may be to add another server.
Reliability

• The ability of a system/service to recover from failure & continue its operation.
• Azure has a decentralized design: no single point of failure + data centers worldwide!
• Ability to quickly switch to a different data center or region.

Predictability

• Focused on performance or cost.
• A well-architected solution helps us move forward with confidence and avoid surprises.
• SLAs and cost management play a big role.

Predictability: Performance

• Focuses on the resources needed to deliver a seamless experience.
• Important concepts: auto-scaling, load balancing, high availability.
• Auto-scaling helps add / remove resources based on demand.
• Load balancing allows you to distribute load evenly rather than on just a few resources.

Predictability: Cost

• We want visibility on our spend & not a huge bill out of the blue.
• Track and control spend, apply tight budgets.
• Analyze the data to optimize spending.
• Tools like the pricing calculator to estimate cloud spend.
Security in the Cloud

• Data Protection: Encryption and access controls safeguard sensitive data. Prevent unauthorized access and data breaches.
• Threat Detection: Advanced security tools monitor for unusual activities. Prompt detection and mitigation of potential threats.
• Regulatory Compliance: Meeting industry regulations and compliance standards. Auditable security practices ensure adherence.
• Enhanced Data Privacy: Builds customer trust through responsible data handling. Adheres to legal and regulatory data protection requirements.

Security in the Cloud

• Cost Control: Optimizes resource utilization to prevent overprovisioning. Reduces unnecessary expenses through efficient management.
• Resource Management: Allocates resources based on business priorities. Ensures efficient resource utilization across the cloud environment.
• Risk Mitigation: Consistent policies reduce operational risks and vulnerabilities. Establishes controls to prevent potential security breaches.
• Agility and Innovation: Streamlines deployment processes through governance frameworks. Encourages innovation with the confidence of established security and governance.
Manageability

Manageability of the cloud

• It's all about managing your cloud resources.
• Manually deploy resources, or automatically through pre-set templates.
• Get alerts around your cloud spend.
• Monitor the health of resources.

Manageability in the cloud

• It's all about how you're able to deploy and manage cloud resources.
• Possible options are: command line interfaces (CLIs), a web portal, APIs.

Let's take a quick look at the Azure Portal!
High level operating hierarchy

Azure Account
  └ Subscriptions: Development, Marketing
      └ Resource Groups: RG-1, RG-2 (Development); RG-1, RG-2, RG-3 (Marketing)
          └ Resources
Free Azure Accounts?

1) Free Azure Account (requires a phone number, a credit card that will not be charged, and a GitHub/Microsoft account):
• Free access to popular Azure resources for 12 months.
• A credit that can be used within the first 30 days.
• Access to more than 25 services that are ALWAYS free!

2) Student Azure Account (requires a phone number and a GitHub/Microsoft account; no credit card):
• Free access to certain Azure resources for 12 months.
• A credit that can be used within the first 12 months.
• Access to certain developer tools.
What is Azure?

• An expanding set of services that help you deploy infrastructure and solutions with the click of a few buttons!
• A huge variety of IoT, BI, AI and ML based services; the power is all in your hands now.

Physical Infrastructure

• Robust infrastructure at a global scale: data centers located strategically around the world.
• Physical facilities that house servers, storage devices and networking equipment with dedicated power, networking, cooling etc.
• This global presence has 2 big benefits: disaster recovery & proximity to users.
Regions

• A geographical area on the planet with AT LEAST 1 but potentially multiple datacenters (connected using low-latency networks).
• When we deploy resources, we often need to choose the region for the deployment (data residency & compliance).
• Some Azure resources are available ONLY in certain regions.
• Some global Azure services don't need us to specify a region.
Availability Zones (AZ)

[Diagram: a region containing AZ-1, AZ-2 and AZ-3]

• Physically separate datacenters within an Azure region.
• Each AZ is made up of 1 or more datacenters.
• These datacenters have independent cooling, power and networking.
• If one goes down, the others act as a backup.
• They're all connected through high-speed, low-latency fiber networks.
• A minimum of 3 AZs are present in each availability-zone-enabled region.
• Not all regions support AZs as of today.
• Datacenter locations are selected using rigorous vulnerability risk assessment criteria.
• Increased fault tolerance!
• There is still a chance that a large-scale event occurs that impacts all the availability zones in a region. How do we deal with that?
Region Pairs

[Diagram: one geography containing Region-1 (AZ-1, AZ-2, AZ-3) paired with Region-2 (AZ-1, AZ-2, AZ-3)]

• Most regions are paired with another region in the same geography, at least 300 miles away.
• NOT all Azure services automatically replicate or fail over to the paired region; for some services you must configure it manually.
• E.g. West US + East US, Southeast Asia + East Asia.
• Main advantages: fallback, data resides in the same geography (tax, jurisdiction laws etc.), and platform updates are rolled out to only one region of a pair at a time to prevent outages.
• Most pairs are bi-directional but NOT ALWAYS! E.g. West India -> South India, but South India's secondary region is Central India.
Sovereign Regions

• Instances of Azure that are isolated from the main Azure instance.
• Might be needed for compliance and regulatory purposes.
• E.g. US DoD Central, US Gov Iowa etc.
• Operated & maintained by screened US personnel only.
• China East, China North: available through a partnership between Microsoft and 21Vianet. Microsoft doesn't maintain the datacenters.
Resource Groups

• A resource is the basic building block of Azure, e.g. a VM, a database etc.
• A resource group is a logical container for resources.
• When we create a resource, we are required to place it within a resource group.
• If we apply a policy/rule on a resource group, then all children (resources) inherit those rules!

Resource Groups (RG) – Important Points

• A resource can only exist in 1 resource group.
• Resources can be added/removed from an RG at any time.
• A resource can be moved from one RG to another.
• A resource group can have a location different from the resources within it.
• You need to define a location for an RG upon creation (it is where the RG's metadata is stored).
• Resource groups cannot be nested, e.g. Resource Group 1 cannot contain Resource Group 2.
• An action applied to an RG affects all resources inside it, e.g. if an RG is deleted, all its resources also get deleted (a delete lock on the RG prevents this).
• A resource in one resource group can connect to resources in other resource groups.
• We can apply tags (metadata elements) to a resource group. The resources don't inherit those tags.
Subscriptions

• Unit of management and billing.
• Allow us to organize resource groups & eventually resources.
• You NEED a subscription to use Azure. You can have 1 or more.

Advantages:
• 1) Billing: Track billing based on departments; billing reports!
• 2) Access Boundary: Demarcate boundaries and give access to certain individuals (Microsoft Entra ID, formerly Azure Active Directory, together with role-based access control).

Multiple applications, teams and countries. Don't you think tracking will become difficult?
High level operating hierarchy

Azure Account
  └ Management Groups: Development, Finance, R&D, Marketing
      └ Subscriptions under each (Free, Dev env., Prod env. etc.)

Management Groups – Important points
• All subscriptions inherit the rules/policies applied to a management group.
• Management groups CAN be nested!
• 10,000 management groups can be contained in a single directory.
• Each management group and subscription can support only one parent.
• A management group tree can support up to six levels of depth. This limit doesn't include the root level or the subscription level.
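The scope rules from the Resource Groups and Management Groups slides are easiest to see when they are modelled together: a policy assigned at any level applies to everything beneath it, tags on a resource group do not flow down to its resources, resource groups cannot be nested, and the management-group tree stops at six levels below the root. The following is an added example, not code from the course and not an Azure API; the hierarchy, scope names and policy assignment names are made up.

```python
"""Model of the Azure management hierarchy and how scope rules apply.

Added example (not from the course slides, not Azure's own code). It enforces
the rules listed on the slides: each management group or subscription has one
parent, resource groups cannot be nested, a resource sits in exactly one
resource group, the management-group tree is at most six levels deep below the
tenant root group, policy assignments inherit downwards, and tags do not.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Iterator

MAX_MG_DEPTH = 6  # management-group levels allowed below the tenant root group

# Which scope kinds may be placed directly under which parent kind.
ALLOWED_PARENT = {
    "mg": {"root", "mg"},
    "subscription": {"root", "mg"},
    "rg": {"subscription"},
    "resource": {"rg"},
}


@dataclass
class Scope:
    name: str
    kind: str                       # "root", "mg", "subscription", "rg" or "resource"
    parent: Scope | None = None
    children: list[Scope] = field(default_factory=list)
    policies: list[str] = field(default_factory=list)  # policy assignments made at this scope
    tags: dict[str, str] = field(default_factory=dict)

    def add(self, child: Scope) -> Scope:
        """Attach `child` below this scope, enforcing the hierarchy rules."""
        if child.parent is not None:
            raise ValueError(f"{child.name} already has a parent; scopes have exactly one")
        if self.kind not in ALLOWED_PARENT.get(child.kind, set()):
            raise ValueError(f"a {child.kind} cannot sit directly under a {self.kind}")
        if child.kind == "mg" and mg_depth(self) + 1 > MAX_MG_DEPTH:
            raise ValueError(f"management-group tree deeper than {MAX_MG_DEPTH} levels")
        child.parent = self
        self.children.append(child)
        return child


def ancestors(scope: Scope) -> Iterator[Scope]:
    """Yield the scope itself, then each parent up to the tenant root."""
    node: Scope | None = scope
    while node is not None:
        yield node
        node = node.parent


def mg_depth(scope: Scope) -> int:
    """Number of management-group levels from the root down to and including `scope`."""
    return sum(1 for s in ancestors(scope) if s.kind == "mg")


def effective_policies(scope: Scope) -> list[tuple[str, str]]:
    """Policy assignments in force at `scope`: its own plus everything inherited.

    Returned root-first as (assignment, scope where it was assigned) pairs.
    """
    chain = list(ancestors(scope))[::-1]
    return [(p, s.name) for s in chain for p in s.policies]


def effective_tags(scope: Scope) -> dict[str, str]:
    """Tags are metadata on one object only: a resource does not inherit its RG's tags."""
    return dict(scope.tags)


def build_demo() -> dict[str, Scope]:
    """Constructed sample hierarchy (all names are invented)."""
    root = Scope("Tenant Root Group", "root")
    corp = root.add(Scope("corp", "mg", policies=["allowed-locations-eu"]))
    prod = corp.add(Scope("prod", "mg", policies=["deny-public-ip"]))
    nonprod = corp.add(Scope("nonprod", "mg"))
    prod_web = prod.add(Scope("prod-web", "subscription"))
    sandbox = nonprod.add(Scope("dev-sandbox", "subscription"))
    rg_web = prod_web.add(Scope("rg-web", "rg", tags={"owner": "web-team"}))
    vm = rg_web.add(Scope("vm-web-01", "resource"))
    return {s.name: s for s in (root, corp, prod, nonprod, prod_web, sandbox, rg_web, vm)}


if __name__ == "__main__":
    tree = build_demo()
    for name in ("vm-web-01", "dev-sandbox"):
        print(name, "->", effective_policies(tree[name]))
    print("tags on vm-web-01:", effective_tags(tree["vm-web-01"]))
```

The practical lesson is where to assign a control: "allowed-locations-eu" assigned once at the "corp" management group reaches every subscription, resource group and resource beneath it, whereas a tag on "rg-web" reaches nothing below it and has to be set on each resource (or enforced through a policy).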
Virtual Machine

• A virtualized instance of a computer that can perform almost all the same functions as a physical computer, including running an operating system and applications.
• IaaS offering: no need to buy physical hardware.
• Perfect when you need control over the OS, run custom software, or need custom hosting configurations.
• Suitable for various workloads: web apps, data processing etc.
• Can specify size (number of cores, amount of RAM etc.), storage disks (HDD, SSD etc.) and networking configs.
• Use pre-defined images to rapidly provision VMs.

Virtual Machine - Benefits

• Can be deployed using the Azure Portal, Azure CLI, or Azure Resource Manager (ARM) templates.
• Choice of OS: Windows, Linux, and specialized images available. Great for lift and shift!
• Scalability: Easily scale resources up or down based on demand.
• Cost-Efficiency: Pay-as-you-go pricing model reduces infrastructure costs.
• Security: Robust security measures, including Microsoft Defender for Cloud (formerly Azure Security Center). Remember that with IaaS, patching the guest OS and whatever runs on it stays your responsibility.
• Hybrid Flexibility: Connect on-premises infrastructure seamlessly.
Azure VM Scale Sets

• Automated way to create and manage a group of identical, load-balanced VMs: high availability & fault tolerance.
• Say you're running an app & need multiple identical VMs: you need to ensure their configuration is the same.
• With VM scale sets, Azure automates most of that work.
• Scale sets allow you to centrally manage, configure, and update a large number of VMs in minutes.
• More demand? More VMs can automatically be deployed.
• Less demand? The number of VMs can be reduced.
• Load balanced: load is evenly distributed.
• We can also set auto-scale based on a defined schedule.
Azure VM Availability Sets

• Again focused on high availability & fault tolerance.
• Key idea: all VMs should not go offline due to a power failure or updates. This is done in 2 ways:
• 1) Fault Domain: VMs are grouped by power source & network switch. An availability set can use up to 3 fault domains (the portal defaults to 2), and Azure spreads our VMs across them so they sit on separate power sources and switches.
• 2) Update Domain: Groups VMs that can be updated at the same time. We can then update VMs knowing that only one group will be offline at a time. A group is given 30 minutes to recover before this process begins for the next group. An availability set can use up to 20 update domains (the default is 5).
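The two domain types above are easier to reason about once the placement is written down. The following added example (not from the slides, and not Azure's placement code) applies the round-robin rule the slides describe, VM n to fault domain n mod FD and update domain n mod UD, and then asks the two questions a practitioner cares about: which VMs survive if one fault domain loses power, and how many VMs reboot together in each maintenance wave. The domain counts are parameters and the VM names are made up.

```python
"""Round-robin placement of VMs across fault and update domains.

Added example; not from the course slides and not Azure's own placement code.
The n-th VM in an availability set lands in fault domain n mod FD and update
domain n mod UD, so one rack failure or one maintenance wave only takes out a
slice of the set. Azure allows up to 3 fault domains and 20 update domains per
availability set; the counts passed in are parameters, the names are made up.
"""
from collections import defaultdict

MAX_FAULT_DOMAINS = 3
MAX_UPDATE_DOMAINS = 20


def place_vms(vm_count, fault_domains=2, update_domains=5):
    """Map vm-0 .. vm-(n-1) to (fault_domain, update_domain) round-robin."""
    if not 1 <= fault_domains <= MAX_FAULT_DOMAINS:
        raise ValueError(f"fault domains must be 1..{MAX_FAULT_DOMAINS}")
    if not 1 <= update_domains <= MAX_UPDATE_DOMAINS:
        raise ValueError(f"update domains must be 1..{MAX_UPDATE_DOMAINS}")
    return {f"vm-{n}": (n % fault_domains, n % update_domains) for n in range(vm_count)}


def _vm_index(name):
    return int(name.rsplit("-", 1)[1])


def survivors(placement, failed_fault_domain):
    """VMs still up after the power source / switch of one fault domain fails."""
    return sorted((vm for vm, (fd, _) in placement.items() if fd != failed_fault_domain),
                  key=_vm_index)


def maintenance_waves(placement):
    """VMs rebooted together in each planned-maintenance wave (one update domain at a time)."""
    waves = defaultdict(list)
    for vm, (_, ud) in placement.items():
        waves[ud].append(vm)
    return [sorted(waves[ud], key=_vm_index) for ud in sorted(waves)]


def worst_case_loss(placement):
    """Largest fraction of the set taken offline by one fault-domain failure and by one update wave."""
    if not placement:
        return 0.0, 0.0
    per_fd, per_ud = defaultdict(int), defaultdict(int)
    for fd, ud in placement.values():
        per_fd[fd] += 1
        per_ud[ud] += 1
    total = len(placement)
    return max(per_fd.values()) / total, max(per_ud.values()) / total


if __name__ == "__main__":
    for count in (1, 2, 3, 6):
        p = place_vms(count, fault_domains=3, update_domains=5)
        print(f"{count} VMs: {p}")
        print("  survivors if FD 0 fails:", survivors(p, 0))
        print("  maintenance waves:", maintenance_waves(p))
        print("  worst-case loss (FD, UD):", worst_case_loss(p))
```

Two things fall out of running it: an availability set with a single VM protects nothing (any failure is a 100% outage), and with six VMs across three fault domains the worst single fault takes out a third of the set, which is the number to size capacity against.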
Azure Virtual Desktop

• A cloud-based virtualization solution that enables secure remote access to desktop environments.
• Allows us to access a cloud-hosted version of Windows remotely from anywhere using an internet connection.
• Offers a flexible and cost-effective approach to remote work solutions.
• Apps & data (running in the cloud) are separated from the local hardware, so there is far less chance of confidential data remaining on the personal device.

Azure Virtual Desktop - Benefits

• Remote Accessibility: Access desktops and apps from anywhere with an internet connection.
• Cost Efficiency: Pay-as-you-go pricing model, reducing the need for costly on-premises infrastructure.
• Remote Workforce Enablement: Empower employees to work from anywhere securely.
• Legacy Application Support: Run legacy apps in modern environments.
• Rapid Scaling: Quickly accommodate seasonal or temporary workforce needs.
• Multi-Session Windows 10/11: Cost-effective option for hosting multiple user sessions on a single VM.
• Windows 11 Single-Session: Dedicated VMs for users needing exclusive resources.
• Linux Client Support: Connect from Linux-based thin clients and devices (the hosted desktops themselves are Windows).
Azure Containers

• VMs are an excellent choice when you don't want to manage physical hardware & want pay-as-you-go. Issue: one OS per VM.
• Containers: run multiple instances of an app on a single machine.
• You don't manage the OS, unlike a VM, and containers are much more lightweight (package an app and all its dependencies as a single unit).
• Most popular container engine: Docker (supported in Azure).

Azure Containers

• Containers share the host operating system's kernel, which makes them extremely resource-efficient. They use fewer system resources compared to VMs.
• Containers provide process-level isolation. Each container runs as an isolated process on the host OS, but they all share the same OS kernel. This means they can run side by side without interfering with each other. (Caveat: a shared kernel is a weaker security boundary than a VM; a kernel exploit from inside one container can affect every container on that host.)
• They can start quickly, often in seconds, making them suitable for microservices architectures (break one big application into multiple small pieces) and dynamic scaling.

Azure Container Instances (ACI)
• Easiest way to run containers in Azure.
• PaaS offering (refer to the shared responsibility chart).
• Simply create containers & upload them; run them using this service.

Azure Container Apps
• Think of it as containers minus the container management overhead.
• PaaS offering (refer to the shared responsibility chart).
• Way more elastic: auto-scaling and load balancing are both possible.

Azure Kubernetes Service (AKS)
• Orchestration service.
• PaaS offering (refer to the shared responsibility chart).
• Very helpful when looking to deploy and manage a fleet of containers.
App Hosting Options

• Application Hosting: The process of deploying and running applications in a cloud environment.
• Most common ones: VMs & containers. With VMs you have full control over VM configuration, choice of OS, scalability options, and security features. Good for legacy apps requiring full OS control.
Azure App Service

• A solution to build and host web apps, WebJobs, APIs and mobile apps!
• Supports both Windows & Linux, and comes with auto-scaling and high availability.
• Supports multiple programming languages and has integrated CI/CD support.
• Full Swagger (OpenAPI) support to create REST-based APIs.
• Use WebJobs to run a program (Python, Java etc.) or a script (Bash, PowerShell etc.).
• Build a back-end for iOS and Android apps: push notifications, authentication, SDK support for Xamarin, React Native, native iOS and Android apps!
• Full support for hosting web apps in Java, .NET, PHP, Ruby, Python etc.
Azure Functions

• Event-driven serverless compute option that does NOT need you to manage a VM or container.
• In most cases you need a resource to be running for your app to work; not with Azure Functions.
• An event will wake up your function, and you ONLY pay for the compute time it takes to execute the code (on the Consumption plan)!
• As a developer, I only need to care about the code & not the infrastructure.
• Scalable!
• E.g. an image compression website.

Flow: an event occurs -> function wakes up -> code is executed -> function sleeps
Azure Virtual Networks

• Fundamental component of Azure's infrastructure, providing the framework for creating and managing networks in the cloud.
• Virtual Networks (VNets): isolated, software-defined networks within Azure. They provide segmentation and isolation for your resources. VNets are the foundation for building your cloud infrastructure.
• Subnets: within VNets, you can create subnets to further segment your network. Subnets help organize resources and control traffic flow.

[Diagram: a VNet containing Subnet-1 and Subnet-2]
Azure Virtual Networks

1. The Digital Neighborhood: Think of Azure Virtual Network as a digital neighborhood, just like the one where you live.
2. Digital Houses: In this neighborhood, you can build digital houses (virtual machines, servers, and services). These houses are like your online spaces.
3. Digital Streets: Azure Virtual Network has digital streets (networks) that connect all the houses. These streets are like the pathways for your digital devices to communicate.
4. Friendly Neighbors: Your digital devices, like your computer or phone, are like friendly neighbors who chat and share things with each other.
5. Security Fences: Just like you have a fence around your house, you can put up security measures to protect your digital houses from unwanted visitors (cybersecurity).
6. Visitors Welcome: You can invite digital visitors (cloud services) to your neighborhood and let them interact with your digital houses. It's like having guests over.
7. Private Gardens: Azure Virtual Network lets you create private gardens (subnets) within your neighborhood. You can decide which plants (resources) go where.
Azure Virtual Networks – Main Use Cases

• Isolation and segmentation
• Communication between resources
• Communication between the resources & the internet
• Communication between the resources & an on-prem deployment
• Filtering of traffic
• Routing of traffic
Isolation and Segmentation

• Breaking down one big monolithic network into smaller chunks / subsets.
• Keeping different sets of resources or entities separate from one another within a network to prevent unauthorized access, data leakage, or interference between them, which also increases manageability.
• Subnet Segmentation: Within a Virtual Network (VNet), you can create multiple subnets to group resources logically. Each subnet can have its own security policies and access controls (an NSG can be associated with a subnet).
• Network Isolation: Achieved through Virtual Networks (VNets) and Network Security Groups (NSGs) in Azure. VNets create isolated network segments, while NSGs define access controls. A VNet is isolated by default: two VNets cannot talk to each other unless you peer them or connect them through a gateway.
• Resource Isolation: Azure provides various ways to isolate resources, including Virtual Machine Scale Sets, App Service Environment (ASE) for App Service, and more.
Communication between resources

• Through VNets: resources can be deployed in a virtual network.
• Virtual Network Service Endpoints: like a secure and direct tunnel between your Azure virtual network and specific Azure services, such as Azure Storage or Azure SQL Database. It allows resources within your virtual network to reach these Azure services over the Microsoft backbone network instead of going over the public internet, and lets the service's firewall admit traffic only from that subnet. (Caveat: the service still answers on its public IP; if you need the service to have a private IP inside your VNet, that is Azure Private Link / private endpoints.)
• Virtual Network Peering: we can even connect 2 VNets to talk to each other / communicate. Bypasses the public internet & they can even be in different regions (global peering)!
Communication with On-Prem resources

• Point-to-Site VPN: a way for individual devices, like your computer or laptop, to securely connect to an Azure Virtual Network (VNet) over the internet. It's like having a secure and private road from your device to your Azure network, ensuring that your data is transmitted safely and privately. Use case: remote work.
• Site-to-Site VPN: a Site-to-Site (S2S) VPN in Azure is a way to securely connect an entire on-premises network (like your office network) to an Azure Virtual Network (VNet). It creates a secure, encrypted (IPsec/IKE) tunnel between your on-premises VPN device and your Azure VPN gateway, allowing all devices in your local network to communicate with Azure resources as if they were part of the same network.
• Azure ExpressRoute
Azure ExpressRoute

• Like a dedicated, private highway between your on-premises data center or network and Microsoft Azure's cloud infrastructure. It provides a fast, reliable, and secure connection that bypasses the public internet.
• With Azure ExpressRoute, you can establish a private and direct link to Azure's data centers, ensuring low latency, consistent performance, and enhanced security for your data and applications.
• It's like having a private road to Microsoft Azure, allowing your organization to extend its network into the cloud with reliability and minimal exposure to the internet's potential risks.
• Caveat: "private" is not the same as "encrypted". Traffic on an ExpressRoute circuit is not encrypted by default; if you need confidentiality on the wire, use MACsec on ExpressRoute Direct or run a site-to-site IPsec VPN over the circuit.

[Diagram: a datacenter in Canada and an office in Ireland each connect to Azure over their own ExpressRoute circuit, communicating without transferring data over the public internet]
Filter Network Traffic

• Network Security Groups (NSGs) - Like a virtual wall that you can place around your Azure resources. It acts as a protective shield, allowing you to define rules that control inbound and outbound traffic to and from those resources. Think of it as a security guard that decides who can enter and exit your building.

• With NSGs, you can specify which network traffic is allowed or denied, based on factors like source and destination IP addresses, ports, and protocols.

• Network Virtual Appliances (NVAs) – Specialized VMs that behave/act as hardened network appliances. Eg – WAN optimization, running a firewall etc.
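The way an NSG turns its rule list into an allow/deny decision is easy to get wrong when reading the portal: rules are evaluated in priority order (lowest number first), the first match wins, and anything unmatched falls through to the platform's catch-all deny. The evaluator below is an added example, not Azure code or code from the slides; the rule set and the sample traffic are constructed, and the default-rule priorities it mentions are the real ones (65000-65500).

```python
"""Added example (not from the slides): how an NSG evaluates traffic.

Rules are processed in priority order (lowest number first); the first rule
whose direction, protocol, source and destination port all match decides
Allow/Deny. Azure ends every NSG with DenyAllInbound / DenyAllOutbound at
priority 65500, modelled here as the fall-through result. The rule set and
packets are constructed sample data, not a real NSG export.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class NsgRule:
    name: str
    priority: int        # user rules use 100-4096; lower number wins
    direction: str       # "Inbound" or "Outbound"
    access: str          # "Allow" or "Deny"
    protocol: str        # "Tcp", "Udp" or "*"
    source: str          # CIDR or "*"
    dest_port: str       # single port, "lo-hi" range, or "*"


def _port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(p) for p in spec.split("-", 1))
        return lo <= port <= hi
    return int(spec) == port


def _source_matches(spec: str, src_ip: str) -> bool:
    return spec == "*" or ip_address(src_ip) in ip_network(spec, strict=False)


def evaluate(rules, direction: str, protocol: str, src_ip: str, dest_port: int):
    """Return (access, rule_name) for the first matching rule in priority order."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.direction != direction:
            continue
        if rule.protocol not in ("*", protocol):
            continue
        if not _source_matches(rule.source, src_ip):
            continue
        if not _port_matches(rule.dest_port, dest_port):
            continue
        return rule.access, rule.name
    # Nothing matched: the platform's default DenyAll rule (65500) applies.
    return "Deny", "DenyAll" + direction


# Constructed rule set for a web tier: HTTPS from anywhere, SSH only from a
# corporate range, and an explicit deny for everything else from the internet
# (placed before the default rules, which would otherwise allow VNet traffic).
SAMPLE_RULES = [
    NsgRule("AllowHttpsInbound", 100, "Inbound", "Allow", "Tcp", "*", "443"),
    NsgRule("AllowSshFromCorp", 110, "Inbound", "Allow", "Tcp", "203.0.113.0/24", "22"),
    NsgRule("DenyInternetInbound", 4000, "Inbound", "Deny", "*", "0.0.0.0/0", "*"),
]

if __name__ == "__main__":
    for pkt in [("Tcp", "198.51.100.7", 443), ("Tcp", "198.51.100.7", 22), ("Tcp", "203.0.113.9", 22)]:
        print(pkt, "->", evaluate(SAMPLE_RULES, "Inbound", *pkt))
```

The ordering matters for least privilege: because SSH from the corporate range sits at priority 110, it is reached before the broad deny at 4000, while SSH from any other address falls into that deny rather than into the more permissive platform defaults.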
Azure DNS

• Like a big, magical address book for the internet. Instead of people's names and phone numbers, it's filled with website and service names and their "phone numbers" (IP addresses).

• Every domain will translate to an IP Address. Eg. www.hawkeyedata.ca -> Some IP Address.

• Instead of remembering long strings of numbers (IP addresses), you can use easy-to-recall website names like www.azure.com. It is dynamic, real-time and global!

• Easily manage domain name records for your Azure Services + provide DNS for your external resources as well!

• Uses anycast networking - Every DNS query is answered by the closest available DNS server. Fast performance + Scalability.

• CAN'T use Azure DNS to buy a domain name. Can do it using a 3rd Party Registrar or App Service for an annual fee.
Azure Storage Accounts

• Like digital warehouses where you can store and manage various types of data in Microsoft Azure.

• Can store various types of data, including files, databases, backups, and unstructured data like documents and images.

• Provides a unique namespace for your Azure Storage data that's accessible from anywhere in the world over HTTP or HTTPS.

• Storage account names must be between 3 and 24 characters in length and may contain numbers and lowercase letters only.

• E.g. - https://<storage-accountname>.blob.core.windows.net
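The naming rule and the endpoint format above are the two things a provisioning script checks before it ever calls Azure. The snippet below is an added example (not from the slides) that validates a candidate name against the stated rule and builds the per-service URLs of the account's namespace; the endpoint suffixes are those of the public Azure cloud, and global uniqueness of the name is something only Azure itself can confirm, so it is not checked here.

```python
"""Added example (not from the slides): syntactic check of a storage account
name and the service endpoints its unique namespace exposes. The naming rule
is the one on the slide (3-24 characters, lowercase letters and digits only);
endpoint suffixes are the public-cloud ones."""
import re

# Public-cloud DNS suffix for each storage service under the account's namespace.
SERVICE_SUFFIXES = {
    "blob": "blob.core.windows.net",
    "file": "file.core.windows.net",
    "queue": "queue.core.windows.net",
    "table": "table.core.windows.net",
}


def name_problems(name: str) -> list:
    """Return the list of rule violations; an empty list means the name is valid."""
    problems = []
    if not 3 <= len(name) <= 24:
        problems.append(f"length {len(name)} is outside 3-24")
    if not re.fullmatch(r"[a-z0-9]*", name):
        problems.append("only lowercase letters and digits are allowed")
    return problems


def endpoints(name: str, https_only: bool = True) -> dict:
    """Build the per-service URLs for a valid account name.

    https_only mirrors the account's 'secure transfer required' setting: with
    it on, only https:// URLs will work, so that is the default here.
    """
    problems = name_problems(name)
    if problems:
        raise ValueError("; ".join(problems))
    scheme = "https" if https_only else "http"
    return {svc: f"{scheme}://{name}.{suffix}" for svc, suffix in SERVICE_SUFFIXES.items()}


if __name__ == "__main__":
    for candidate in ["stexample001", "St_Example", "ab"]:   # constructed names
        print(candidate, "->", name_problems(candidate) or endpoints(candidate)["blob"])
```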
Azure Storage Redundancy

• Multiple copies of the data are stored.

• Unplanned events like natural disasters, hardware failure, power outages etc. can happen at any time – HA & FT.

• Can have a Primary Region (MUST) & a Secondary Region (Optional).

• Data in the Primary Region is always replicated 3 times - does not matter which option we choose – HOW it is stored is the key difference.

• Options –
  - Locally Redundant Storage (LRS)
  - Zone Redundant Storage (ZRS)
  - Geo-Redundant Storage (GRS)
  - Geo-Zone Redundant Storage (GZRS)
Locally Redundant Storage (LRS)

• Replicates your data 3 times in a SINGLE datacenter in the primary region, no secondary region.

• Provides at least 11 nines of durability (99.999999999%) of objects over a year.

• Cheapest redundancy option & least durable out of all the options.

• Can protect against drive or server rack failures.

• Think of a scenario where this 1 datacenter goes down or is destroyed – data may be unrecoverable.

• Microsoft highly recommends ZRS, GRS, GZRS (the other 3 options).

[Diagram: Primary Region – one Storage Account in a single datacenter holding Copy 1, Copy 2 and Copy 3.]
Zone Redundant Storage (ZRS)

• Replicates your data synchronously across 3 Availability Zones in the Primary Region, still no secondary region.

• Provides at least 12 nines of durability (99.9999999999%) of objects over a year.

• Costlier than LRS but much more durable!

• Data still available for read & write if a zone becomes unavailable – Azure will take care of DNS repointing, other networking tasks.

• Might be needed to meet data governance requirements – data still in same country.

[Diagram: Primary Region – Availability Zones 1, 2 and 3, each with its own datacenter holding one copy of the Storage Account (Copy 1, Copy 2, Copy 3).]
Secondary Regions!

• For apps needing high durability – replicate the data in the storage account to a secondary region (100's of miles away).

• Create a storage account – select the primary region. The paired secondary region is based on Azure Region Pairs!

• By default, data in the secondary region isn't available for read or write unless the Primary Region fails (read access to the secondary can be enabled: RA-GRS / RA-GZRS).

• After the Primary Region fails, the secondary becomes your new primary!

• RPO (Recovery Point Objective) – Point in time to which data can be recovered: the difference between the most recent write to the primary region & the last write to the secondary region.
Geo Redundant Storage (GRS)

• Like running LRS in two different regions.
• Copies the data synchronously to a single physical location in the primary region using LRS. Then asynchronously to a single physical location in the secondary region – the region pair.
• Durability of 16 nines (99.99999999999999%) over a given year!
• Think of it as LRS + LRS!

[Diagram: Primary Region – Storage Account with Copy 1, Copy 2, Copy 3; Secondary Region – Storage Account with Copy 1, Copy 2, Copy 3.]


Geo-Zone-Redundant Storage (GZRS)

• Copies the data across 3 availability zones in the primary region (ZRS). Then to a secondary region using LRS.
• Durability of 16 nines (99.99999999999999%) over a given year!
• Think of it as ZRS + LRS!
• Provides the maximum durability!

[Diagram: Primary Region – Availability Zones 1, 2 and 3, each with a datacenter holding one copy of the Storage Account (Copy 1, Copy 2, Copy 3); Secondary Region – one Storage Account with Copy 1, Copy 2, Copy 3.]
Storage Services - Azure Blobs

Cloud-Based Object Storage offered by Azure – designed to store and manage unstructured data.

Data is stored in the form of objects / blobs – can be a file, image, video, audio, logs, binary data etc.

Upload data as blobs, let Azure take care of the physical storage - incredibly scalable!

Can be accessed simply by using HTTP/HTTPS and multiple programming languages are supported.
Azure Blob Storage Tiers

• High level idea is to manage costs based on frequency of access & retention period.

• Hot Access Tier 🔥 – Optimized for storing data that's accessed frequently & low-latency is needed (Your Profile Picture)

• Cool Access Tier 🆒 – Optimized for storing data that's accessed infrequently and stored for at least 30 days (Historical data / compliance data)

• Cold Access Tier ❄ – Optimized for storing data that's accessed infrequently and stored for at least 90 days!

• Archive Access Tier 💤 – Best for data that's rarely accessed and stored for at least 180 days with flexible latency needs. Costs the lowest but has the highest costs to rehydrate the data and then access it.
Azure Files

• Fully managed file-shares in the cloud accessible via Server Message Block (SMB) or Network File System (NFS) protocols.

• Accessible from Windows, MacOS, or Linux clients.

• Caching on Windows Servers with Azure File Sync near customers for lower latency is also possible!

• Can be mounted as Network Drives on Windows or Directories on Linux and MacOS to seamlessly access data.

• Microsoft will take care of infrastructure, high availability and backups!

• Excellent for lift and shift scenarios – can move both app & data to the cloud (classic scenario) or just the data (hybrid scenario)
Azure Queues

• A messaging service that enables async communication & storing a large number of messages (backlog).

• Each message can be up to 64KB in size, and millions of messages can be stored.

• Messages are stored in the queue until they are processed by the receiving component.

• Helps to decouple different parts of an application, making it more resilient to failures.

• Uses HTTP/HTTPS as the protocols for communication.

• Ability to set Time-To-Live (TTL) for messages – how long a message should remain in the queue.

[Flow: An event occurs (Upload button is clicked on the website) -> Send a message to the message queue storage -> Function wakes up based on the message -> Code is executed -> Function sleeps.]
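The decoupling the slide describes rests on three queue behaviours that are worth seeing together: the 64KB message limit, the per-message TTL, and the visibility timeout that hides a message while a consumer works on it so that a consumer crash leads to a retry rather than a lost message. The code below is an added example (not from the slides and not the Azure SDK) that models those semantics in memory with an injectable clock; the message bodies are constructed.

```python
"""Added example (not from the slides): an in-memory model of the queue
semantics listed above – a 64 KB per-message limit, a per-message
time-to-live, and the visibility timeout that makes a crashed consumer's
message reappear instead of vanish. Standard library only, with an
injectable clock so behaviour can be checked without waiting; the real
service is reached over HTTPS with the Azure SDK, which is not used here."""
import time
import uuid
from dataclasses import dataclass

MAX_MESSAGE_BYTES = 64 * 1024          # Azure Queue Storage message limit
DEFAULT_TTL_SECONDS = 7 * 24 * 3600    # Azure's default TTL of 7 days


@dataclass
class Message:
    id: str
    body: str
    expires_at: float     # absolute clock time after which the message is gone
    visible_at: float     # hidden from receivers until this clock time
    dequeue_count: int = 0


class StorageQueue:
    def __init__(self, clock=time.monotonic):
        self._items = []
        self._clock = clock

    def send(self, body: str, ttl_seconds: float = DEFAULT_TTL_SECONDS) -> str:
        if len(body.encode("utf-8")) > MAX_MESSAGE_BYTES:
            raise ValueError("message exceeds the 64 KB limit")
        now = self._clock()
        msg = Message(str(uuid.uuid4()), body, now + ttl_seconds, now)
        self._items.append(msg)
        return msg.id

    def _purge_expired(self) -> None:
        now = self._clock()
        self._items = [m for m in self._items if m.expires_at > now]

    def receive(self, visibility_timeout: float = 30):
        """Hand out the oldest visible message and hide it for visibility_timeout seconds."""
        self._purge_expired()
        now = self._clock()
        for msg in self._items:
            if msg.visible_at <= now:
                msg.visible_at = now + visibility_timeout
                msg.dequeue_count += 1
                return msg
        return None

    def delete(self, msg_id: str) -> None:
        """Called by the consumer only after processing succeeded."""
        self._items = [m for m in self._items if m.id != msg_id]

    def __len__(self) -> int:
        self._purge_expired()
        return len(self._items)


def process_uploads(queue: StorageQueue, handler) -> int:
    """Drain visible messages, deleting each one only after handler() succeeds."""
    handled = 0
    while (msg := queue.receive()) is not None:
        try:
            handler(msg.body)
        except Exception:
            # Leave the message hidden; it becomes visible again when the
            # visibility timeout lapses, so the work is retried, not lost.
            continue
        queue.delete(msg.id)
        handled += 1
    return handled


if __name__ == "__main__":
    q = StorageQueue()
    q.send("upload:photo-123.jpg")   # constructed message, as the website would send it
    print("processed", process_uploads(q, lambda body: print("resizing", body)))
```

The delete-after-success pattern is what makes the function side idempotent in practice: a message whose handler fails is redelivered with a higher dequeue count, which is also the signal a real consumer uses to move a repeatedly failing message to a poison queue.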
Azure Disks

• The primary means of persistent storage for VMs running on Azure.

• These disks provide the storage capacity needed to store the OS, data, applications etc.

• Wide range of disk sizes to suit storage needs.

• Managed disks are also available that handle storage for you, including replication, backups and availability!
Azure Tables

• Part of the NoSQL family – suitable for storing large amounts of structured & semi-structured data without the need of a fixed schema.

• This is great for quickly changing data requirements & is extremely scalable.

• Data is stored as Key-Value pairs.

• Typically cheaper than traditional SQL for similar volumes of data.

• Good for storing TBs of structured data that doesn't need complex joins, fast access etc.

• E.g. – Device data, metadata, user data etc.

[Diagram: Storage Account -> Table -> Entity. A "devices" table holds entities such as {OS=MacOS, Browser=Safari} and {OS=Windows, Browser=Chrome}; a "HawkEye Data" table holds an entity such as {Name=Aman, user Id=1x0}.]


Migration

Process of moving resources & deployments to the cloud.

Azure Migrate

• Managed service that helps to migrate from an on-prem env. to the cloud – one portal to do it all.

• Range of tools to assess, analyze & then perform the migration.

• Dependency Mapping - It provides dependency maps, showing which servers or components are dependent on each other.

• Right Sizing - Azure Migrate suggests appropriate Azure VM sizes based on the performance and resource requirements of your on-premises workloads.

• Compatibility Analysis - It evaluates the compatibility of your on-premises workloads with Azure, identifying any dependencies, and providing recommendations for migration.
Azure Migrate – Integrated Tools

• Azure Migrate: Discovery & Assessment – Tool to discover and assess on-prem servers running on Hyper-V, VMware before migration.

• Azure Migrate: Server Migration – Tool to migrate servers running on Hyper-V, VMware and other physical servers to Azure.

• Data Migration Assistant – Tool to assess SQL servers & identify problems beforehand that can affect migration, new features & if anything is unsupported.

• Azure Database Migration Assistant – Tool to migrate on-prem databases to Azure SQL, or VMs running SQL.

• Azure Web App Migration
Azure Data Box!

Proprietary storage solution to ship data in and out of Azure (~<50lbs).

Capacity of 80TB & shipped to your datacenter.

Can be used to copy data into it, or from it in an inexpensive and reliable fashion.

Addresses challenges related to transferring large amounts of data over the internet, which can be slow and costly.

Great for one-time migrations (ideally >=40TB), disaster recovery (periodic backups), multi-cloud scenarios!

Data on Azure Data Box devices is encrypted, ensuring data security during transit.

Source: https://learn.microsoft.com/en-us/azure/databox/media/data-box-overview/data-box-combined.png
AzCopy

• Command-line tool provided by Microsoft for efficiently copying and transferring data to and from Azure Blob Storage, Azure Files, and Azure Data Lake Storage & even sync data.

• Can be used to move data to and from other cloud providers too!

• Syncs are uni-directional. Specify source & destination & let it sync.

• CLI tool - Suitable for scripting, automation, and integration with other applications and workflows.
Azure Storage Explorer

• Offers a Graphical User Interface (GUI) that simplifies the management of Azure Blob Storage, Azure Queue Storage, Azure Table Storage, Azure Files, and Azure Data Lake Storage.

• Upload to Azure, download from Azure, move data between accounts.

• Available on multiple OS – MacOS, Windows, Linux

• Uses AzCopy behind the scenes!

• Supports connecting to multiple Azure subscriptions and storage accounts simultaneously, streamlining management for organizations with multiple accounts.
Azure File Sync

• Offers a convenient way to centralize file shares in Azure while keeping the benefits of a Windows File Share!

• Windows Server can create a local cache.

• Azure File Sync supports multi-site synchronization, making it suitable for organizations with distributed offices or branch locations.

• Set up File Sync on Windows Server -> files are bi-directionally synced.

• Configure Cloud Tiering – the more important (frequently used) files are kept locally & the less important ones sit in Azure.

• Multiple protocols – SMB, NFS, FTPS


Azure Active Directory (AD)

• Cloud-based identity and access management service. Like having your very own digital passport office in the cloud. It's the place where you get your digital identity documents and access to all your online services.

• Serves as the foundation for secure authentication, authorization, and management of users, devices, and applications in the Microsoft Azure cloud environment.

• All about managing who has access to what in your organization's digital environment, including users, devices, and applications.
Azure Active Directory (AD) – Key Points

[Diagram: Azure Active Directory + Active Directory (On-Prem) – Azure AD is synchronized with the On-prem AD through Azure AD Connect.]

Azure Active Directory Domain Services (DS)

1. Same Key, New Places: With Azure AD DS, you can use your office key (your username and password) to unlock doors on the internet. So, you don't need a new key for online stuff.

2. Office Rules Apply: The same rules and settings that keep your computer safe at the office also apply online. It's like having the same lock on your office door and your internet accounts.

3. Easy Connections: You can connect your work computer to the internet (like a cloud computer) and still use your office key to access files and apps, just like you do at the office.

4. Extra Security: It makes sure your key works safely online by using special codes and protections.

5. No New Keys: You don't need to remember new usernames and passwords for internet stuff. Your office key works everywhere.

6. Simply use AD without supporting the infrastructure it needs.

7. Great for moving legacy apps to the cloud that need modern authentication but can't support it!

8. Supports LDAP, group policies, Kerberos authentication.

[Diagram: a Managed Domain inside a VNet, backed by Azure AD, which is synchronized with the On-prem AD through Azure AD Connect.]
Azure Authentication Services

1. Process of establishing the identity of a device, person or service.

2. Proving who you say you are.

3. Passwordless, MFA, SSO.

4. Trade-off between security & convenience for the longest time.
Single-Sign On (SSO)

• Service offered by Microsoft Azure that simplifies and streamlines the process of signing in to multiple applications and services.

• One set of credentials to access multiple services/applications.

• These apps and services must trust the initial authenticator.

• Increased productivity as users can access multiple applications seamlessly without the hassle of repeated sign-ins.

• Improves the user experience by reducing the number of credentials users need to remember, leading to fewer password-related issues.

• User leaves -> delete all credentials (tracking is hard). Similarly, granting access by mistake or extra privilege is common.
Multi-Factor Authentication (MFA)

• What if the password gets leaked? Single point of failure.

• Adds an extra layer of defence – OTP (One time passcode) is an example.

• 3 categories:
  - Something you know – OTP, passphrase, security key, security question
  - Something you have – Mobile Phone, Security Key
  - Something you are – Biometrics like facial scan, fingerprint etc.

• Malicious users would need the password + one of the three above to get authorised.
Azure Passwordless

• Alternative to the traditional password + MFA combo – which can get frustrating.

• Needs to be set up on a device for it to be used.

• E.g. – Enroll your mobile phone -> Azure knows who you are -> Authenticate with FaceID / Fingerprint -> Good to go!

• 3 options!

Windows Hello!

• Great if you have a company issued PC.

• Azure knows who you are using that PC.

• Authenticate using a pin, face recognition -> good to go!

• In-built SSO support!

Microsoft Authenticator App

• Very common option especially for BYOD enrolled mobiles!

• 'Approve login request' & choose a number.

• FaceID / Biometric like fingerprint to login!

• No chances of password leaks!

FIDO2 (Fast Identity Online)

• Incorporates the Web Authentication standard (WebAuthn).

• Use a security key baked into a device.

• Mostly USB but NFC, Bluetooth also very common.

• Again no password that can be leaked!
External Identities & Guests in Azure

• Concept of allowing users who are not part of your organization's primary Azure Active Directory (Azure AD) to access and collaborate on your Azure resources and applications.

• Essential for scenarios where you need to include partners, vendors, customers, or external collaborators in your Azure environment.

• Secured restricted access to resources!

Business 2 Business (B2B)

• Partners can use their own credentials to access your Azure resources.

• Can be invitation based or self-service sign up!

• Users appear as guest users in your directory.

[Diagram: My AD sends an Invite -> the user in the Guest AD accepts the invite / self signs up.]

Business 2 Business (B2B) Direct Connect

• Mutual Trust Relationship with another Azure AD organization.

• Presently works with MS Teams shared channels.

• Access the shared Teams instance with your home credentials itself!

• Users are not represented as guests but can be viewed in this shared Teams channel.

[Diagram: My AD <- Mutual Trust -> the partner organization's Azure AD.]

Business 2 Consumer (B2C)

• Designed for customer-facing applications, where you need to manage and authenticate many external users or customers. Designed for customer identity and access management.

• Allows customizing the sign-in and registration experience.

• Supports identity providers like social media logins (e.g., Facebook, Google).

• Ideal for scenarios involving e-commerce, online services, or applications with a broad customer base.

• Provides features like self-service password reset and multi-factor authentication for consumer accounts.

[Diagram: My AD sends an Invite -> the consumer accepts the invite / self signs up.]
Conditional Access

• Like having a security gatekeeper in the cloud who's also your tech-savvy friend - helps keep your digital world safe while making sure you have easy and secure access.

• Enhances security – ensures that the right users have the right level of access to Azure resources and applications, while also considering factors like device health and location.

• Policies can be based on various signals - user identity, device status, location, application sensitivity etc. E.g., enforce multi-factor authentication (MFA) only for users accessing sensitive applications from outside the corporate network / block requests from unusual locations.

• Conditional Access allows you to define access controls, such as requiring multi-factor authentication, blocking access, granting access with limited access rights, or requiring password changes.

• One of the most common use cases is enforcing MFA, which adds an extra layer of security by requiring users to provide two or more forms of verification during sign-in.

• You can set policies to ensure that devices meet specific security and compliance standards before granting access. This is especially important for BYOD (Bring Your Own Device) scenarios.
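The slide's three examples (MFA for a sensitive app from outside the corporate network, blocking unusual locations, requiring a compliant device for BYOD) all follow the same evaluation shape: every policy whose conditions match the sign-in applies, and the strictest resulting control wins. The evaluator below is an added example, not Azure AD code or code from the slides; the policies, apps, groups and named locations are constructed stand-ins for the real policy objects.

```python
"""Added example (not from the slides): how Conditional Access-style policies
turn sign-in signals into a decision. Every policy whose conditions match
applies, and the strictest outcome wins: block beats "require MFA" beats
plain allow. Policies, apps, groups and locations are constructed stand-ins,
not real Entra/Azure AD policy objects."""
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class SignIn:
    user: str
    groups: FrozenSet[str]
    app: str
    location: str            # named location, e.g. "corp-network", "home", "unknown"
    device_compliant: bool   # as reported by device management


@dataclass(frozen=True)
class Policy:
    name: str
    grant: str                                  # "block", "mfa" or "compliant_device"
    apps: Optional[FrozenSet[str]] = None       # None = all apps
    groups: Optional[FrozenSet[str]] = None     # None = all users
    locations: Optional[FrozenSet[str]] = None  # None = any location
    exclude_locations: FrozenSet[str] = frozenset()


def applies(policy: Policy, s: SignIn) -> bool:
    """A policy applies only when every configured condition matches the sign-in."""
    if policy.apps is not None and s.app not in policy.apps:
        return False
    if policy.groups is not None and not (s.groups & policy.groups):
        return False
    if policy.locations is not None and s.location not in policy.locations:
        return False
    if s.location in policy.exclude_locations:
        return False
    return True


def decide(policies, s: SignIn):
    """Return (decision, [names of the policies that applied])."""
    matched = [p for p in policies if applies(p, s)]
    names = [p.name for p in matched]
    grants = {p.grant for p in matched}
    if "block" in grants:
        return "block", names
    if "compliant_device" in grants and not s.device_compliant:
        return "block", names            # required grant control not satisfied
    if "mfa" in grants:
        return "require_mfa", names
    return "allow", names


# Constructed policy set mirroring the slide's examples.
POLICIES = [
    Policy("Block sign-ins from unknown locations", "block",
           locations=frozenset({"unknown"})),
    Policy("MFA for Finance app outside the corporate network", "mfa",
           apps=frozenset({"FinanceApp"}), exclude_locations=frozenset({"corp-network"})),
    Policy("Compliant device for BYOD users on Mail", "compliant_device",
           apps=frozenset({"Mail"}), groups=frozenset({"BYOD-Users"})),
]

if __name__ == "__main__":
    attempt = SignIn("alice", frozenset({"Finance"}), "FinanceApp", "home", True)
    print(decide(POLICIES, attempt))
```

Returning the names of the applied policies alongside the decision is deliberate: it is the same information the real sign-in log exposes, and it is what you need when a user reports being blocked and you have to find which policy did it.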
Azure RBAC

• RBAC (Role-Based Access Control) is like giving people different keys to open different doors in a building. Each key (role) has a specific set of permissions.

• For example, some keys can open any door (Owner), while others can only open certain rooms (Contributor), and some can only look through the windows without opening any doors (Reader).

• RBAC helps you control who can do what with your Azure resources, making sure people have the right access to do their job, but nothing more (least privilege).

• Fundamental component of Azure's identity and access management system. It allows organizations to manage and control access to Azure resources by assigning specific roles and permissions to users, groups, and applications. Enforced through Resource Manager (CLI, Portal etc.)
Azure RBAC – Key Points

1. Purpose - Azure RBAC is designed to ensure that users and services have the right level of access to Azure resources, limiting the risk of unauthorized access or changes to critical resources.

2. Roles - Azure provides built-in roles, each with a specific set of permissions that define what users with that role can do. Roles include Owner, Contributor, Reader, and many more.

3. Custom Roles - Organizations can create custom roles to tailor access permissions to their specific needs. Custom roles allow for fine-grained control over access.

4. Scope - RBAC is applied at different scopes, including the management group, subscription, resource group, or individual resource. This means you can grant different permissions at different levels.

5. Role Assignment - Role assignments link users, groups, or service principals to roles at a specific scope. Role assignments define who can do what within a given scope.

6. Role Inheritance - Permissions can be inherited from higher scopes to lower scopes. For example, a role assigned at the subscription level can be inherited by all resource groups and resources within that subscription.

7. Granular Control - Custom roles can be created with fine-grained control over permissions. You can specify which actions users can perform on specific resource types.

8. Least Privilege Principle - Azure RBAC encourages the principle of least privilege, where users are granted only the permissions necessary to perform their tasks, reducing the risk of unauthorized actions.

9. Audit and Monitoring - Azure provides auditing and monitoring capabilities to track role assignments and changes, helping organizations maintain security and compliance.
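Points 4 to 6 (scope, assignment, inheritance) combine into one question an engineer repeatedly has to answer: given these assignments, may this principal perform this action on this resource? The resolver below is an added example (not Azure code or code from the slides) that answers it by walking the scope chain and applying a role's Actions minus NotActions with Azure's wildcard matching. The subscription id, resource ids and assignments are constructed placeholders, the three role definitions are simplified sketches of the built-in Owner, Contributor and Reader, and deny assignments, which real Azure also evaluates, are left out.

```python
"""Added example (not from the slides): resolving whether a principal may
perform an action on a resource from RBAC-style role assignments.
Assignments inherit down the scope chain (management group -> subscription
-> resource group -> resource); a role's effective permissions are its
Actions minus its NotActions, matched with Azure's '*' wildcard. Role shapes
are simplified, ids are placeholders, deny assignments are not modelled."""
from fnmatch import fnmatchcase

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"   # placeholder id
MG = "/providers/Microsoft.Management/managementGroups/corp-root"

# Which subscriptions sit under which management group (constructed).
MG_SUBSCRIPTIONS = {MG: [SUB]}

# Simplified built-in role shapes: Owner has everything; Contributor has
# everything except managing access; Reader has only read actions.
ROLES = {
    "Owner": {"actions": ["*"], "not_actions": []},
    "Contributor": {"actions": ["*"],
                    "not_actions": ["Microsoft.Authorization/*/Write",
                                    "Microsoft.Authorization/*/Delete",
                                    "Microsoft.Authorization/elevateAccess/Action"]},
    "Reader": {"actions": ["*/read"], "not_actions": []},
}

# (principal, role, scope) tuples: constructed assignments.
ASSIGNMENTS = [
    ("bob", "Owner", MG),
    ("alice", "Reader", SUB),
    ("alice", "Contributor", SUB + "/resourceGroups/app-rg"),
]


def _within(scope: str, resource_id: str) -> bool:
    """True when resource_id is at or below scope in the hierarchy."""
    if scope.startswith("/providers/Microsoft.Management/managementGroups/"):
        return any(_within(sub, resource_id) for sub in MG_SUBSCRIPTIONS.get(scope, []))
    return resource_id == scope or resource_id.startswith(scope + "/")


def _action_match(pattern: str, action: str) -> bool:
    # Azure compares action strings case-insensitively and '*' spans segments.
    return fnmatchcase(action.lower(), pattern.lower())


def role_permits(role: str, action: str) -> bool:
    definition = ROLES[role]
    return (any(_action_match(p, action) for p in definition["actions"])
            and not any(_action_match(p, action) for p in definition["not_actions"]))


def is_allowed(principal: str, action: str, resource_id: str, assignments=ASSIGNMENTS):
    """Return (allowed, assignment): the first assignment granting the action, if any."""
    for assignment in assignments:
        who, role, scope = assignment
        if who == principal and _within(scope, resource_id) and role_permits(role, action):
            return True, assignment
    return False, None


if __name__ == "__main__":
    vm = SUB + "/resourceGroups/app-rg/providers/Microsoft.Compute/virtualMachines/vm1"
    print(is_allowed("alice", "Microsoft.Authorization/roleAssignments/write", vm))
```

The returned assignment is the audit trail point 9 talks about: when a change succeeds that should not have, the first question is which assignment at which scope made it possible.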
Concept of Zero Trust

• Based on the principle of 'never trust, always verify' in cybersecurity.

• Challenges the traditional network security model, which assumes that once someone or something is inside a network, they can be trusted. In contrast, Zero Trust assumes that no one, whether inside or outside the network, can be inherently trusted.

• Requires verification and authentication for every user, device, and application attempting to access resources.

Concept of Zero Trust – Key Points

1. Identity-Centric – Focus is on verifying the identity of users and devices before granting access to resources. E.g. – Use MFA

2. Least Privilege - Means that users and devices should only have the minimum level of access necessary to perform their tasks.

3. Micro-Segmentation - Involves segmenting the network into smaller zones. Each segment has its own security policies, limiting scope for attackers.

4. Continuous Monitoring - This helps in detecting and responding to any unusual or suspicious activities in real-time.

5. Verification of Trust - Trust is never assumed, it must be continuously verified. Even after initial access, users and devices are subject to ongoing scrutiny to ensure they remain trustworthy.
Defense In Depth

[Diagram: concentric layers from the outside in – Physical, Identity & Access, Perimeter, Network, Compute, Application, Data.]

• Layering to slow the advance of attackers – multiple layers instead of just one.

• Every layer is a backup (ready to fight) in case one is breached.

• Physical - Datacenters, disks, physical hosts etc.

• Identity & Access – Access to resources & roles / privileges + logging.

• Perimeter – Sniffing for DDoS attacks before they render a service unusable.

• Network – Limiting access between resources through VNets, Subnets etc. & deny by default.

• Compute – Makes sure that VMs are safe and secure.

• Application – Makes sure that apps are safe & secure – risk assessment, pen-tests, storing credentials separate from code etc.

• Data – The crux: Internal and External data that you're protecting. Need to ensure confidentiality & integrity.
Microsoft Defender for Cloud

• Monitoring tool to assess security posture.

• Can monitor & suggest improvements for both on-prem and cloud deployments!

• Aims to safeguard cloud resources and workloads by providing advanced threat protection, security monitoring, and compliance management.

• Azure – Built in support & monitoring for many resources (PaaS mostly). On-prem & multi cloud? Deploy the Log Analytics agent to gather information.

• For multi-cloud, the assessment will be done by Defender & recommendations given for the other CSPs.

• CSD – Continually Assess (recommendations/assessment), Secure (Zero Trust) & Defend (Advanced Threat Protection & Alerts!).

Source : https://azure.microsoft.com/en-ca/products/defender-for-cloud
Factors that can affect cost

• No longer maintaining physical infrastructure.

• Hundreds of managed services at our disposal.

• CapEx -> OpEx model.

• Pay-as-you-go

Subscription Type

• Yes, there is a free version that allows access to certain services for 12 months.

• After the free trial is over, some services need to be paid for based on consumption.

• Credit can be exhausted.

Resource Type

• E.g. – i3 vs i9.

• OS for VM, size of VM (smaller is generally cheaper and bigger is expensive).

• Access Tier – Hot, Cold, Archive.

• Replication (across regions)

Resource Consumption

• Pay as you go model.

• The amount of network, storage and compute resources used impacts costs.

• Use less, pay less. Use more, pay more.

• Reserved resources also available – Up to 72% discounts!

• Committing to using & paying for a certain amount – 1 to 3 years + pay as you go also exists.

Geography

• Choosing the region where the resource is to be deployed.

• Resource cost can be different based on region – labour, maintenance, taxes etc.

• Moving data between different regions can have different charges.

Network Traffic

• Many inbound transfers (data ingress) into Azure datacenters are free. Some are NOT.

• Data egress is NOT free on many occasions.

• Inter-Region & Inter-Continental transfer is charged.
Azure Marketplace

• Like a shop with pre-built solutions from 3rd party vendors.

• Pay for the resources the solution uses + services of the vendor.

• Solutions are certified with Azure standards.

Pricing Calculator

• Web-based tool that allows you to estimate the cost of using Azure services based on your specific requirements.

• You can select the services, configurations, and regions to get cost estimates for your Azure resources.

• Estimate before you deploy! Free to use.

Total Cost of Ownership (TCO) Calculator

• Helps organizations assess the cost savings and benefits of migrating their on-premises workloads to Azure.

• It considers factors like hardware, software, labor, and data center costs to provide a TCO analysis.

• Tell it what your current infrastructure looks like & it tells you how much it costs to run the same in Azure!
Cost Management Tool

• Like having a friendly piggy-bank manager in Azure - keeps an eye on your spending and helps you make sure your cloud coins are used wisely.

• Tool within Microsoft Azure that provides organizations with comprehensive insights into their cloud spending.

• Helps them effectively manage and optimize their Azure costs.

Cost Management Tool – Key Points

• Cost Visibility - Clear and detailed view of an organization's Azure spending. It provides insights into how resources are being utilized and how costs are distributed across different Azure services, subscriptions, and departments.

• Budgeting and Forecasting - Set budgets and spending limits using Cost Management. The tool allows users to create budget plans, set alerts, and receive notifications when spending approaches or exceeds defined thresholds. It also offers forecasting capabilities based on historical spending patterns. Department spending quota alerts.

• Cost Analysis - Users can perform in-depth cost analysis to understand spending trends and identify cost optimization opportunities. The tool offers various filters and dimensions to slice and dice spending data, making it easy to analyze costs by resource type, location, tags, and more.

• Cost Allocation and Chargeback - Cost Management enables organizations to allocate costs to specific departments, projects, or cost centers. Useful for organizations that want to distribute cloud costs internally or chargeback costs to different teams.

• Resource Optimization - The tool provides recommendations and insights for optimizing Azure resources to reduce costs. It identifies underutilized or idle resources and suggests actions to right-size or decommission them.

Source: https://azure.microsoft.com/en-us/products/cost-management
Tags

• Tags allow you to categorize and label cloud resources in a way that makes sense for your organization. You can assign one or more tags to resources, such as virtual machines, storage accounts, and databases.

• This categorization helps you organize resources based on criteria like department, project, environment (dev, test, prod), owner, or cost center.

• Add tags using the Azure Portal, Azure CLI, ARM templates, REST APIs etc.

Tags – Key Points

• Cost Allocation: By tagging resources with specific cost center or department information, you can track and attribute cloud costs accurately. This is particularly valuable in organizations where multiple teams share cloud resources - helps allocate expenses to the right teams.

• Resource Management: Tags provide an additional layer of organization and management for your resources. You can use tags to filter and group resources in the Azure Portal, making it easier to find and manage specific resources, especially when you have many of them.

• Cost Reporting and Optimization: Tags are essential for detailed cost reporting and optimization efforts. Azure Cost Management and other cost analysis tools can leverage tags to provide insights into spending patterns. You can create custom reports and dashboards based on tags to track costs by various dimensions, helping identify areas for optimization.

• Security and Access Control: Tags can also be used in conjunction with Azure Role-Based Access Control (RBAC) to control access to resources. You can use tags to define specific access policies and ensure that only authorized users or teams can manage or modify tagged resources.
Azure Policy

• Like having a superhero for your cloud resources in Microsoft Azure. This superhero makes sure everything in your Azure world follows the rules and stays safe.

• A set of rules that you can define for your Azure resources.

• These rules ensure that your resources follow specific guidelines, like having the right security settings or using approved services. It's like setting house rules to keep everything in order and secure in your cloud.

• Can have both individual policies & groups of policies – initiatives. Working towards a larger goal.

• Non-compliant resources can be denied creation. Existing ones will not be deleted by default.

• Comes with Built-In policy initiatives.

• E.g. – Certain # of cores only – will disallow new ones & re-evaluate old ones.

Azure Policy – Key Points

• Scalable and Automated: Can be applied across large numbers of resources automatically, making it scalable for cloud environments.

• Enforcement at Scale: You can apply policies at various levels, such as management groups, subscriptions, or resource groups, to enforce governance consistently.

• Built-In and Custom Policies: It offers a library of built-in policies covering common scenarios, and you can create custom policies tailored to your organization's specific needs.

• Monitoring and Reporting: Azure Policy provides monitoring and reporting on policy compliance, helping you track and audit your resources.

• Integration with Azure Services: It integrates with other Azure services like Azure Monitor and Azure Security Center to enhance governance and security.
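A policy definition is a condition over a resource's fields plus an effect, and the difference between "deny" (the create/update is rejected) and "audit" (an existing resource is only marked non-compliant) is exactly the "will not be deleted by default" point above. The evaluator below is an added example, not Azure Policy's engine or code from the slides. It uses the service's own JSON rule shape, and its three constructed definitions cover an allowed-locations deny, a required costCenter tag deny (the cost-allocation tagging from the Tags section, so this one block serves both passages) and an audit for storage accounts still accepting plain HTTP. The resources are hand-built dictionaries in Resource Manager shape, and the alias resolution is a simplification of the real one.

```python
"""Added example (not from the slides): a miniature evaluator for Azure Policy
definitions written in the service's JSON rule shape – an "if" condition over
resource fields and a "then" effect. Supports field/equals/notEquals/in/notIn/
exists and the allOf/anyOf/not combinators. Policies and resources are
constructed; alias resolution is simplified."""


def _resolve(resource: dict, field: str):
    """Map a policy 'field' to the matching resource property (None if absent)."""
    if field.startswith("tags["):
        key = field[len("tags["):-1].strip("'\"")
        return resource.get("tags", {}).get(key)
    if field in ("name", "type", "location"):
        return resource.get(field)
    # An alias such as Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly
    # is treated here as '<resource type>/<path under properties>'.
    rtype = resource.get("type", "")
    if rtype and field.lower().startswith(rtype.lower() + "/"):
        value = resource.get("properties", {})
        for part in field[len(rtype) + 1:].split("/"):
            if not isinstance(value, dict):
                return None
            value = value.get(part)
        return value
    return None


def _norm(v):
    return v.lower() if isinstance(v, str) else v   # string comparisons are case-insensitive


def matches(cond: dict, resource: dict) -> bool:
    if "allOf" in cond:
        return all(matches(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not matches(cond["not"], resource)
    value = _resolve(resource, cond["field"])
    if "exists" in cond:
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    if "equals" in cond:
        return _norm(value) == _norm(cond["equals"])
    if "notEquals" in cond:
        return _norm(value) != _norm(cond["notEquals"])
    if "in" in cond:
        return _norm(value) in [_norm(x) for x in cond["in"]]
    if "notIn" in cond:
        return _norm(value) not in [_norm(x) for x in cond["notIn"]]
    raise ValueError(f"unsupported condition: {cond}")


# Constructed definitions in the real policyRule shape.
POLICIES = {
    "allowed-locations": {
        "if": {"field": "location", "notIn": ["canadacentral", "canadaeast"]},
        "then": {"effect": "deny"}},
    "require-costcenter-tag": {
        "if": {"field": "tags['costCenter']", "exists": "false"},
        "then": {"effect": "deny"}},
    "audit-storage-allowing-http": {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
            {"field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
             "notEquals": True}]},
        "then": {"effect": "audit"}},
}


def evaluate(resource: dict, policies: dict = POLICIES) -> dict:
    """Group matching policy names by effect: 'deny' blocks a create/update,
    'audit' only marks an existing resource as non-compliant."""
    hits = {"deny": [], "audit": []}
    for name, policy in policies.items():
        if matches(policy["if"], resource):
            hits.setdefault(policy["then"]["effect"], []).append(name)
    return hits


def can_create(resource: dict, policies: dict = POLICIES) -> bool:
    return not evaluate(resource, policies)["deny"]


if __name__ == "__main__":
    legacy = {"name": "stlegacy", "type": "Microsoft.Storage/storageAccounts",
              "location": "canadaeast", "tags": {},
              "properties": {"supportsHttpsTrafficOnly": False}}   # constructed
    print(evaluate(legacy), can_create(legacy))
```

Keeping audit findings separate from denials is what lets you roll a new policy out safely: assign it with the audit effect first, read the compliance report, and only switch to deny once the existing non-compliant resources have been dealt with.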
Azure Blueprints

• Azure Blueprints is like creating a whole template for your Azure environment.

• It defines a set of resources, configurations, policies, and even roles.

• It's about creating standardized and repeatable Azure environments. Use built-in or custom blueprints!

• Azure Blueprints is like having a blueprint for building an entire house with all its rooms and rules in one go.
Azure Blueprints – Key Points

1. Purpose - Aim to accelerate the creation of compliant and consistent Azure environments by providing a pre-defined set of resources, configurations, and policies.

2. Resource Templates - Include Azure Resource Manager templates, which define the infrastructure and resources to be provisioned in an environment.

3. Compliance and Auditing - Azure Blueprints helps organizations maintain compliance with regulatory requirements and industry standards. It also facilitates auditing and reporting by documenting the deployment's configuration.

4. Blueprint Artifacts - Blueprints consist of blueprint artifacts, which include resource groups, role assignments, policy assignments, and Resource Manager templates. These artifacts define the environment's structure and policies.
Azure Blueprints – Key Points

5. Versioning and Revisions - Support for versioning and revisions: maintain and update blueprints as requirements evolve.

6. Blueprint Assignments - Organizations assign blueprints to Azure subscriptions. When assigned, the blueprint artifacts are deployed, and policies are enforced within that subscription.

7. Scalable and Repeatable - Enable the creation of repeatable and scalable environments, making it easier to deploy resources consistently across multiple subscriptions.

8. Integration with Azure Policy - Azure Blueprints integrates with Azure Policy, allowing organizations to link policy assignments directly to blueprint artifacts for policy enforcement.
Resource Locks

• Like seat belts for your cloud resources.

• They help keep your resources safe and secure from unwanted changes or deletions, just like seat belts help keep you safe in a car.
Resource Locks – Key Points
1. Prevent Accidents: Just as a seat belt prevents you from getting hurt in a car accident, resource
locks prevent accidental changes or deletions of your critical Azure resources – safety measure.

2. Two Types of Locks: There are two types of resource locks: "CanNotDelete" and "ReadOnly."

1. "CanNotDelete" acts like a seat belt that doesn't let you remove the resource. You can
still make changes but can't delete it.

2. "ReadOnly" is like locking the resource in a glass case. You can't make any changes, like
a seat belt that keeps you in your seat.

3. Simple to Apply: Just like putting on a seat belt is easy, applying a resource lock is
straightforward in the Azure Portal.

4. Great for Critical Resources: You'd use resource locks for critical resources that you never want
to delete accidentally, like important databases or production servers.

5. Flexibility: Resource locks can be applied at different levels, such as a resource group or a single
resource.

6. Remember to Unlock: Just like you need to unbuckle your seat belt when you're out of the car,
you should remember to remove resource locks when they're no longer needed.

7. Visual Reminder: When a resource has a lock, it's like seeing a bright-colored seat belt in the
car—it reminds you to be cautious.
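To show what the two lock types and the "different levels" point mean in practice, here is an added example (not from the slides and not Azure's own code): a small model of how a lock applied at a resource group is inherited by every resource inside it, and which operations CanNotDelete and ReadOnly each block. The resource ids and the lock placements are constructed for the example.

```python
# Added example, not from the slides: models how Azure resource locks inherit
# down the scope chain (subscription -> resource group -> resource) and how
# the two lock levels restrict requests. Scope ids below are constructed.

# Locks recorded at the scope where they were applied (constructed sample).
LOCKS = {
    "/subscriptions/sub1/resourceGroups/prod-rg": "CanNotDelete",
    "/subscriptions/sub1/resourceGroups/prod-rg/providers/"
    "Microsoft.Sql/servers/billing-db": "ReadOnly",
}

# Operations each lock level blocks; neither level restricts reads.
BLOCKED_BY = {"CanNotDelete": {"delete"}, "ReadOnly": {"delete", "write"}}


def scope_chain(resource_id):
    """Yield the resource id, then its resource group, then its subscription."""
    parts = resource_id.strip("/").split("/")
    yield resource_id
    if "providers" in parts:              # child resource -> its resource group
        yield "/" + "/".join(parts[:parts.index("providers")])
    if "resourceGroups" in parts:         # resource group -> its subscription
        yield "/" + "/".join(parts[:parts.index("resourceGroups")])


def effective_locks(resource_id, locks=LOCKS):
    """Locks set on the resource itself or inherited from any parent scope."""
    return {s: locks[s] for s in scope_chain(resource_id) if s in locks}


def is_blocked(resource_id, operation, locks=LOCKS):
    """Return the scope whose lock blocks the operation, or None if permitted.
    A lock at any level of the chain applies, regardless of where it was set."""
    for scope, level in effective_locks(resource_id, locks).items():
        if operation in BLOCKED_BY[level]:
            return scope
    return None
```

A VM in prod-rg cannot be deleted because of the group-level lock even though no lock is set on the VM itself, while the ReadOnly lock on billing-db also blocks writes.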
Azure Service Trust Portal

• One stop shop to get information relating to Microsoft security, compliance and privacy.

• This portal is like a mission control center where you can see all the operations and strategies to protect your digital world.

• Safety Blueprints: Just like superheroes have blueprints for their secret hideouts, Azure Service Trust Portal has blueprints for keeping your data safe. These blueprints are called compliance reports.

• Safe Data Centers: This portal shows you how Microsoft builds super-secure data centers, where your digital treasures are stored.

• Privacy Shields: Azure Service Trust Portal has privacy shields (compliance certifications) to ensure that your personal data is handled with care.
Tools for interacting with Azure

• 3 main ways to manage & maintain your environment – Azure Portal, Azure CLI, Azure PowerShell.

• Azure Portal - Web-based interface that provides a graphical and user-friendly way to manage and monitor your Azure resources. You can create, configure, and monitor resources using this portal. 0 downtime for maintenance activities!

• Azure Cloud Shell – Browser-based shell that needs no local installation or configuration. Deploy, manage and change environments using the shell of your choice – Azure PowerShell or Azure CLI (Bash based).

• Azure PowerShell – Run cmdlets (command-lets, a series of commands) on the cloud to deploy or delete resources (one or many). Can be automated. Under the hood, the Azure REST API is called to do it all. Available on Windows, Linux, Mac!

• Azure CLI – Uses Bash-style commands! An alternative syntax, that's all; everything else is the same as Azure PowerShell.
Azure Resource Manager (ARM)

• Azure’s deployment and management service.

• Creating, updating, managing resources – ARM will step in.

• Like having a super organized master planner for building your dream Lego city in the cloud. It helps you assemble all the pieces (resources) together, just the way you want.

• Lifecycle: Portal, SDK, CLI -> ARM -> Resource -> Request completed.

• Uses templates (JSON files) instead of scripts! You can be confident that resources will be created consistently.
Azure Resource Manager (ARM) –
Key Points

1. The Lego Master Planner: ARM is like the Lego master planner who knows
exactly how to build your dream city in the cloud.

2. Resource Organizer: It helps you keep all your Lego pieces (resources like virtual
machines, databases, and networks) in one neat box, called a resource group.

3. Resource Relationships: ARM knows which Lego pieces fit together. It's like
having a guide that tells you which resources depend on others.

4. One-Stop Shop: You can use ARM to create, update, and delete all your
resources in one go. It's like getting everything you need from one store.

5. Tagging and Sorting: ARM can also label and sort your Lego pieces. It's like
having labels on your Lego bricks so you know which ones belong where.
Azure Resource Manager (ARM) – Templates

• All about Infrastructure as Code (IaC) – Use code to deploy resources (Portal, PowerShell, CLI).

• Two main categories – ARM templates & Bicep.

• ARM – Define the resources in a JSON format. The template is verified first, and resource creation is parallelized.

• You can rest assured that the results are repeatable, can be orchestrated & declarative (tell what you want but don’t write code).

• Bicep – Also declarative, but a much simpler and more concise file. Comes with the benefit of modularity & support for all resources & APIs.
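The "resource relationships" point on the ARM key-points slide and the "creation is parallelized" point above are the same mechanism: ARM reads each resource's dependsOn list and creates independent resources side by side. Here is an added example (not from the slides and not ARM's own code) that takes a constructed ARM template, follows dependsOn, and groups the resources into deployment waves; dependsOn entries use plain resource names, which ARM accepts, instead of the resourceId() expressions most templates use.

```python
# Added example, not from the slides: reads the "resources" array of an ARM
# template (JSON), follows each resource's dependsOn entries, and groups the
# resources into deployment waves. Everything in one wave can be created in
# parallel; the next wave starts once the previous one has finished.
import json

# Constructed template: VM -> NIC -> (VNet, NSG). Names stand in for resourceId().
TEMPLATE = json.loads("""{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {"type": "Microsoft.Network/virtualNetworks", "name": "vnet", "dependsOn": []},
    {"type": "Microsoft.Network/networkSecurityGroups", "name": "web-nsg", "dependsOn": []},
    {"type": "Microsoft.Network/networkInterfaces", "name": "web-nic",
     "dependsOn": ["vnet", "web-nsg"]},
    {"type": "Microsoft.Compute/virtualMachines", "name": "web01",
     "dependsOn": ["web-nic"]}
  ]
}""")


def deployment_waves(template):
    """Topologically group resources by dependsOn. Raises on a dependency that
    is not declared in the template and on a dependency cycle, the two errors
    ARM's own template validation rejects before deploying anything."""
    deps = {r["name"]: set(r.get("dependsOn", [])) for r in template["resources"]}
    unknown = set().union(*deps.values()) - set(deps)
    if unknown:
        raise ValueError(f"dependsOn refers to undeclared resources: {sorted(unknown)}")
    waves, done = [], set()
    while len(done) < len(deps):
        # A resource is ready once every resource it depends on has been created.
        ready = sorted(n for n, d in deps.items() if n not in done and d <= done)
        if not ready:
            raise ValueError("circular dependsOn detected")
        waves.append(ready)
        done.update(ready)
    return waves
```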
Azure Advisor

• Azure Advisor is like having a wise and friendly guru in the cloud who helps you save money, improve your cloud efficiency, and follow best practices. It's like getting expert advice for your digital kingdom.

• Can view these recommendations through portal or API – set up notifications when new suggestions are available. Filtering is also possible to narrow the scope.

• Recommendations are broken into 5 categories – COPSR (Cost, Operational Excellence, Performance, Security, Reliability).

• Helps to save money, implement best practices, and optimize resources.
Azure Advisor

• Cost – To spend less overall.

• Operational Excellence – To implement best practices & achieve maximum efficiency.

• Performance – Improve performance & throughput of applications & overall environment.

• Security – Improve overall security measures & combat security threats.

• Reliability - Ensuring that apps & env. remain available & robust.
Azure Monitor

• Azure Monitor is like having superhero senses for your cloud resources. It gives you the ability to see, hear, and feel what's happening in your digital world – Azure, multi-cloud, hybrid!

• Azure Monitor collects data from various sources, including performance metrics, application logs, infrastructure logs, and more. It can gather data from Azure resources, operating systems, applications, and even custom sources.

• Put together dashboards (Power BI) to monitor everything in real-time or even get alerts sent to you through SMS!

• It provides two main types of data: metrics and logs. Metrics are numerical measurements that describe the performance of a resource, such as CPU usage or network traffic. Logs are textual records of events and activities, which can include error messages, security events, and application traces.
Azure Log Analytics

• Logs are textual records of events and activities, which can include error messages, security events, and application traces.

• Serves as a centralized repository for log and telemetry data generated by Azure resources and on-premises systems. It consolidates data from various sources into one location for analysis.

• It can collect data from a wide range of sources, including virtual machines, containers, Azure services, custom applications, and third-party tools. This data includes logs, metrics, events, and traces.

• Run queries to analyze the data collected by Azure Monitor. Supports both simple and complex queries.
Azure Monitor Alerts

• Set thresholds & when they’re crossed, get notified!

• E.g., DB has crossed 85% of total capacity - running out of space.

• Take corrective action – deploy more if you set it up that way.

• Action Group – Notification + Action (who to alert and what to do in response).
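The slide's database example, worked through as an added example (not from the slides and not Azure's own code): a metric alert rule aggregates the samples inside a lookback window, compares the aggregate with the threshold, and on a breach hands off to its action group, which carries both the notification and the automated response. The samples, rule and action group are constructed for the example.

```python
# Added example, not from the slides: models how an Azure Monitor metric alert
# rule works. Samples are aggregated over a lookback window, the aggregate is
# compared with the threshold, and on a breach the rule's action group is
# invoked (notification plus automated action). All inputs are constructed.
from statistics import mean

# Constructed: one-minute samples of a database's storage-used percentage.
SAMPLES = [(0, 70.0), (1, 72.5), (2, 80.0), (3, 84.0), (4, 88.0), (5, 91.0)]

RULE = {"metric": "storage_percent", "operator": "GreaterThan",
        "threshold": 85.0, "aggregation": "Average", "window_minutes": 3,
        "action_group": "db-oncall"}

# Action group: who to notify and what to run when the alert fires (constructed).
ACTION_GROUPS = {"db-oncall": {"sms": ["+1-555-0100"],
                               "automation": "scale-up-db-storage"}}

AGGREGATE = {"Average": mean, "Maximum": max, "Minimum": min}
COMPARE = {"GreaterThan": lambda v, t: v > t, "LessThan": lambda v, t: v < t}


def evaluate_rule(rule, samples, now):
    """Aggregate the samples in the window ending at 'now' and compare with
    the threshold. Returns (fired, aggregate); no data means no alert."""
    window = [v for t, v in samples if now - rule["window_minutes"] < t <= now]
    if not window:
        return False, None
    value = AGGREGATE[rule["aggregation"]](window)
    return COMPARE[rule["operator"]](value, rule["threshold"]), value


def run_alert(rule, samples, now, action_groups=ACTION_GROUPS):
    """Evaluate the rule and, when it fires, return what the action group
    would do: the SMS recipients to notify and the automation to run."""
    fired, value = evaluate_rule(rule, samples, now)
    if not fired:
        return {"fired": False, "value": value}
    group = action_groups[rule["action_group"]]
    return {"fired": True, "value": value,
            "notify": group["sms"], "run": group["automation"]}
```

Averaging over the window means a single spike does not page anyone; the rule only fires once the three-minute average itself is above 85%.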
Azure Application Insights

• Monitoring but for Web Apps.

• All environments supported like Azure Monitor.

• 2 ways – SDK in your app, or App Insights agent.

• KPIs like response rates, page load performance, user count etc.

• Rich Dashboards: Application Insights offers customizable dashboards and interactive charts that allow you to visualize data, track performance metrics, and identify bottlenecks.

• End-to-End Tracing: It provides end-to-end tracing capabilities, allowing you to track requests as they flow through different components of your application stack, from the frontend to the backend.
Azure Service Health

• Like a doctor that tells you the health of your resources individually & the health of Azure’s global infrastructure!

• Azure Status – Health of Azure overall across the world: what services & regions are affected, issues & anomalies etc.

• Service Health – Health of regions and services that YOU are using.

• Resource Health - Health of your individual resources & whether they are affected.