Welcome to this comprehensive study guide designed to help you prepare for the Microsoft Azure Fundamentals (AZ-900) exam. This repository is a collection of structured notes covering a wide range of services and concepts within Microsoft Azure, all aligned with the AZ-900 exam objectives.
The notes include key details on various Azure services including, but not limited to, compute services like virtual machines, networking features, storage solutions, serverless computing offerings like Azure Functions and Logic Apps, as well as data management and DevOps tools offered by Azure. Additionally, it dives into important Azure management principles such as Azure Resources and Resource Groups.
Whether you're a beginner in cloud computing aiming to pass your AZ-900 exam, or an experienced professional seeking a refresher on Azure fundamentals, these notes serve as a valuable resource.
Each Azure service or concept is organized in its own section, enabling you to easily locate and focus on the specific areas you need. This format makes it a reliable quick-reference guide during your exam preparation and revision.
Dive in, study smart, and best of luck with your AZ-900 exam preparation! Your feedback is highly appreciated to improve this open-source Azure study guide.
Agility means that you can deploy and configure cloud-based resources quickly as app requirements change.
Management groups can be used in environments that have multiple subscriptions to streamline the application of governance conditions. This means you can manage access, policies and compliance across multiple subscriptions.
Azure Subscriptions are a logical unit of Azure services that are linked to an Azure account. In order to take advantage of Azure’s cloud-based services, you must have a subscription as it serves as a single billing unit for Azure resources used in that account.
A Resource Group in Azure is essentially a logical container holding resources deployed within an Azure subscription. It typically encompasses resources intended to be managed as a collective entity.
Every resource within Azure must belong to a resource group, providing a structured way to manage and organize your Azure resources. Ideally, all the resources within a group should share the same lifecycle, meaning they are deployed, updated, and deleted collectively.
Allocation of resources to resource groups can be determined based on your organization's specific needs and logic. It is generally recommended to group resources with the same lifecycle together for efficient management. A resource group can include all resources for a given solution, or only those that you want to manage collectively.
Resource groups facilitate the application of consistent policies and access controls to the group's resources, enhancing security and governance.
Azure Resources are individual instances of services that you create within Azure, such as virtual machines (VMs), storage, or SQL Databases. Each resource is an exemplar of a particular resource type, represented by identifiers like Microsoft.Compute/virtualMachines or Microsoft.Storage/storageAccounts.
Resources offer operations for interacting with their associated data. For instance, a storage account resource would allow you to create or delete the account, list the account's keys, or modify its properties. Every resource carries a unique resource ID that includes details like subscription, resource group, provider namespace, resource type, and resource name for accurate identification.
Resources can also bear metadata, such as tags, which are name-value pairs that you can assign to resources. These tags facilitate the categorization of resources for management tasks like billing or monitoring.
Resources can only be associated with a single subscription. Subscriptions may be grouped into management groups. An account may be associated with multiple subscriptions.
A defense in depth strategy uses a series of mechanisms to slow the advancement of an attack that aims to gain unauthorized access to data. The principle of least privilege means restricting access to information to only the level that users need to perform their work. A DDoS attack attempts to overwhelm and exhaust an application's resources. The perimeter layer is about protecting an organization's resources from network-based attacks.
Elasticity refers to the ability to dynamically adjust cloud resources to meet fluctuating application demands. By utilizing autoscaling, applications can ensure they always have the necessary resources to function optimally. This on-demand resource provision and de-provision enhances cost-effectiveness by ensuring you only pay for what you use. Moreover, elasticity enables applications to maintain performance during peak loads and conserve resources during periods of lesser demand.
You can deploy apps and data to regional data centers around the globe, thereby ensuring that your customers always have the best performance in their region. This is referred to as geo-distribution.
High availability, also referred to as reliability in Azure, ensures continuous application availability and a seamless user experience, even when issues arise. It involves designing systems with redundant components and failover capabilities so that if one component fails, another can seamlessly take its place. In the Azure context, this might involve the use of multiple Azure regions, availability zones, and paired regions to ensure resilience against outages and disasters.
Horizontal Scaling (Scale Out/In)
Horizontal scaling is the process of adding or removing instances from a system to increase or decrease capacity. In the context of cloud computing, this typically refers to adding or removing servers (virtual machines) from a system.
