
Exam Ref Az-900 Microsoft Azure Fundamentals 3rd Edition

Exam Ref AZ-900

Microsoft Azure
Fundamentals
Third Edition

Jim Cheshire
Exam Ref AZ-900 Microsoft Azure Fundamentals, Third Edition

Published with the authorization of Microsoft Corporation by:
Pearson Education, Inc.

COPYRIGHT © 2023 BY PEARSON EDUCATION, INC.
All rights reserved. This publication is protected by copyright, and permission must be obtained from the publisher prior to any prohibited reproduction, storage in a retrieval system, or transmission in any form or by any means, electronic, mechanical, photocopying, recording, or likewise. For information regarding permissions, request forms, and the appropriate contacts within the Pearson Education Global Rights & Permissions Department, please visit www.pearson.com/permissions.

No patent liability is assumed with respect to the use of the information contained herein. Although every precaution has been taken in the preparation of this book, the publisher and author assume no responsibility for errors or omissions. Nor is any liability assumed for damages resulting from the use of the information contained herein.

ISBN-13: 978-0-13-795514-5
ISBN-10: 0-13-795514-6
Library of Congress Control Number: On file

TRADEMARKS
Microsoft and the trademarks listed at http://www.microsoft.com on the “Trademarks” webpage are trademarks of the Microsoft group of companies. All other marks are property of their respective owners.

WARNING AND DISCLAIMER
Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied. The information provided is on an “as is” basis. The author, the publisher, and Microsoft Corporation shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the programs accompanying it.

EDITOR-IN-CHIEF: Brett Bartow
EXECUTIVE EDITOR: Loretta Yates
SPONSORING EDITOR: Charvi Arora
DEVELOPMENT EDITOR: Rick Kughen
MANAGING EDITOR: Sandra Schroeder
SENIOR PROJECT EDITOR: Tracey Croom
COPY EDITOR: Rick Kughen
INDEXER: Valerie Haynes Perry
PROOFREADER: Dan Foster
TECHNICAL EDITOR: Tim Warner
EDITORIAL ASSISTANT: Cindy Teeters
COVER DESIGNER: Twist Creative, Seattle
COMPOSITOR: Danielle Foster

Contents at a glance

Introduction
CHAPTER 1 Describe cloud computing
CHAPTER 2 Describe Azure architecture and services
CHAPTER 3 Describe Azure management and governance
Index

Contents

Introduction
  Organization of this book
  Preparing for the exam
  Microsoft certifications
  Quick access to online references
  Errata, updates & book support
  Stay in touch

Chapter 1 Describe cloud computing
  Skill 1.1: Describe cloud computing
    Cloud computing
    Shared responsibility model
    Cloud models
    The consumption-based model
    Comparing cloud models
  Skill 1.2: Describe the benefits of using cloud services
    High availability and scalability
    Reliability and predictability
    Security and governance
    Manageability in the cloud
  Skill 1.3: Describe cloud service types
    Infrastructure-as-a-Service (IaaS)
    Platform-as-a-Service (PaaS)
    Software-as-a-Service (SaaS)
    Use cases for each cloud service type
  Thought experiment
  Thought experiment answers
  Chapter summary

Chapter 2 Describe Azure architecture and services
  Skill 2.1: Describe the core architectural components of Azure
    Azure regions, regional pairs, and sovereign regions
    Availability zones
    Azure datacenters
    Azure resources and resource groups
    Azure subscriptions
    Management groups
    Hierarchy of resource groups, subscriptions, and management groups
  Skill 2.2: Describe Azure compute and networking services
    Compute types
    Options for Azure virtual machines
    Resources required for virtual machines
    Application hosting options
    Virtual networking
  Skill 2.3: Describe Azure Storage services
    Azure Storage services
    Storage tiers
    Redundancy options
    Storage accounts and storage types
    Moving files to and from Azure Storage
    Migrating to Azure
  Skill 2.4: Describe Azure identity, access, and security
    Directory services in Azure
    Authentication methods in Azure
    External identities and guest access
    Azure AD Conditional Access
    Role-based access control (RBAC)
    Defense in depth and Zero-trust
    Microsoft Defender for Cloud
  Thought experiment
    Governing VMs and keeping them available
    Minimizing expenses for small workloads
    Fault-tolerant VMs
    Cost-effective app usage
    Fast and easy web app management
    Connecting VNets and DNS management
    Storage migration, security, and governance
    Effective and secure collaboration with resources
  Thought experiment answers
    Governing VMs and keeping them available
    Minimizing expenses for small workloads
    Fault-tolerant VMs
    Cost-effective app usage
    Fast and easy web app management
    Connecting VNets and DNS management
    Storage migration, security, and governance
    Effective and secure collaboration with resources
  Chapter summary

Chapter 3 Describe Azure management and governance
  Skill 3.1: Describe cost management in Azure
    Factors that can affect costs
    Reducing Azure costs
    Pricing calculator and Total Cost of Ownership (TCO) calculator
    Total Cost of Ownership calculator
    Azure Cost Management and Billing
    Tags
  Skill 3.2: Describe features and tools in Azure for governance and compliance
    Azure Blueprints
    Azure Policy
    Resource locks
    Service Trust Portal
  Skill 3.3: Describe features and tools for managing and deploying Azure resources
    Azure portal
    Azure PowerShell
    Azure command-line interface (CLI)
    Azure Cloud Shell
    Azure Arc
    Azure Resource Manager (ARM) and ARM templates
  Skill 3.4: Describe monitoring tools in Azure
    Azure Advisor
    Azure Service Health
    Azure Monitor
  Thought experiment
    Forecasting expenses
    Categorizing expenses
    Applying governance to resources
    Preventing the deletion of resources
    Effective deployment of Azure resources
    Monitoring application performance
    Reporting on the health of resources
  Thought experiment answers
    Forecasting expenses
    Categorizing expenses
    Applying governance to resources
    Preventing the deletion of resources
    Effective deployment of Azure resources
    Monitoring application performance
    Reporting on the health of resources
  Chapter summary

Index

Acknowledgments

I’d like to express my deep gratitude to the following people, without whom this book would not have been possible.

Thank you to Loretta Yates for bringing me into this project. After two decades of working together on numerous projects, you still seem to find a way to bring freshness and excitement to each one. Thank you, Rick Kughen, for painstakingly editing every corner of this book to make it a better reading experience. Thanks to Tim for all the times you made me take a second look at my approach and for adding real value with your ideas. Thanks to Charvi Arora for taking care of all the details that keep everything on track. Finally, thank you to all the people at Microsoft Press who worked so hard to create this book from the digital manuscript.

About the author

Jim Cheshire is a technology enthusiast with more than 25 years of experience in various roles within IT. Jim has authored more than 15 books on technology, and he’s held numerous training sessions on Microsoft Azure, both in private enterprises and through Safari’s Live Training program. You can follow Jim and interact with him on LinkedIn at https://www.linkedin.com/in/jimcheshire. Jim is in his 24th year at Microsoft, and he’s currently focused on the technical skilling strategy for Microsoft’s developer offerings, Microsoft Azure, and Microsoft Windows.

Introduction

Both businesses and individuals are adopting cloud technologies at a breakneck pace, and Microsoft Azure is often the choice for cloud-based applications and services. The purpose of the AZ-900 exam is to test your understanding of the fundamentals of Azure. The exam includes high-level concepts that apply across all of Azure to important concepts specific to particular services of Azure. Like the exam, this book is geared toward giving you a broad understanding of Azure itself as well as many common services and components in Azure.

While we’ve made every effort possible to make the information in this book accurate, Azure is rapidly evolving. There’s a chance that some of the screens in the Azure portal are slightly different now than when this book was written. It’s also possible that other minor changes have taken place, such as minor name changes in features and so on.

In this edition of the book, we’ve meticulously reviewed the content in the first two editions and updated everything to reflect the current state of Azure. We’ve also reorganized the book and added new content to reflect the current state of the AZ-900 exam. Microsoft has recently added new concepts, services, and Azure features to the AZ-900 exam, and we’ve added those to this edition. We’ve also corrected a few things and made quite a few changes based on reader feedback from the first two editions.

This book covers every major topic area found on the exam, but it does not cover every exam question. Only the Microsoft exam team has access to the exam questions, and Microsoft regularly adds new questions to the exam, making it impossible to cover specific questions. You should consider this book a supplement to your relevant real-world experience and other study materials. In many cases, we’ve provided links in the “More Info” sections of the book, and these links are a great source for additional study.

Organization of this book


This book is organized by the “Skills measured” list published for the exam. The “Skills measured” list is available for each exam on the Microsoft Learn website: http://microsoft.com/learn. Each chapter in this book corresponds to a major topic area in the list, and the technical tasks in each topic area determine a chapter’s organization. Because the AZ-900 exam covers three major topic areas, this book contains three chapters.

Preparing for the exam
Microsoft certification exams are a great way to build your resume and let the world know about your level of expertise. Certification exams validate your on-the-job experience and product knowledge. Although there is no substitute for on-the-job experience, preparation through study and hands-on practice can help you prepare for the exam. We recommend that you augment your exam preparation plan by using a combination of available study materials and courses. For example, you might use the Exam Ref and another study guide for your “at-home” preparation and take a Microsoft Official Curriculum course for the classroom experience. Choose the combination that you think works best for you.

Note that this Exam Ref is based on publicly available information about the exam and the author’s experience. To safeguard the integrity of the exam, authors do not have access to the live exam.

Microsoft certifications
Microsoft certifications distinguish you by proving your command of a broad set of skills and experience with current Microsoft products and technologies. The exams and corresponding certifications are developed to validate your mastery of critical competencies as you design and develop, or implement and support, solutions with Microsoft products and technologies both on-premises and in the cloud. Certification brings a variety of benefits to the individual and to employers and organizations.

MORE INFO ALL MICROSOFT CERTIFICATIONS


For information about Microsoft certifications, including a full list of available certifications, go to http://www.microsoft.com/learn.

Quick access to online references


Throughout this book are addresses to webpages that the author has recommended you visit for more information. Some of these links can be very long and painstaking to type, so we’ve shortened them for you to make them easier to visit. We’ve also compiled them into a single list that readers of the print edition can refer to while they read.

Download the list at MicrosoftPressStore.com/ExamRefAZ9003e/downloads

The URLs are organized by chapter and heading. Whenever you come across a URL in the book, find the hyperlink in the list to go directly to the webpage.

Errata, updates & book support
We’ve made every effort to ensure the accuracy of this book and its companion content. You can access updates to this book—in the form of a list of submitted errata and their related corrections—at:

MicrosoftPressStore.com/ExamRefAZ9003e/errata

If you discover an error that is not already listed, please submit it to us at the same page.

For additional book support and information, please visit MicrosoftPressStore.com/Support.

Please note that product support for Microsoft software and hardware is not offered through the previous addresses. For help with Microsoft software or hardware, go to http://support.microsoft.com.

Stay in touch
Let’s keep the conversation going! We’re on Twitter: http://twitter.com/MicrosoftPress.

CHAPTER 2

Describe Azure architecture and services

In Chapter 1, “Describe cloud computing,” you learned about the cloud and how you can benefit from using cloud services. Microsoft Azure was mentioned, but not in much detail.

In this chapter, we dive into the many services and solutions that Azure offers. You’ll gain an understanding of the key concepts in Azure’s architecture, which apply to all Azure services. We cover Azure datacenters and ways that Microsoft implements fault tolerance and disaster recovery by spreading Azure infrastructure across the globe. You’ll also learn about availability zones, which are Microsoft’s solution for ensuring your services aren’t affected when a particular Azure datacenter experiences a problem.

You’ll also discover how to manage and track your Azure resources and how you can work with resources as a group using Azure resource groups. You’ll learn how to use resource groups to plan and manage Azure resources and how resource groups can help you categorize your operational expenses in Azure.

Once you have the foundational understanding of Azure, you’ll dig into some of the compute and networking services in Azure. You’ll learn about Azure Virtual Machines and Virtual Machine Scale Sets. You’ll learn about some of the application hosting options such as Azure App Service, and you’ll learn about networking services in Azure, such as Azure Virtual Networks, Azure DNS, and Azure VPN Gateway.

We’ll then look at some of the storage services in Azure. You’ll learn about storage tiers and redundancy options, and we’ll look at how you can move files into Azure Storage easily.

We’ll close out the chapter with a discussion of identity, access, and security. You’ll learn about Azure Active Directory and authentication methods in Azure. You’ll also learn about how you can control access to your Azure resources and your options for keeping them secure.

If you think that’s a lot to cover, you’re right! It’s important for you to understand all these topics to pass the AZ-900 exam. With the foundational knowledge of the cloud from Chapter 1, “Describe cloud computing,” you’ll find that understanding Azure-specific concepts will be easier than you think.

Skills covered in this chapter:
■ Describe the core architectural components of Azure
■ Describe Azure compute and networking services
■ Describe Azure Storage services
■ Describe Azure identity, access, and security

Skill 2.1: Describe the core architectural components of Azure

If you were to ask any CEO to list the five most important assets of their company, it is likely that the company’s data would be near the top of the list. The world we live in revolves around data. Just look at companies like Meta (the company that owns Facebook) and Google. These companies offer services to us that we like. Everyone likes looking at pictures from friends and family on Facebook (mixed in with things we don’t like so much), and many people use Google to look for things on the internet. Meta and Google don’t offer those services because they want to be nice to us. They offer those services because it’s a way for them to collect a large amount of data on their customers, and that data is their most valuable asset.

Meta and Google aren’t alone. Most companies have vast amounts of data that is key to their business, and keeping that data safe is at the cornerstone of business decisions. That’s why some companies are hesitant to move to the cloud. They’re afraid of losing control of their data. Not only are they afraid that someone else might gain access to sensitive data, but they’re also concerned about losing data that would be difficult or even impossible to re-create.

Microsoft is keenly aware of those fears, and Azure has been designed from the ground up to instill confidence in this area. Let’s look at some core architectural components that help Microsoft deliver on the cloud promise.

This section covers:


■ Azure regions, regional pairs, and sovereign regions
■ Availability zones
■ Azure datacenters
■ Azure resources and resource groups
■ Azure subscriptions
■ Management groups
■ Hierarchy of resource groups, subscriptions, and management groups



Azure regions, regional pairs, and sovereign regions
The term “cloud” tends to make people think of Azure as a nebulous entity that you can’t clearly see, but that would be a mistake. While there certainly are logical constructs to Azure, there are also physical components to it. After all, at the end of the day, we’re talking about computers!

In order to provide Azure services to people around the world, Microsoft has created boundaries called geographies. A geography boundary is oftentimes the border of a country, and there’s good reason for that. There are often regulations for data handling that apply to an entire country, and having a geography defined for a country allows Microsoft to ensure that data-handling regulations are in place. Many companies (especially ones that deal with sensitive data) are also much more comfortable if their data is contained within the confines of the country in which they operate.

There are numerous geographies in Azure. For example, there’s a United States geography, a Canada geography, a UK geography, and so on. Each geography is broken out into two or more regions, each of which is typically hundreds of miles apart. As an example, within the United States geography, there are many regions, including the Central US region in Iowa, the East US region in Virginia, the West US region in California, and the South Central US region in Texas. Microsoft also operates isolated regions that are completely dedicated to government data because of the additional regulations that governmental data requires.

Within each geography, Microsoft has created another logical boundary called a regional pair. Each regional pair contains two regions within the geography. When Microsoft must perform updates to the Azure platform, they perform those updates on one region in the regional pair. Once those updates are complete, they move to the next region in the regional pair. This ensures that the availability of your services operating within a regional pair isn’t impacted by updates.

MORE INFO REGIONAL PAIRS


To benefit from regional pairs, you should make sure to deploy resources redundantly to each region within the pair. You can find a list of all regional pairs by browsing to https://bit.ly/az900-regionpairs.

EXAM TIP
The fact that each geography contains at least two regions separated by a large physical distance is important. That’s how Azure maintains disaster recovery, and it’s likely this concept will be included on the exam.

Microsoft provides tools to control the use of Azure resources to meet corporate policies, but some compliance requirements can’t be met by simply applying policies. For example, some government compliance scenarios require that data stays within the United States of America and that only citizens of the United States have any access to systems used to store that data. You can’t meet this requirement with policies. In fact, you can’t meet that requirement at all in the public cloud. To address this type of issue, Microsoft has several sovereign clouds that are separated from their public cloud offerings.

To address concerns related to the government of the United States, Microsoft developed completely isolated Azure datacenters that make up the Azure Government cloud. Azure Government datacenters are separate from public datacenters. All employees working in Azure Government are screened and are citizens of the US. Even Microsoft employees who provide technical support to Azure Government customers are required to be US citizens.

Because Microsoft also wanted to allow for compliant communication between the Azure Government cloud and on-premises government systems, they also developed dedicated networking infrastructure that is completely isolated from other Azure networks and that uses its own dedicated fiber-optic components.

Azure Government isn’t only for federal government agencies. Cities and municipalities also take advantage of Azure Government for compliance. When a customer signs up for Azure Government, Microsoft vets that user to ensure they are representative of a government agency. Only then are they given a subscription to Azure Government.

The Azure Government cloud has all the same features and services as the public cloud, but there are small differences. For example, the portal for Azure Government is located at https://portal.azure.us instead of https://portal.azure.com. URLs for Azure services also use the .us top-level domain, so if you create an App Service web app in Azure Government, your default domain name is https://webapp.azurewebsites.us. However, outside of that difference, everything else is the same, so developers who have a skill set in cloud development in Azure will find that their skills transfer directly to Azure Government.

The United States Department of Defense has additional compliance requirements called DoD Impact Level 5 Provisional Authorization. Compliance with this relates to controlled unclassified information that requires additional levels of protection. These additional DoD requirements are met by a subset of datacenters within Azure Government that are approved for DoD usage.

Microsoft also understands that the strict requirements in the EU need a unique approach, so they developed another sovereign cloud called Azure Germany. Much like Azure Government, Azure Germany is a distinct cloud system that’s designed to meet specific compliance needs. Azure Germany is available to customers doing business in the EU, the European Free Trade Association, and the UK.

Azure Germany datacenters are physically located in Germany and are operated under strict security measures by a local company named T-Systems International (a subsidiary of Deutsche Telekom) that operates as a data trustee. The data trustee has full control over all data stored in Azure Germany and all the infrastructure used to house that data. Microsoft is involved in managing only those systems that have no access at all to customer data.



Another region where Azure has specific requirements is China. Microsoft operates another separate cloud in China called Microsoft Azure China. Azure China is operated by Shanghai Blue Cloud Technology Co., Ltd. (frequently referred to as simply Blue Cloud). Blue Cloud is owned by Beijing 21Vianet Broadband Data Center Co., Ltd. (often called 21Vianet), an internet and datacenter service provider in China. Because of this relationship, you may see Azure China referred to as “Microsoft Azure operated by 21Vianet” or simply “Azure 21Vianet.”

Azure China doesn’t offer the full set of features offered in other Azure clouds, but Microsoft is working hard to add additional features and services. For all the details on what is and isn’t offered in Azure China, browse to https://bit.ly/az900-azurechina.

Availability zones
The fact that regions are physically separated by hundreds of miles protects Azure users from data loss and application outages caused by disasters in a particular region. However, it’s also important that data and applications maintain availability when a problem occurs at a particular building within a region. For that reason, Microsoft developed availability zones.

NOTE AVAILABILITY ZONE AVAILABILITY

Availability zones aren’t available in all Azure regions, nor are they available for all Azure services in regions that support them. For the most up-to-date list of availability zone-enabled regions and services, see https://bit.ly/az900-azones.

There are at least three availability zones within each enabled region, and each availability zone has a water supply, cooling system, network, and power supply that is isolated from other zones. By deploying an Azure service in two or more availability zones, you can achieve high availability in a situation where there is a problem in one zone.

EXAM TIP
Availability zones provide high availability and fault tolerance, but they might not help you with disaster recovery. If there is a localized disaster, such as a fire in a datacenter that houses one zone, you will benefit from availability zones. Because availability zones are in the same Azure region, if there is a large-scale natural disaster such as a tornado, you might not be protected. In other words, availability zones are just one facet to an overall disaster recovery and fault-tolerant design.

Because availability zones are designed to offer enhanced availability for infrastructure, not all services support availability zones. For example, Azure has a service called App Service Certificates that allows you to purchase and manage an SSL certificate through Azure. It wouldn’t make any sense to host a certificate in App Service Certificates within an availability zone because it’s not an infrastructure component.



By deploying your service to two or more availability zones, you ensure the maximum availability for that resource. In fact, Microsoft guarantees 99.99 percent uptime for Azure virtual machines only if two or more VMs are deployed into two or more zones. Figure 2-1 illustrates the benefit of running in multiple zones. As you can see, even though availability zone 3 has gone offline for some reason, zones 1 and 2 are still operational.

FIGURE 2-1 Azure virtual machine inside of three availability zones

NOTE THE STATUS OF AZURE

Microsoft operates a website that shows the status of all Azure services. If you notice a
problem with your resources, you can check the Azure Status page at https://status.azure.com.

EXAM TIP
Don’t confuse availability zones with availability sets. Availability sets allow you to create
two or more virtual machines in different physical server racks in an Azure datacenter.
Microsoft guarantees a 99.95 percent SLA with an availability set.
An availability zone allows you to deploy to two or more distinct datacenters (physical
buildings within a region. Microsoft guarantees a 99.99 percent SLA with availability zones.

There are two categories of services that support availability zones: zonal services and
zone-redundant services. Zonal services are services such as virtual machines, managed disks used in
a virtual machine, and public IP addresses used in virtual machines. To achieve high availability,
you must explicitly deploy zonal services into two or more zones.

NOTE MANAGED DISKS AND PUBLIC IP ADDRESSES

When you create a virtual machine in Azure and you deploy it to an availability zone, Azure
will automatically deploy the managed disk(s) and public IP address (if one is configured) to
the same availability zone.

Zone-redundant services are services such as zone-redundant storage and SQL databases.
To use availability zones with these services, you specify the option to make them zone
redundant when you create them. For storage, the feature is called ZRS, or zone-redundant storage.
For SQL Database, there is an option to make the database zone redundant. Azure takes care
of the rest for you by replicating data automatically to multiple availability zones.

Azure datacenters
At each region, Microsoft has built datacenters (physical buildings that contain the physical
hardware that Azure uses). These datacenters contain climate-controlled buildings that house
the server racks containing physical computer hardware. Each region also operates on its own
network infrastructure, and Microsoft has designed the networks for low latency. Therefore,
any Azure services you have in a particular region will have reliable and fast network
connectivity with each other.

MORE INFO CUSTOMERS ONLY SEE REGIONS


When a customer is creating Azure resources, only the region is visible. The concept of
geographies is an internal implementation of Azure that customers don’t really have
visibility of when using Azure. Customers also don’t have visibility into the concept of
regional pairs, but they can see each region within a regional pair.

Each datacenter has an isolated power supply and power generators in case of a power
outage. All the network traffic entering and exiting the datacenter goes over Microsoft's own
fiber-optic network on fiber owned or leased by Microsoft. Even data that flows between
regions across oceans travels over Microsoft's fiber-optic cables that traverse the oceans.

MORE INFO DATACENTER POWER


A 0 study found that Microsoft Azure was up to 93 percent more efficient than using
on-premises services, and by 0 5, Microsoft is committed to 00 percent renewable energy
in Azure datacenters.
To remove reliance on third-party power providers, Microsoft is also investing in the
development of natural gas-powered, fully integrated fuel cells for power. Not only do fuel cells
provide clean power, but they also remove the power fluctuations and other disadvantages
of relying on the power grid. In late July 0 0, Microsoft announced that it had developed a
hydrogen-fueled cell that could run an Azure datacenter for consecutive hours.

To ensure that data in Azure is safe from disasters and failures caused by possible problems
in a particular region, customers are encouraged to replicate data in multiple regions. For
example, if the South Central US region is hit by a devastating tornado (not out of the
question in Texas), data that is also replicated to the North Central US region in Illinois is still safe
and available. To ensure that applications are still performing as quickly as possible, Microsoft
guarantees round-trip network performance of 2 milliseconds or less between regions.

Azure resources and resource groups
You might think that moving to the cloud isn't as simple as it first seemed. Creating a single
resource in Azure is pretty simple, but most Azure services are made up of many resources.
For example, when you create a virtual machine, you're creating a virtual network, a network
adapter, an IP address, a disk, and many other resources. Virtual machines aren't unique in this
respect. A single Azure deployment is typically made up of many Azure resources, some of
which you explicitly create and others that are created implicitly by Azure.

Now add the complexity when you're dealing with enterprise-level applications that consist
of a complex array of Azure services or applications that involve multiple layers of complexity
spread across multiple Azure regions. Things can certainly get chaotic quickly.

Fortunately, Azure provides a feature that helps you deal with this kind of problem: the
resource group. A resource group is a logical container for Azure resources. By creating all Azure
resources associated with a particular application in a single resource group, you can then
deploy and manage all those resources as a single entity.

Organizing Azure resources in a resource group has many advantages. You can easily set
up deployments using a feature known as an Azure Resource Manager (ARM) template. ARM
template deployments are typically for a single resource group. You can deploy to multiple
resource groups, but doing so requires you to set up a complicated chain of ARM templates.

MORE INFO MORE ON ARM TEMPLATES


You’ll learn more about ARM templates in Skill 3.3, “Describe features and tools for managing
and deploying Azure resources,” in Chapter 3.

Another advantage to resource groups is that you can name a resource group with an easily
recognizable name so that you can see all Azure resources used in a particular application at a
glance. This might not seem so important until you start deploying Azure resources and realize
that you have many more resources than you first thought. If you're looking at all your Azure
resources, it can be hard to differentiate which resources go with which app. Resource groups
solve that problem.

In Figure 2-2, you can see a lot of Azure services. Some of these were automatically created
by Azure to support other services, and in many cases, Azure gives the resource an
unrecognizable name.

FIGURE 2-2 All my Azure resources

In Figure 2-3, you can see resources that are in the WebStorefront resource group. These are
the Azure resources used in the e-commerce storefront.

FIGURE 2-3 An Azure resource group

It's convenient to see all the resources associated with a particular app, but you aren't
locked into that paradigm. This is a useful example, because it's a common use of resource
groups; however, you can organize your resource groups any way you choose. Notice in
Figure 2-3 that you see resources in several different Azure regions. (Regions are in the Location
column.) If you have access to multiple Azure subscriptions, you can also have resources from
multiple subscriptions in a single resource group.

If you look at the left side of Figure 2-3, you'll see a menu of operations that you can
perform on your resource group. We won't go into all of these because it's out of scope for the
AZ-900 exam, but there are a few that clarify the benefit of resource groups.

If you click Resource Costs, you can see the cost of all the resources in this resource group.
Having that information at your fingertips is especially helpful in situations where you want
to make sure certain departments in your company are charged correctly for the resources
they use. In fact, some companies will create resource groups for each department rather than
creating resource groups scoped to applications. Having a Sales and Marketing resource group
or an IT Support resource group, for instance, can help you immensely when reporting and
controlling costs.

EXAM TIP
An Azure resource can only exist in one resource group. In other words, you can’t have a
virtual machine in a resource group called WebStorefront and in a resource group called
SalesMarketing, because it must be in one group or the other. You can move Azure
resources from one resource group to another.

MORE INFO MOVING AZURE RESOURCES


Moving Azure resources between resource groups or subscriptions isn’t without risk.
Microsoft has documented some things you can do to avoid problems when moving resources.
You can read that guidance by browsing to https://bit.ly/az900-movingresources.

You can also click Automation Script, and Azure will generate an ARM template that you
can use to deploy all these Azure resources. This is useful in a situation where you want to
deploy these resources later or when you want to deploy them to another Azure subscription.

When you delete a resource group, all the resources in that resource group are
automatically deleted. This makes it easy to delete multiple Azure resources in one easy step. Suppose
you are testing a scenario and you need to create a couple of virtual machines, a database, a
web app, and more. By placing all these resources in one resource group, you can easily delete
that resource group after your testing and Azure will automatically delete all the resources in
it for you. This is a great way to avoid unexpected costs associated with resources you are no
longer using.

Azure subscriptions
You get an Azure subscription automatically when you sign up for Azure, and all the resources
you create are created inside that subscription. You can, however, create additional
subscriptions that are tied to your Azure account. Additional subscriptions are useful in cases where
you want to have some logical groupings for Azure resources or if you want to be able to
report on resources used by specific groups of people.

Each Azure subscription has limits (sometimes called quotas) assigned to it. For example,
you can have up to 250 Azure storage accounts per region in a subscription, up to 25,000
virtual machines per region, and up to 980 resource groups per subscription across all regions.

MORE INFO SUBSCRIPTION LIMITS


You can find details on Azure subscription limits at https://bit.ly/az900-sublimits.

EXAM TIP
Microsoft support can increase limits in some scenarios if you have a good business
justification. Some limits, however, cannot be increased.

Figure 2-4 shows an Azure subscription in the Azure portal.

FIGURE 2-4 Azure subscription in the Azure portal

On the Overview blade, you can see a chart of your spending rate and forecasted costs,
along with a cost breakdown for each of the resources. If you click the View Details button on
the Costs By Resource tile, you can see a further breakdown of the Azure expenses, as shown
in Figure 2-5. In this view, you see costs by Service Name, Location (Azure region), and
Resource Group, along with a graph of the costs for the month.

FIGURE 2-5 Azure subscription cost analysis

MORE INFO CREATING BUDGETS


You can manage your costs in Azure by creating budgets. You’ll learn more about that in
Skill 3. , “Describe cost management in Azure,” in Chapter 3.

Azure invoices are also available for the subscription from within the Azure portal. You can
see your current Azure invoice as well as all past invoices by clicking Invoices in the menu for
the subscription.

You can create additional Azure subscriptions in your Azure account. This is useful in cases
where you want to separate costs or if you are approaching a subscription limit on a resource.
To create a new Azure subscription, type subscription in the search box and click
Subscriptions, as shown in Figure 2-6.

FIGURE 2-6 Azure subscriptions

To create a new subscription, click Add in the Subscriptions blade, as shown in Figure 2-7.

FIGURE 2-7 Creating a new subscription

After you click Add, you need to choose which type of subscription you want to create.
There are several types of Azure subscriptions:
■ Free Trial: Provides free access to Azure resources for a limited time. Only one free trial
subscription is available per account, and you cannot create a new free trial if a previous
one has expired.
■ Pay-As-You-Go: You pay only for those resources you use in Azure. There's no up-front
cost, and you can cancel the subscription at any time.
■ Azure For Students: A special subscription designed for exploring Azure services.
It provides free Azure credits and access to many services free for 12 months.

NOTE AZURE SUBSCRIPTION TYPES

Depending on the type of Azure account you have, you might have additional
subscription options.

EXAM TIP
Each subscription is associated with a globally unique identifier called a subscription ID. You
can give each subscription a descriptive name to help you identify it, but Azure will always
use the subscription ID to identify your subscription. When you talk to Microsoft about your
Azure account, they’ll also often ask for your subscription ID.

You now understand Azure subscriptions and how you can create additional subscriptions
if needed. Once you've created additional subscriptions and resources in those subscriptions,
you might find that managing all your resources becomes more cumbersome. To help with
that, Microsoft has developed a feature called management groups.

Management groups
Management groups are a convenient way to apply policies and access control to your Azure
resources. Much like a resource group, a management group is a container for organizing
your resources. However, management groups can contain only Azure subscriptions or other
management groups.

NOTE AZURE IDENTITY AND GOVERNANCE

At this point, you aren’t expected to understand concepts such as access control and
policies. Access control is introduced in Skill . , “Describe Azure identity, access, and security,”
and policies are discussed in Skill 3. , “Describe features and tools in Azure for governance.”

In Figure 2-8, three management groups have been created for a company. The Sales Dept.
management group contains subscriptions for the sales department. The IT Dept.
management group contains a subscription and another management group, and two additional
subscriptions are within that management group. The Training Dept. management group contains
two subscriptions for the training department.

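[Figure 2-8 diagram: the Sales Dept. management group holds the West Division and East Division subscriptions; the IT Dept. management group holds the IT Dev subscription and a nested management group with the Network and Applications subscriptions; the Training Dept. management group holds the IDs and Trainers subscriptions.]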
FIGURE 2-8 Management groups organizing subscriptions and other management groups

By organizing the subscriptions using management groups, you can have more precise
control over who has access to which resources. You can also control the configuration of resources
created within those subscriptions.

After you create a management group, you can move any of your subscriptions into that
management group. You can also move a management group into another management
group. There are, however, a few limitations:
■ You're limited to a total of 10,000 management groups.
■ A management group hierarchy can only support up to six levels.
■ You cannot have multiple parents for a single management group or subscription.

Hierarchy of resource groups, subscriptions, and management groups
You should have a general sense of the hierarchy of resource groups, subscriptions, and
management groups, but it's important for you to fully grasp how they are all related to each other.

At the top of the hierarchy is the management group. As you saw in the last section, you
can create multiple management groups, but even if you never create one, you still have one
by default called the Tenant Root Group. This default management group is part of your Azure
Active Directory tenant.

MORE INFO AZURE ACTIVE DIRECTORY


You’ll learn about Azure Active Directory in Skill . , “Describe Azure identity, access,
and security.”

Your Azure subscription is inside a management group. It can be a management group that
you explicitly created or the Tenant Root Group management group.

Azure resources that you create must be inside of a resource group, and that resource
group gets created inside of your Azure subscription. You can't create an Azure resource
without first specifying which resource group you want it to be created in. Unlike management
groups, there isn't a default resource group. You must explicitly create each resource group in
your subscription.

Understanding this hierarchy becomes important when we start talking about things such
as access control, policies, and so on. We will refer to this hierarchy at that point, but feel free to
revisit this section if you need a refresher.
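
The hierarchy rules in this section and the management group limits listed earlier can be written down as a small model. The following Python is an added example, not code from the book or from Azure: it rejects changes that break those rules and shows which assignments made at higher scopes reach a given resource. The nested group name IT Infra, the storefront-vm resource, the sample principal, and counting the six levels below the Tenant Root Group are assumptions of the example.

```python
# Added example: a small model of the scope hierarchy described above.
ROOT = "Tenant Root Group"   # default management group named on the page
MAX_MG_DEPTH = 6             # page: "up to six levels" (counted below the root here)

# The kind of parent each kind of node must have, per the hierarchy section.
PARENT_KIND = {"management group": "management group",
               "subscription": "management group",
               "resource group": "subscription", "resource": "resource group"}


class HierarchyError(ValueError):
    """Raised when a change would break one of the rules stated on the page."""


class Tenant:
    def __init__(self):
        self.kind = {ROOT: "management group"}
        self.parent = {ROOT: None}   # exactly one parent per node
        self.assignments = {}        # scope name -> [(principal, role)]

    def scope_chain(self, name):
        """Return `name` followed by every ancestor up to the root."""
        chain = []
        while name is not None:
            chain.append(name)
            name = self.parent[name]
        return chain

    def _mg_levels_above(self, name):
        """Count management groups from `name` up to, but excluding, the root."""
        return sum(1 for n in self.scope_chain(name)
                   if n != ROOT and self.kind[n] == "management group")

    def _mg_levels_below(self, name):
        """Longest chain of management groups starting at `name` (inclusive)."""
        kids = [c for c, p in self.parent.items()
                if p == name and self.kind[c] == "management group"]
        return 1 + max((self._mg_levels_below(c) for c in kids), default=0)

    def _check_parent(self, kind, parent, mg_levels):
        if parent not in self.kind:
            raise HierarchyError(f"{parent!r} does not exist; create it explicitly first")
        if self.kind[parent] != PARENT_KIND[kind]:
            raise HierarchyError(f"a {kind} must sit in a {PARENT_KIND[kind]}, "
                                 f"not in a {self.kind[parent]}")
        too_deep = self._mg_levels_above(parent) + mg_levels > MAX_MG_DEPTH
        if kind == "management group" and too_deep:
            raise HierarchyError(f"more than {MAX_MG_DEPTH} management group levels")

    def add(self, name, kind, parent=ROOT):
        if name in self.parent:
            raise HierarchyError(f"{name!r} already has a parent; only one is allowed")
        self._check_parent(kind, parent, mg_levels=1)
        self.kind[name], self.parent[name] = kind, parent

    def move(self, name, new_parent):
        """Move a resource, subscription or management group to a new parent."""
        kind = self.kind[name]
        if name == ROOT or kind == "resource group":
            raise HierarchyError(f"moving a {kind} is not modelled here")
        if new_parent in self.kind and name in self.scope_chain(new_parent):
            raise HierarchyError(f"{name!r} cannot be moved beneath itself")
        levels = self._mg_levels_below(name) if kind == "management group" else 0
        self._check_parent(kind, new_parent, levels)
        self.parent[name] = new_parent

    def assign(self, scope, principal, role):
        if scope not in self.kind:
            raise HierarchyError(f"unknown scope {scope!r}")
        self.assignments.setdefault(scope, []).append((principal, role))

    def effective(self, name):
        """Assignments that reach `name`: its own plus those of every ancestor."""
        return [(scope, principal, role)
                for scope in reversed(self.scope_chain(name))
                for principal, role in self.assignments.get(scope, [])]


def build_example():
    """Figure 2-8's layout plus a constructed resource group and resource."""
    t = Tenant()
    for mg in ("Sales Dept.", "IT Dept.", "Training Dept."):
        t.add(mg, "management group")
    t.add("IT Infra", "management group", "IT Dept.")   # hypothetical name
    for sub, mg in (("West Division", "Sales Dept."), ("East Division", "Sales Dept."),
                    ("IT Dev", "IT Dept."), ("Network", "IT Infra"),
                    ("Applications", "IT Infra"), ("IDs", "Training Dept."),
                    ("Trainers", "Training Dept.")):
        t.add(sub, "subscription", mg)
    t.add("WebStorefront", "resource group", "West Division")
    t.add("storefront-vm", "resource", "WebStorefront")  # constructed resource
    return t


if __name__ == "__main__":
    tenant = build_example()
    tenant.assign("Sales Dept.", "alice@example.com", "Reader")  # constructed principal
    print(tenant.effective("storefront-vm"))
```

Because an assignment at a management group reaches every subscription, resource group, and resource beneath it, moving a subscription or management group also changes who can reach its resources, which is worth reviewing before any move.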

Skill 2.2: Describe Azure compute and networking services
We've talked about the fact that Azure offers many different services to fit many different
needs. In this section, we'll cover some of those services in detail. We'll also talk about some of
the choices you have when using Azure services.

This section covers:


■ Compute types
■ Options for Azure virtual machines
■ Resources required for virtual machines
■ Application hosting options
■ Virtual networking
