
Microsoft Azure Fundamentals

This document provides an overview of Microsoft Azure fundamentals including cloud service models, deployment models, global infrastructure, compute services, networking, storage, and database services available on Azure. It describes Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS) delivery models and defines public, private and hybrid cloud deployment options. Key concepts around Azure regions, availability zones, resource groups and resource manager are also summarized.

Uploaded by

pdvprasad_obiee

Microsoft Azure Fundamentals

(AZ-900)

Devi Vara Prasad Pirla.


B.C.A;M.C.A;M.Tech(C.S.E);P.G.D.C.A
Cloud Service Models
Software-as-a-Service (SaaS): The software layer consists of the application (application code and set) and the application data.

Platform-as-a-Service (PaaS): The platform layer means all the supporting software and the operating system required to host the application.

Infrastructure-as-a-Service (IaaS): The infrastructure layer consists of the hardware, the infrastructure and the virtualization required to host the platform.
What is Cloud Computing?
Cloud computing is the delivery of different services through the Internet. These resources include tools and applications like data storage, servers, databases, networking, and software. ...

As long as an electronic device has access to the web, it has access to the data and the software programs to run it.
Cloud Computing

Service delivery model over the internet (cloud). This includes, but is not limited to:
compute power, meaning servers such as Windows, Linux, hosting environments, etc.
storage like files and/or databases
networking in Azure but also outside when connecting to your company network
analytics services for visualization and telemetry data
Cloud Service Model
Cloud Deployment Models:
Public cloud: Services are offered over the public internet and available to anyone who wants to purchase them. Cloud resources, such as servers and storage, are owned and operated by a third-party cloud service provider, and delivered over the internet.

Private cloud: A private cloud consists of computing resources used exclusively by users from one business or organization. A private cloud can be physically located at your organization's on-site (on-premises) datacenter, or it can be hosted by a third-party service provider.

Hybrid cloud: A hybrid cloud is a computing environment that combines a public cloud and a private cloud by allowing data and applications to be shared between them.
Features-Cloud Computing
Scalability is the ability to scale, so allocate and deallocate resources at any time.

Elasticity is the ability to scale dynamically.

Agility is the ability to react fast (scale quickly).

Fault tolerance is the ability to maintain system uptime while physical and service component failures happen.

Disaster recovery is the process and design principle which allows a system to recover from natural or human-induced disasters.

High availability is the agreed level of operational uptime for the system. It is a simple calculation of system uptime versus whole lifetime of the system.
availability = uptime/(uptime + downtime)
Capital Expenditure vs Operational
Consumption-based model
No associated upfront cost
No wasted resources, as such no charges are incurred for unused resources*. Unused in this case is different per service. For instance, blob storage that stores any data is considered to be used, as it consumes the storage space. Virtual Machines that are running consume CPU, memory and other resources even if there isn’t any traffic. Hence they are considered to be used and will incur charges.
Pay for what you need
Stop paying when you don’t
AZURE GLOBAL INFRASTRUCTURE
Data Center
Physical facility
Hosting for group of networked servers
Own power, cooling & networking infrastructure

Region
Geographical area on the planet
One but usually more datacenters connected with low-latency network (<2 milliseconds)
Location for your services
Some services are available only in certain regions
Some services are global services, as such are not assigned/deployed in specific region
Globally available with 50+ regions
Special government regions (US DoD Central, US Gov Virginia, etc.)
Special partnered regions (China East, China North)
Availability Zone

Regional feature
Grouping of physically separate facilities
Designed to protect from data center failures
If a zone goes down, the others continue working
Two service categories
Zonal services (Virtual Machines, Disks, etc.)
Zone-redundant services (SQL, Storage, etc.)
Not all regions are supported
Supported region has three or more zones
A zone is one or more data centers
Region Pair

Each region is paired with another region making it a region pair
Region pairs are static and cannot be chosen
Each pair resides within the same geography*
Exception is Brazil South
Physical isolation with at least 300 miles distance (when possible)
Some services have platform-provided replication
Planned updates across the pairs
Data residency maintained for disaster recovery
Region Pairs

Region Pair A | Region Pair B
East US | West US
UK West | UK South
North Europe (Ireland) | West Europe (Netherlands)
East Asia (Hong Kong) | Southeast Asia (Singapore)
Geographies

Discrete market
Typically contains two or more regions
Ensures data residency, sovereignty, resiliency, and compliance requirements are met
Fault tolerant to protect from region wide failures
Broken up into areas: Americas, Europe, Asia Pacific, Middle East and Africa
Each region belongs only to one Geography
Azure Resource

Object used to manage services in Azure


Represents service lifecycle
Saved as JSON definition
Resource Groups
Grouping of resources
Holds logically related resources
Typically organized by type, lifecycle (app, environment), department, billing, location, or a combination of those
Resource Manager

Management layer for all resources and resource groups
Unified language
Controls access and resources
Additional Information
Each resource must be in one, and only one, resource group
Resource groups have their own location assigned
Resources in a resource group can reside in different locations
Resources can be moved between resource groups
Resource groups can’t be nested
Organize based on your organization's needs, but consider billing, security and access management, and application lifecycle
COMPUTE
Virtual Machines (IaaS) - Custom software, custom requirements, very specialized, high degree of control
VM Scale Sets (IaaS) - Auto-scaled workloads for VMs
Container Instances (PaaS) - Simple container hosting, easy to start
Kubernetes Service (PaaS) - Highly scalable and customizable container hosting platform
App Services (PaaS) - Web applications, a lot of enterprise web hosting features, easy to start
Functions (PaaS) (Function as a Service) (Serverless) - micro/nano-services, excellent consumption-based pricing, easy to start
COMPUTE MODELS - COMPARISON
Networking
Azure Virtual Network

Logically isolated networking components
Segmented into one or more subnets
Subnets are discrete sections
Enables communication of resources with each other, the internet and on-premises
Scoped to a single region
VNet peering allows cross-region communication
Isolation, Segmentation, Communication, Filtering, Routing
Azure Load Balancer

Even traffic distribution
Supports both inbound and outbound scenarios
High-availability scenarios
Both TCP (transmission control protocol) and UDP (user datagram protocol) applications
Internal and External traffic
Port Forwarding
High scale with up to millions of flows
VPN Gateway
VPN Gateway: Specific type of virtual network gateway for on-premises to Azure traffic over the public internet
Application Gateway:

Web traffic load balancer


Web application firewall
Redirection
Session affinity
URL Routing
SSL termination
Content Delivery Network

Define content
Minimize latency
POP (points of presence) with many locations
STORAGE
Group of services which include blob storage, queue storage, table storage, and file storage
Used to store files, messages, and semi-structured data
Highly scalable (up to petabytes of data)
Highly durable (99.999999999% - 11 nines, up to 16 nines)
Cheapest per GB storage
Blob Storage

BLOB – binary large object – file
Designed for storage of files of any kind
Three storage tiers
Hot – frequently accessed data
Cool – infrequently accessed data (lower availability, high durability)
Archive – rarely (if ever) accessed data
QUEUE & TABLE
Queue Storage
Storage for small pieces of data (messages)
Designed for scalable asynchronous processing

Table Storage
Storage for semi-structured data (NoSQL)
No need for foreign joins, foreign keys, relationships or strict schema
Designed for fast access
Many programming interfaces and SDKs
FILE & DISK Storage
File Storage
Storage for files accessed via shared drive protocols
Designed to extend on-premise file shares or implement lift-and-shift scenarios

Disk Storage
Disk emulation in the cloud
Persistent storage for Virtual Machines
Different sizes, types (SSD, HDD) and performance tiers
Disk can be unmanaged or managed
DATABASE SERVICE
Cosmos DB
Globally distributed NoSQL (semi-structured data)
Database service
Schema-less
Multiple APIs (SQL, MongoDB, Cassandra, Gremlin, Table Storage)
Designed for
Highly responsive (real time) applications with super low latency responses <10ms
Multi-regional applications
Azure SQL-Database
SQL Database
Relational database service in the cloud (PaaS) (DBaaS - Database as a Service)
Structured data service defined using schema and relationships
Rich Query Capabilities (SQL)
High-performance, reliable, fully managed and secure database for building applications
Azure SQL product family

Azure SQL Database – Reliable relational database based on SQL Server
Azure Database for MySQL – Azure SQL version for MySQL database engine
Azure Database for PostgreSQL – Azure SQL version for PostgreSQL database engine
Azure SQL Managed Instance – Fully fledged SQL Server managed by cloud provider
Azure SQL on VM – Fully fledged SQL Server on IaaS
Azure SQL DW (Synapse) – Massively Parallel Processing (MPP) version of SQL Server
IDENTITY SERVICES
Identity
A user with a username and password.
Also applications or other servers with secret keys or certificates.
The fact of being something or someone.
Authentication
The process of verification/assertion of identity
Authorization
The process of ensuring that only authenticated identities get access to the resources for which they have been granted access.
Access Management
The process of controlling, verifying, tracking and managing access to authorized users and applications.
Azure Active Directory

Identity and Access Management service in Azure
Identities management – users, groups, applications
Access management – subscriptions, resource groups, roles, role assignments, authentication & authorization settings, etc.
Used by multiple Microsoft cloud platforms
Azure
Microsoft 365
Office 365
Live.com services (Skype, OneDrive, etc.)
Multi-factor Authentication (MFA)

Process of authentication using more than one factor (evidence) to prove identity
Factor types
Knowledge Factor – “Something you know”, e.g. password, PIN
Possession Factor – “Something you have”, e.g. phone, token, card, key
Physical Characteristic Factor – “Something you are”, e.g. fingerprint, voice, face, eye iris
Location Factor – “Somewhere you are”, e.g. GPS location
Supported by Azure AD by default (simple on-off switch)
Role-based Access Control (RBAC)

What is a Role?
Role (role definition) is a collection of actions that the assigned identity will be able to perform.
Role definition is an answer to a question “What can be done?”
What is a Security Principal?
Security Principal is an Azure object (identity) that can be assigned to a role (e.g. users, groups or applications).
Security Principal assignment is an answer to a question “Who can do it?”
What is a Scope?
Scope is one or more Azure resources that the access applies to.
Scope assignment is an answer to a question “Where can it be done?”
What is a Role Assignment?
Role assignment is a combination of the role definition, security principal and scope.
RBAC
Authorization system built on Azure Resource Manager (ARM)
Designed for fine-grained access management of Azure Resources
Role assignment is a combination of
Role definition – list of permissions like create VM, delete SQL, assign permissions, etc.
Security Principal – user, group, service principal and managed identity, and
Scope – resource, resource groups, subscription, management group
Hierarchical
Management Groups > Subscriptions > Resource Groups > Resources
Built-in and Custom roles are supported
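
Added example (not part of the original slides, and a simplified model rather than Azure's own implementation): how a role assignment made at one level of the hierarchy is inherited by everything beneath it, and how to list what is in force at a given scope when reviewing access. The role names, principals and scope names are constructed for illustration.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Role definitions ("What can be done?"). Constructed roles; the action strings
# use the provider/resourceType/operation style with "*" wildcards.
ROLES = {
    "read-everything": ["*/read"],
    "vm-operator": ["Microsoft.Compute/virtualMachines/*"],
}

# Constructed hierarchy, child -> parent:
# management group > subscription > resource group > resource.
PARENT = {
    "sub-prod": "mg-corp",
    "rg-web": "sub-prod", "rg-data": "sub-prod",
    "vm-web-01": "rg-web", "sql-orders": "rg-data",
}

@dataclass(frozen=True)
class RoleAssignment:
    principal: str  # "Who can do it?"
    role: str       # "What can be done?"
    scope: str      # "Where can it be done?"

ASSIGNMENTS = [
    RoleAssignment("group:auditors", "read-everything", "mg-corp"),
    RoleAssignment("user:alice", "vm-operator", "rg-web"),
]

def scope_chain(scope):
    """Return the scope followed by each of its ancestors, nearest first."""
    chain = []
    while scope is not None:
        chain.append(scope)
        scope = PARENT.get(scope)
    return chain

def role_allows(role, action):
    """Match the action against the role's patterns (case-insensitive in this model)."""
    return any(fnmatchcase(action.lower(), p.lower()) for p in ROLES[role])

def is_authorized(principals, action, scope, assignments=ASSIGNMENTS):
    """True if any identity in `principals` holds a role granting `action`
    through an assignment at `scope` or at one of its ancestors."""
    chain = scope_chain(scope)
    return any(a.principal in principals and a.scope in chain
               and role_allows(a.role, action) for a in assignments)

def effective_assignments(scope, assignments=ASSIGNMENTS):
    """Audit view: (principal, role, assigned_at) for everything in force at `scope`."""
    chain = scope_chain(scope)
    return sorted((a.principal, a.role, a.scope) for a in assignments if a.scope in chain)
```

The audit view makes the least-privilege point visible: the assignment made at the management group reaches every resource below it, while the resource-group assignment stays confined to that group.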
Azure Security Center
Identity
Centralized/unified infrastructure and platform security management service
Natively embedded in Azure services
Integrated with Azure Advisor
Two tiers
Free (Azure Defender OFF) – included in all Azure services, provides continuous assessments, security score, and actionable security recommendations
Paid (Azure Defender ON) – hybrid security, threat protection alerts, vulnerability scanning, just in time (JIT) VM access, etc.
Azure Key Vault

Managed service for securing sensitive information (application/platform) (PaaS)
Secure storage service for keys, secrets and certificates
Highly integrated with other Azure services (VMs, Logic Apps, Data Factory, Web Apps, etc.)
Centralization
Access monitoring and logging