Key points:
Vertical Scaling (Scale Up/Down)
Vertical scaling, on the other hand, involves increasing or decreasing the capacity of an existing server, such as upgrading the CPU, RAM, or disk capacity of a server. This is done without changing the number of servers.
Key points:
Both strategies can be used in conjunction for an effective scaling strategy, depending on the needs of the system and its workload. Cloud services like Azure make both horizontal and vertical scaling strategies easy to implement, giving you flexibility to optimize your resources based on your application's demand.
Azure operates as a public cloud computing platform, offering an array of online services including resources like virtual machines, data storage, networking capabilities, and more. This infrastructure operates on a multi-tenant model where various organizations, often referred to as 'tenants', share the same hardware, storage, and network devices. These services can be accessed and managed using a web browser.
Key aspects to consider:
A Service Level Agreement (SLA) is a commitment between a service provider and a client that defines the level of service expected. In Azure, SLAs outline the performance and availability standards that Azure promises to uphold. They provide guarantees on aspects such as uptime and connectivity, often expressed as a percentage (like 99.99% availability).
When combining multiple Azure services to deliver a solution, it's essential to consider the Compound SLA. This reflects the overall availability based on the combined SLAs of the individual services. Because each service has its own SLA, the resulting Compound SLA might be lower than the individual ones. Therefore, it's crucial to consider the impact of each service's SLA when designing multi-service solutions in Azure.
SLA1∗SLA2=CompositeSLA
SSO enables a user to sign in one time and use that credential to access multiple resources and applications from different providers. Azure AD is provides SSO.
Virtual network peering is a feature in Azure that allows you to connect two Azure virtual networks in the same region or different regions using the Azure backbone network. It enables seamless connectivity and communication between the peered virtual networks as if they were part of a single network.
Azure App Service is a Platform-as-a-Service (PaaS) offering from Microsoft Azure, providing a managed environment for developers to host web applications, mobile app backends, RESTful APIs, and more. With this service, infrastructure management is abstracted, enabling developers to focus solely on the application's business logic. Some of its key features include auto-scaling, high availability, support for both Windows and Linux, and continuous deployment from Git repositories.
Azure Bastion is a fully managed Platform as a Service (PaaS) offering in Microsoft Azure that provides secure and seamless remote access to virtual machines (VMs) within virtual networks. It eliminates the need for public IP addresses, network security groups, or VPN connections to access Azure VMs, offering a more secure and streamlined approach to remote management.
Azure Content Delivery Network (CDN) is a robust, developer-centric network of distributed servers designed to deliver high-bandwidth content to users rapidly and efficiently. By caching content at strategically positioned physical nodes across the globe, Azure CDN ensures fast and reliable content delivery.
Azure Container Instances (ACI) is a serverless container platform provided by Microsoft Azure. It allows you to easily run containerized applications without managing the underlying infrastructure or virtual machines. ACI offers a lightweight and flexible solution for deploying and scaling containers in the Azure cloud.
Azure DevOps is a comprehensive suite of services designed to support the complete lifecycle of application development. These services are intended to facilitate planning, collaboration, building, and deployment of applications, providing a unified platform for DevOps processes.
Key Components:
Together, these services enable teams to effectively plan work, collaborate on code development, and build and deploy applications seamlessly. This integrated approach ensures consistency, improves productivity, and enhances the overall quality of your software projects.
Azure DevTest Labs is a comprehensive service designed to simplify the provisioning and management of environments for testing and development. It provides an efficient, scalable, and cost-effective solution for creating virtual machines (VMs) and managing resources.
Key Features:
This scalability is incredibly beneficial for maintaining cost-efficiency, as environments can be created on-demand when needed, and decommissioned after use, thereby eliminating unnecessary costs associated with idle resources.
In summary, Azure DevTest Labs is a robust service that offers significant value for developers and testers, facilitating a seamless, efficient, and flexible testing and development process.
Azure Event Grid is a service that helps you build event-driven applications. It enables real-time event handling within your applications and provides a mechanism for responding to events from many different sources.
Azure Functions is a serverless, event-driven compute service that enables you to run code on-demand without having to explicitly provision or manage infrastructure. It allows for the creation of small, single-purpose functions that can respond to cloud events. This platform is highly scalable and only charges for the time your code is running, making it an economical choice for many cloud computing tasks.
