Exam Ref Az-900 Microsoft Azure Fundamentals 3rd Edition
Jim Cheshire
Exam Ref AZ-900 Microsoft Azure Fundamentals, Third Edition
Published with the authorization of Microsoft Corporation by:
Pearson Education, Inc.
COPYRIGHT © 2023 BY PEARSON EDUCATION, INC.
All rights reserved. This publication is protected by copyright, and permission must
be obtained from the publisher prior to any prohibited reproduction, storage in a
retrieval system, or transmission in any form or by any means, electronic, mechanical,
photocopying, recording, or likewise. For information regarding permissions,
request forms, and the appropriate contacts within the Pearson Education Global
Rights & Permissions Department, please visit www.pearson.com/permissions.
No patent liability is assumed with respect to the use of the information contained
herein. Although every precaution has been taken in the preparation of this book,
the publisher and author assume no responsibility for errors or omissions. Nor
is any liability assumed for damages resulting from the use of the information
contained herein.
ISBN-13: 978-0-13-795514-5
ISBN-10: 0-13-795514-6
Library of Congress Control Number: On file
TRADEMARKS
Microsoft and the trademarks listed at http://www.microsoft.com on the “Trademarks”
webpage are trademarks of the Microsoft group of companies. All other
marks are property of their respective owners.
WARNING AND DISCLAIMER
Every effort has been made to make this book as complete and as accurate as possible,
but no warranty or fitness is implied. The information provided is on an “as
is” basis. The author, the publisher, and Microsoft Corporation shall have neither
liability nor responsibility to any person or entity with respect to any loss or damages
arising from the information contained in this book or from the use of the
programs accompanying it.
SPECIAL SALES
For information about buying this title in bulk quantities, or for special sales opportunities
(which may include electronic versions; custom cover designs; and
content particular to your business, training goals, marketing focus, or branding
interests), please contact our corporate sales department at corpsales@pearsoned.com
or (800) 382-3419.
For government sales inquiries, please contact [email protected].
For questions about sales outside the U.S., please contact [email protected].
EDITOR-IN-CHIEF: Brett Bartow
EXECUTIVE EDITOR: Loretta Yates
SPONSORING EDITOR: Charvi Arora
DEVELOPMENT EDITOR: Rick Kughen
MANAGING EDITOR: Sandra Schroeder
SENIOR PROJECT EDITOR: Tracey Croom
COPY EDITOR: Rick Kughen
INDEXER: Valerie Haynes Perry
PROOFREADER: Dan Foster
TECHNICAL EDITOR: Tim Warner
EDITORIAL ASSISTANT: Cindy Teeters
COVER DESIGNER: Twist Creative, Seattle
COMPOSITOR: Danielle Foster
Pearson’s Commitment to Diversity, Equity, and Inclusion
Pearson is dedicated to creating bias-free content that reflects the diversity of all learners. We
embrace the many dimensions of diversity, including but not limited to race, ethnicity, gender,
socioeconomic status, ability, age, sexual orientation, and religious or political beliefs.
Education is a powerful force for equity and change in our world. It has the potential to deliver
opportunities that improve lives and enable economic mobility. As we work with authors to
create content for every product and service, we acknowledge our responsibility to demonstrate
inclusivity and incorporate diverse scholarship so that everyone can achieve their potential
through learning. As the world’s leading learning company, we have a duty to help drive change
and live up to our purpose to help more people create a better life for themselves and to create
a better world.
Our ambition is to purposefully contribute to a world where:
■ Everyone has an equitable and lifelong opportunity to succeed through learning.
■ Our educational products and services are inclusive and represent the rich diversity
of learners.
■ Our educational content accurately reflects the histories and experiences of the learners
we serve.
■ Our educational content prompts deeper discussions with learners and motivates them
to expand their own learning (and worldview).
While we work hard to present unbiased content, we want to hear from you about any
concerns or needs with this Pearson product so that we can investigate and address them.
Please contact us with concerns about any potential bias at
https://www.pearson.com/report-bias.html.
Contents at a glance
Introduction
Index
Contents
Introduction
Organization of this book
Cloud computing
Cloud models
Skill 1.3: Describe cloud service types
Infrastructure-as-a-Service (IaaS)
Platform-as-a-Service (PaaS)
Software-as-a-Service (SaaS)
Thought experiment
Chapter summary
Availability zones
Azure datacenters
Azure subscriptions
Management groups
Compute types
Virtual networking
Storage tiers
Redundancy options
Migrating to Azure
Storage migration, security, and governance
Tags
Skill 3.4: Describe monitoring tools in Azure
Index
Acknowledgments
I’d like to express my deep gratitude to the following people, without whom this book would
not have been possible.
Thank you to Loretta Yates for bringing me into this project. After two decades of working
together on numerous projects, you still seem to find a way to bring freshness and excitement
to each one. Thank you, Rick Kughen, for painstakingly editing every corner of this book to
make it a better reading experience. Thanks to Tim for all the times you made me take a second
look at my approach and for adding real value with your ideas. Thanks to Charvi Arora for
taking care of all the details that keep everything on track. Finally, thank you to all the people
at Microsoft Press who worked so hard to create this book from the digital manuscript.
About the author
Jim Cheshire is a technology enthusiast with more than 25 years of experience in various roles
within IT. Jim has authored more than 15 books on technology, and he’s held numerous training
sessions on Microsoft Azure, both in private enterprises and through Safari’s Live Training
program. You can follow Jim and interact with him on LinkedIn at
https://www.linkedin.com/in/jimcheshire. Jim is in his 24th year at Microsoft, and he’s currently focused on the technical
skilling strategy for Microsoft’s developer offerings, Microsoft Azure, and Microsoft Windows.
Introduction
Both businesses and individuals are adopting cloud technologies at a breakneck pace, and
Microsoft Azure is often the choice for cloud-based applications and services. The purpose
of the AZ-900 exam is to test your understanding of the fundamentals of Azure. The exam
ranges from high-level concepts that apply across all of Azure to important concepts specific to
particular services of Azure. Like the exam, this book is geared toward giving you a broad
understanding of Azure itself as well as many common services and components in Azure.
While we’ve made every effort possible to make the information in this book accurate,
Azure is rapidly evolving. There’s a chance that some of the screens in the Azure portal are
slightly different now than when this book was written. It’s also possible that other minor
changes have taken place, such as minor name changes in features and so on.
In this edition of the book, we’ve meticulously reviewed the content in the first two editions
and updated everything to reflect the current state of Azure. We’ve also reorganized
the book and added new content to reflect the current state of the AZ-900 exam. Microsoft
has recently added new concepts, services, and Azure features to the AZ-900 exam, and we’ve
added those to this edition. We’ve also corrected a few things and made quite a few changes
based on reader feedback from the first two editions.
This book covers every major topic area found on the exam, but it does not cover every
exam question. Only the Microsoft exam team has access to the exam questions, and Microsoft
regularly adds new questions to the exam, making it impossible to cover specific questions.
You should consider this book a supplement to your relevant real-world experience and other
study materials. In many cases, we’ve provided links in the “More Info” sections of the book,
and these links are a great source for additional study.
Preparing for the exam
Microsoft certification exams are a great way to build your resume and let the world know
about your level of expertise. Certification exams validate your on-the-job experience and
product knowledge. Although there is no substitute for on-the-job experience, preparation
through study and hands-on practice can help you prepare for the exam. We recommend that
you augment your exam preparation plan by using a combination of available study materials
and courses. For example, you might use the Exam Ref and another study guide for your “at-home”
preparation and take a Microsoft Official Curriculum course for the classroom experience.
Choose the combination that you think works best for you.
Note that this Exam Ref is based on publicly available information about the exam and the
author’s experience. To safeguard the integrity of the exam, authors do not have access to the
live exam.
Microsoft certifications
Microsoft certifications distinguish you by proving your command of a broad set of skills and
experience with current Microsoft products and technologies. The exams and corresponding
certifications are developed to validate your mastery of critical competencies as you design
and develop or implement and support solutions with Microsoft products and technologies
both on premises and in the cloud. Certification brings a variety of benefits to the individual
and to employers and organizations.
Errata, updates & book support
We’ve made every effort to ensure the accuracy of this book and its companion content. You
can access updates to this book—in the form of a list of submitted errata and their related
corrections—at:
MicrosoftPressStore.com/ExamRefAZ9003e/errata
If you discover an error that is not already listed, please submit it to us at the same page.
For additional book support and information, please visit MicrosoftPressStore.com/Support.
Please note that product support for Microsoft software and hardware is not offered
through the previous addresses. For help with Microsoft software or hardware, go to
http://support.microsoft.com.
Stay in touch
Let’s keep the conversation going! We’re on Twitter: http://twitter.com/MicrosoftPress.
CHAPTER 2
Skills covered in this chapter:
■ Describe the core architectural components of Azure
■ Describe Azure compute and networking services
■ Describe Azure Storage services
■ Describe Azure identity, access, and security
EXAM TIP
The fact that each geography contains at least two regions separated by a large physical dis-
tance is important. That’s how Azure maintains disaster recovery, and it’s likely this concept
will be included on the exam.
Microsoft provides tools to control the use of Azure resources to meet corporate policies,
but some compliance requirements can’t be met by simply applying policies. For example,
some government compliance scenarios require that data stays within the United States of
Availability zones
The fact that regions are physically separated by hundreds of miles protects Azure users from
data loss and application outages caused by disasters in a particular region. However, it’s also
important that data and applications maintain availability when a problem occurs at a particular
building within a region. For that reason, Microsoft developed availability zones.
Availability zones aren’t available in all Azure regions, nor are they available for all Azure
services in regions that support them. For the most up-to-date list of availability zone-enabled
regions and services, see https://bit.ly/az900-azones.
There are at least three availability zones within each enabled region, and each availability
zone has a water supply, cooling system, network, and power supply that is isolated from
other zones. By deploying an Azure service in two or more availability zones, you can achieve
high availability in a situation where there is a problem in one zone.
EXAM TIP
Availability zones provide high availability and fault tolerance, but they might not help
you with disaster recovery. If there is a localized disaster, such as a fire in a datacenter that
houses one zone, you will benefit from availability zones. Because availability zones are in
the same Azure region, if there is a large-scale natural disaster such as a tornado, you might
not be protected. In other words, availability zones are just one facet of an overall disaster
recovery and fault-tolerant design.
Because availability zones are designed to offer enhanced availability for infrastructure,
not all services support availability zones. For example, Azure has a service called App Service
Certificates that allows you to purchase and manage an SSL certificate through Azure. It
wouldn’t make any sense to host a certificate in App Service Certificates within an availability
zone because it’s not an infrastructure component.
Microsoft operates a website that shows the status of all Azure services. If you notice a problem
with your resources, you can check the Azure Status page at https://status.azure.com.
EXAM TIP
Don’t confuse availability zones with availability sets. Availability sets allow you to create
two or more virtual machines in different physical server racks in an Azure datacenter.
Microsoft guarantees a 99.95 percent SLA with an availability set.
An availability zone allows you to deploy to two or more distinct datacenters (physical
buildings) within a region. Microsoft guarantees a 99.99 percent SLA with availability zones.
There are two categories of services that support availability zones: zonal services and zone-redundant
services. Zonal services are services such as virtual machines, managed disks used in
a virtual machine, and public IP addresses used in virtual machines. To achieve high availability,
you must explicitly deploy zonal services into two or more zones.
When you create a virtual machine in Azure and you deploy it to an availability zone, Azure
will automatically deploy the managed disk(s) and public IP address (if one is configured) to
the same availability zone.
Azure datacenters
At each region, Microsoft has built datacenters (physical buildings) that contain the physical
hardware that Azure uses. These datacenters contain climate-controlled buildings that house
the server racks containing physical computer hardware. Each region also operates on its own
network infrastructure, and Microsoft has designed the networks for low latency. Therefore,
any Azure services you have in a particular region will have reliable and fast network connectivity
with each other.
Each datacenter has an isolated power supply and power generators in case of a power
outage. All the network traffic entering and exiting the datacenter goes over Microsoft’s own
fiber-optic network on fiber owned or leased by Microsoft. Even data that flows between regions
across oceans travels over Microsoft’s fiber-optic cables that traverse the oceans.
To ensure that data in Azure is safe from disasters and failures caused by possible problems
in a particular region, customers are encouraged to replicate data in multiple regions. For
example, if the South Central region is hit by a devastating tornado (not out of the question
in Texas), data that is also replicated to the North Central region in Illinois is still safe
and available. To ensure that applications are still performing as quickly as possible, Microsoft
guarantees round-trip network performance of 2 milliseconds or less between regions.
Another advantage to resource groups is that you can name a resource group with an easily
recognizable name so that you can see all Azure resources used in a particular application at a
glance. This might not seem so important until you start deploying Azure resources and realize
that you have many more resources than you first thought. If you’re looking at all your Azure
resources, it can be hard to differentiate which resources go with which app. Resource groups
solve that problem.
In Figure 2-2, you can see a lot of Azure services. Some of these were automatically created
by Azure to support other services, and in many cases, Azure gives the resource an unrecognizable
name.
In Figure 2-3, you can see resources that are in the WebStorefront resource group. These are
the Azure resources used in the e-commerce storefront.
EXAM TIP
An Azure resource can only exist in one resource group. In other words, you can’t have a
virtual machine in a resource group called WebStorefront and in a resource group called
SalesMarketing, because it must be in one group or the other. You can move Azure resources
from one resource group to another.
You can also click Automation Script, and Azure will generate an ARM template that you
can use to deploy all these Azure resources. This is useful in a situation where you want to deploy
these resources later or when you want to deploy them to another Azure subscription.
When you delete a resource group, all the resources in that resource group are automatically
deleted. This makes it easy to delete multiple Azure resources in one easy step. Suppose
you are testing a scenario and you need to create a couple of virtual machines, a database, a
web app, and more. By placing all these resources in one resource group, you can easily delete
that resource group after your testing and Azure will automatically delete all the resources in
it for you. This is a great way to avoid unexpected costs associated with resources you are no
longer using.
EXAM TIP
Microsoft support can increase limits in some scenarios if you have a good business justification.
Some limits, however, cannot be increased.
Azure invoices are also available for the subscription from within the Azure portal. You can
see your current Azure invoice as well as all past invoices by clicking Invoices in the menu for
the subscription.
To create a new subscription, click Add in the Subscriptions blade, as shown in Figure 2-7.
After you click Add, you need to choose which type of subscription you want to create.
There are several types of Azure subscriptions:
■ Free Trial: Provides free access to Azure resources for a limited time. Only one free trial
subscription is available per account, and you cannot create a new free trial if a previous
one has expired.
■ Pay-As-You-Go: You pay only for those resources you use in Azure. There’s no up-front
cost, and you can cancel the subscription at any time.
■ Azure For Students: A special subscription designed for exploring Azure services.
It provides free Azure credits and access to many services free for 12 months.
Depending on the type of Azure account you have, you might have additional subscription
options.
EXAM TIP
Each subscription is associated with a globally unique identifier called a subscription ID. You
can give each subscription a descriptive name to help you identify it, but Azure will always
use the subscription ID to identify your subscription. When you talk to Microsoft about your
Azure account, they’ll also often ask for your subscription ID.
You now understand Azure subscriptions and how you can create additional subscriptions
if needed. Once you’ve created additional subscriptions and resources in those subscriptions,
you might find that managing all your resources becomes more cumbersome. To help with
that, Microsoft has developed a feature called management groups.
Management groups
Management groups are a convenient way to apply policies and access control to your Azure
resources. Much like a resource group, a management group is a container for organizing
your resources. However, management groups can contain only Azure subscriptions or other
management groups.
At this point, you aren’t expected to understand concepts such as access control and policies.
Access control is introduced in Skill . , “Describe Azure identity, access, and security,”
and policies are discussed in Skill 3. , “Describe features and tools in Azure for governance.”
In Figure 2-8, three management groups have been created for a company. The Sales Dept.
management group contains subscriptions for the sales department. The IT Dept. management
group contains a subscription and another management group, and two additional subscriptions
are within that management group. The Training Dept. management group contains
two subscriptions for the training department.
FIGURE 2-8 Management groups organizing subscriptions and other management groups
By organizing the subscriptions using management groups, you can have more precise control
over who has access to which resources. You can also control the configuration of resources
created within those subscriptions.
After you create a management group, you can move any of your subscriptions into that
management group. You can also move a management group into another management
group. There are, however, a few limitations:
■ You’re limited to a total of 10,000 management groups.
■ A management group hierarchy can only support up to six levels.
■ You cannot have multiple parents for a single management group or subscription.
Your Azure subscription is inside a management group. It can be a management group that
you explicitly created or the Tenant Root Group management group.
Azure resources that you create must be inside of a resource group, and that resource
group gets created inside of your Azure subscription. You can’t create an Azure resource
without first specifying which resource group you want it to be created in. Unlike management
groups, there isn’t a default resource group. You must explicitly create each resource group in
your subscription.
Understanding this hierarchy becomes important when we start talking about things such
as access control, policies, and so on. We will refer to this hierarchy at that point, but feel free to
revisit this section if you need a refresher.
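
The hierarchy described in this section, written out as an added Python example (not from the book and not an Azure SDK): it enforces the containment rules and limits listed above and reports which scope each role assignment on a resource was granted at. The `Hierarchy` class, the scope and principal names other than WebStorefront, IT Dept. and Tenant Root Group, and the reading of "six levels" as levels below the root group are assumptions; that an assignment made at a scope also applies to everything beneath it is how Azure access control behaves.

```python
from collections import defaultdict

# Page: "up to six levels". Assumption: levels are counted below the root group.
MAX_MG_DEPTH = 6
# The one kind of container each kind of scope may be placed in (from the text above).
ALLOWED_PARENT = {
    "management_group": "management_group",
    "subscription": "management_group",
    "resource_group": "subscription",
    "resource": "resource_group",
}


class HierarchyError(ValueError):
    """Raised when an addition would break one of the rules described above."""


class Hierarchy:
    def __init__(self, root="Tenant Root Group"):
        self.kind = {root: "management_group"}
        self.parent = {root: None}
        self.assignments = defaultdict(list)  # scope -> [(principal, role)]

    def chain(self, name):
        """Scopes from `name` up to the root, nearest first."""
        scopes = []
        while name is not None:
            scopes.append(name)
            name = self.parent[name]
        return scopes

    def add(self, name, kind, parent):
        if name in self.parent:
            raise HierarchyError(f"{name!r} already has a parent; only one is allowed")
        if parent not in self.kind:
            raise HierarchyError(f"unknown parent {parent!r}")
        if self.kind[parent] != ALLOWED_PARENT[kind]:
            raise HierarchyError(f"a {kind} cannot sit directly in a {self.kind[parent]}")
        # chain(parent) counts the root too, so its length is the new group's level.
        if kind == "management_group" and len(self.chain(parent)) > MAX_MG_DEPTH:
            raise HierarchyError(f"{name!r} would exceed {MAX_MG_DEPTH} levels")
        self.kind[name] = kind
        self.parent[name] = parent

    def assign(self, scope, principal, role):
        if scope not in self.kind:
            raise HierarchyError(f"unknown scope {scope!r}")
        self.assignments[scope].append((principal, role))

    def effective_access(self, name):
        """Every (principal, role, granted_at) that reaches `name`, nearest scope first."""
        return [(p, r, scope) for scope in self.chain(name)
                for p, r in self.assignments.get(scope, [])]


def build_sample():
    """Constructed sample loosely following the Figure 2-8 description."""
    h = Hierarchy()
    h.add("IT Dept.", "management_group", "Tenant Root Group")
    h.add("IT Apps", "management_group", "IT Dept.")        # hypothetical nested group
    h.add("sub-storefront", "subscription", "IT Apps")      # hypothetical subscription
    h.add("WebStorefront", "resource_group", "sub-storefront")
    h.add("storefront-vm", "resource", "WebStorefront")     # hypothetical resource
    h.assign("IT Dept.", "ops-team", "Contributor")         # broad grant, high in the tree
    h.assign("WebStorefront", "web-devs", "Reader")         # narrow grant
    return h


if __name__ == "__main__":
    for principal, role, scope in build_sample().effective_access("storefront-vm"):
        print(f"{principal}: {role} (granted at {scope})")
```

The grant made on IT Dept. reaches the virtual machine three levels down, which is why access reviews need to walk the whole chain of scopes and not only the resource group.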