Key Features:
Azure Kubernetes Service (AKS) is a managed container orchestration service provided by Azure, and is based on the open-source Kubernetes system. AKS simplifies the deployment and management of containerized applications, offering scalability and high availability out of the box. Other key features include serverless Kubernetes, integrated continuous integration/continuous deployment (CI/CD), and enterprise-grade security and governance, making it a suitable choice for production workloads.
Azure IoT Hub serves as the central messaging hub for bidirectional communication between IoT devices and Azure cloud services. This cloud-based service facilitates the secure connection, monitoring, and management of IoT assets at scale. IoT Hub supports various device connectivity and data exchange protocols, offering both device-to-cloud and cloud-to-device messaging capabilities. It integrates with other Azure services such as Azure Stream Analytics and Azure Functions, allowing real-time processing of IoT data and triggering actions based on IoT events. By offering advanced features like device management, data ingestion, and analytics, Azure IoT Hub simplifies the implementation and operation of comprehensive IoT solutions.
Azure Logic Apps provide a robust, serverless solution to schedule, automate, and orchestrate tasks, business processes, and workflows across your enterprise or organization. They facilitate seamless integration of applications, data, systems, and services by providing an intuitive visual designer that allows you to define the order of steps and conditions. A compelling feature of Azure Logic Apps is the ability to send emails automatically upon occurrence of a specific event, allowing you to set up customizable notifications or actions based on your business needs.
Key Features:
Azure Resource Manager (ARM) is the deployment and management service provided by Microsoft Azure. It enables users to create, deploy, manage, and monitor all the resources within their Azure environment as a single, cohesive unit. ARM provides a consistent management layer that allows for the automation and orchestration of resource provisioning and configuration.
Azure Service Bus is a robust and secure cloud-based message broker service that enables the asynchronous transfer of data and state. The service is designed to facilitate communication between sender and receiver applications through a reliable publish/subscribe model.
Key Features:
Azure Stream Analytics is a real-time analytics and complex event-processing engine designed to analyze and process high volumes of fast-streaming data from multiple sources simultaneously. This powerful service can extract and identify patterns and relationships from a variety of input sources such as IoT devices, sensors, weblogs, clickstreams, and more.
The use cases for Azure Stream Analytics are wide-ranging:
These use cases make Azure Stream Analytics a versatile tool for organizations that require real-time insights for their decision-making processes.
Azure Virtual Machine Scale Sets (VMSS) is a feature in Microsoft Azure that allows you to deploy and manage a group of identical virtual machines (VMs) as a single entity. VMSS provides scalability, high availability, and easy management for applications that need to scale out and handle varying workloads.
Azure Virtual Desktop is a desktop and application virtualization service that runs in the cloud. It enables your users to use a cloud-hosted version of Windows from any location. Azure Virtual Desktop works across devices such as Windows, Mac, iOS, Android, and Linux. It works with apps that you can use to access Remote Desktops and apps. You can also use most modern browsers to access Azure Virtual Desktop-hosted experiences.
Azure Application Gateway is a specialized load-balancing service that provides application-level routing. It enhances the scalability and security of your web applications by directing traffic based on multiple parameters, such as URL paths, host headers, and cookie values. Additional features include SSL/TLS offloading, session affinity, and web application firewall (WAF) capabilities for robust protection against common web-based threats.
Azure ExpressRoute offers a private, dedicated connection from your on-premises data centers to Azure, facilitated by a connectivity provider. It delivers greater reliability and predictability than conventional internet-based connections, offering higher security and lower latency. Each ExpressRoute circuit entails two connections to two Microsoft Enterprise edge routers (MSEEs) at an ExpressRoute Location from the connectivity provider or your network edge. It is worth noting that a redundant Layer 3 connectivity configuration is required for the service level agreement (SLA) to be valid.
Azure Firewall is a fully managed, cloud-based network security service protecting your Azure Virtual Network resources. It provides network-level protection for inbound and outbound traffic across multiple subscriptions and virtual networks. Azure Firewall is highly available and features built-in auto-scaling, and it integrates with Azure Monitor for advanced logging and analytics. As a stateful firewall-as-a-service, Azure Firewall possesses a static public IP address for VNet resources, allowing external firewalls to identify traffic originating from your virtual network. Used in conjunction with Network Security Groups, it provides defense-in-depth security.
Azure Traffic Manager is a DNS-based traffic load balancer that allows for the distribution of traffic across numerous endpoints, such as web apps, VMs, and cloud services. It enhances application performance and availability through high availability, performance optimization, and automatic failover capabilities. Traffic can be routed to different endpoints based on geographic location, routing preference, or endpoint health.
Azure Virtual Network (VNet) is the cornerstone of your private network in Azure, providing a secure environment for resources like VMs to communicate with each other, the internet, and on-premises networks. VNets allow you to define your own private IP address space and segment the network into subnets, establishing a trusted boundary to host your compute resources.
Application Security Groups streamline the management of network security group rules by grouping virtual machines and defining rules based on these groups. This eliminates the need for manual maintenance of explicit IPs and is only applied to the network interfaces that are members of the application security group.
Network Security Groups (NSGs) serve to filter traffic to and from network interfaces in Azure. They encompass multiple inbound and outbound security rules that enable you to permit or deny traffic based on protocol, source IP address, or range, destination IP address or range, and port ranges. NSGs can be associated with subnets and individual network interfaces to control traffic within virtual networks (VNets) or between VNets and the internet. Rules are evaluated by priority using the 5-tuple information (source, source port, destination, destination port, protocol)
A Point-to-Site (P2S) VPN connection allows a secure link from an individual client computer to a virtual network, facilitating remote work, for instance, from home.
A Public Load Balancer manages traffic from the internet to VMs, mapping public IPs to the private IPs and ports of VMs. For internal traffic within the Azure network, the Internal/Private Load Balancer is used.
A Site-to-Site (S2S) VPN creates a secure, encrypted tunnel over the public internet to connect an on-premises network to an Azure network. This setup requires an on-premises VPN device with an externally facing public IP. Each virtual network can have one VPN gateway, but multiple connections to the same gateway are possible, sharing the gateway's bandwidth.
Azure Blob Storage is an essential service offering in Azure that's used for scalable, object storage of unstructured data. It can accommodate various types of data such as text, binary data, documents, media files, and application installers.
Access Tiers
These tiers provide cost-effective storage methods that are optimized for specific usage patterns. They allow for resource allocation depending on data frequency of access, storage duration, and latency requirements.
Azure Cosmos DB is Microsoft's globally distributed, multi-model database service. It offers single-digit millisecond read and write latencies, 99.999% availability, and automatic and instant scalability. It supports various popular data models and APIs, including SQL API, MongoDB, Cassandra, Gremlin, and Table API.
Cosmos DB is an excellent choice when building applications with a globally distributed user base, requiring low latency, high availability, and elastic scalability.
Azure DMS is a fully managed service designed to enable seamless migrations from multiple database sources to Azure data platforms with minimal downtime.
Azure Files is a fully managed service providing cloud-based file shares that can be accessed using the industry standard Server Message Block (SMB) protocol.
Azure Advisor acts as your personalized cloud consultant, providing recommendations for optimizing Azure resources based on high availability, security, performance, and cost. It uses your resource configuration and usage data to offer actionable insights and best practices for efficiently running your workloads in Azure.
Azure Blueprint is a declarative way to orchestrate the deployment of various resource templates and other artifacts such as:
Azure Cloud Shell is an interactive, authenticated, browser-accessible shell for managing Azure resources. It provides the flexibility to choose between Bash or PowerShell environments and works independently of the local operating system.
Azure Cost Management + Billing is a suite of tools designed to provide a comprehensive view of your cloud costs. It facilitates cost analysis, bill payment, cost access management, spending threshold settings, and identification of cost optimization opportunities. It can also help you create and manage budgets.
Azure Reservations provide an advantageous pricing model that allows you to commit to one-year or three-year terms for Azure resources, thereby securing a significant discount over the standard pay-as-you-go pricing. By leveraging Azure Reservations, you can achieve savings of up to 72% compared to the standard pricing model.
Azure Resource Manager Locks offer an added layer of protection to your Azure resources. These can be applied at different levels - subscriptions, resource groups, or individual resources - to prevent accidental modifications or deletion.
Azure Resource Manager (ARM) Templates act as the management layer for resource groups and their contained resources. They are pivotal for automating the deployment and configuration of resources.
Both Azure Blueprint and Azure Resource Manager (ARM) Templates are effective in automating the deployment and configuration of resources. However, Azure Blueprint provides a comprehensive governance model with policy and role definitions while ARM Templates are best suited for bundling and deploying resources as a group.
Azure provides various support options to cater to different customer needs:
Microsoft Compliance Manager is a risk assessment tool available on the Microsoft Service Trust Portal. It helps manage regulatory compliance activities for Microsoft cloud services. It provides a centralized dashboard to manage and track compliance assessments across Azure services and regulatory requirements like ISO 27001, NIST 800-53, and GDPR.
Microsoft's Modern Lifecycle Policy covers products and services that are serviced and supported continuously. Under this policy, Microsoft commits to providing a minimum of 12 months' notice prior to ending support if no successor product or service is available.
Key Elements:
The Modern Lifecycle Policy reflects Microsoft's commitment to its customer base, as it guarantees regular updates, provides transparency about product lifecycles, and ensures customers are not left unsupported or uninformed about any changes. This approach aligns well with today's fast-paced technology ecosystem where software products and services need to evolve continually to remain relevant and secure.
The Microsoft Privacy Statement is a document that provides information on how Microsoft collects, uses, and protects your personal data. It details the types of data Microsoft collects, how this data is used, stored, and protected, and the controls you have over its use. This transparency aims to build trust with users by adhering to data privacy laws and ensuring users' personal data is handled responsibly.
Microsoft Trust Central is a comprehensive platform providing customers with an authentic and thorough understanding of Microsoft's security, privacy, and compliance practices. It serves as a single source of truth, offering comprehensive information about how Microsoft implements and manages security, privacy, and compliance controls across its range of products and services.
Authentication and authorization are key security processes in Azure.
Authentication (AuthN) involves confirming the identity of a user, device, or system. It typically involves validating credentials like usernames and passwords.
Authorization (AuthZ) occurs after successful authentication, determining the permissions or privileges of the authenticated entity, i.e., determining what actions the authenticated user or device is allowed to perform.
Azure AD is a robust, cloud-based identity and access management service. It simplifies user access to various cloud and on-premises applications via single sign-on and multi-factor authentication.
Azure AD Connect is a tool that synchronizes your on-premises directories, like Active Directory, to Azure AD, creating a common identity for on-premises and cloud resources.
Azure AD Connect Health provides monitoring capabilities and insights for your on-premises Active Directory Domain Services (AD DS) and Azure Active Directory (Azure AD) environments.
Azure Information Protection (AIP) is a solution that helps organizations classify and protect documents and emails using labels.
Azure Security Center is a unified infrastructure security management system that enhances your data centers' security posture.
Azure Key Vault is a cloud service that ensures the secure storage and centralized management of keys, secrets, and certificates.
Azure Sentinel is a cloud-native security information and event manager (SIEM) platform that leverages built-in AI to analyze large data volumes across an enterprise.
Security Orchestration Automated Response (SOAR)
Azure Service Health offers personalized alerts and guidance when Azure service issues impact your resources.
Azure DDoS Protection Standard is a managed service that offers network-level protection for your Azure resources against DDoS attacks.
Azure Active Directory Identity Protection enables organizations to automate the detection and remediation of identity-based risks, investigate risks using data in the portal, and export risk detection data to third-party utilities for further analyses.
Azure Activity Log is a service in Microsoft Azure that provides visibility into the operations performed on resources within an Azure subscription. It captures a comprehensive set of log data, including details about resource provisioning, configuration changes, management operations, and system events.
Azure Application Insights is a service that helps you monitor the performance and usage of your applications. It collects telemetry data and provides tools for analyzing and understanding this data.
Azure Monitor is a service that provides real-time visibility into the performance and health of your applications and infrastructure. It uses a range of data collection, analytics, and insights presenting tools to give you a comprehensive understanding of your computing environments.
Azure Synapse (formerly known as Azure SQL Data Warehouse) is an integrated analytics service that accelerates the process of deriving insights from your data. It brings together enterprise data warehousing and big data analytics technology into a single unified and limitless service.