# Azure Fundamentals

This notebook includes my notes taken for preparing [Exam AZ-900: Microsoft Azure Fundamentals](https://docs.microsoft.com/en-us/learn/certifications/exams/az-900). The contents of this notebook are based on the [exam skills outline](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE3VwUY) downloaded from the same exam webpage.

Please note that the notes are taken mostly from the materials and links on **Microsoft Learn**, along with my personal understanding of the materials. They are not official answers and are not meant to be comprehensive for learning Azure.


## Concept of Cloud Computing

### What is cloud computing? 
Cloud computing is the delivery of computing services - including **servers, storage, databases, networking, software, analytics, and intelligence** over the internet ("the cloud") to offer **faster innovation, flexible resources, and economies of scale**.

### Services offered by cloud computing providers 
Typically, these services include:
- Compute power - such as Linux servers or web applications.
    - Computing choices: VMs, containers such as Docker (no operating system to manage), and serverless computing such as functions (no server to manage)
- Storage - such as files and databases.
- Networking - such as secure connections between the cloud provider and your company.
- Analytics - such as visualizing telemetry and performance data.

## PART 1: Describe Cloud Concepts (15-20%)

### Describe the benefits and considerations of using cloud services
- Describe terms such as High Availability, Scalability, Elasticity, Agility, Fault Tolerance, and Disaster Recovery

    - **High availability**. The ability to **keep services up and running** for long periods of time, with very little downtime, depending on the service in question.

    - **Scalability**. The ability to **increase or decrease resources for any given workload**. You can add additional resources to service a workload (known as ***scaling out***), or add additional capabilities to manage an increase in demand to the existing resource (known as ***scaling up***). Scalability doesn't have to be done automatically.

    - **Elasticity**. The ability to ***automatically*** **or dynamically increase or decrease resources as needed**. Elastic resources match the current needs, and resources are added or removed automatically to meet future needs when it’s needed (and from the most advantageous geographic location). A distinction between scalability and elasticity is that elasticity is done ***automatically***.

    - **Agility**. The ability to **react quickly**. Cloud services can allocate and deallocate resources quickly. They are provided on-demand via self-service, so vast amounts of computing resources can be provisioned in minutes. There is no manual intervention in provisioning or deprovisioning services.

    - **Fault tolerance**. The ability to **remain up and running even in the event of a component (or service) no longer functioning**. Typically, **redundancy** is built into cloud services architecture, so if one component fails, a backup component takes its place. This type of service is said to be tolerant of faults.

    - **Disaster recovery**. The ability to **recover from an event which has taken down a cloud service**. Cloud services disaster recovery can happen very quickly, with automation and services being readily available to use.


- Describe the principles of economies of scale
    
    The concept of economies of scale is the ability to **reduce costs** and **gain efficiency** when **operating at a larger scale** in comparison to operating at a smaller scale.
    

- Describe the differences between Capital Expenditure (CapEx) and Operational Expenditure (OpEx)

    - Capital Expenditure (CapEx): This is the **up front spending of money on physical infrastructure**, and then **deducting that up front expense over time**. The up front cost from CapEx has a value that reduces over time.

    - Operational Expenditure (OpEx): This is **spending money on services or products now and being billed for them now**. You can **deduct this expense in the same year you spend it**. There is no up front cost, as you pay for a service or product as you use it.


- Describe the consumption-based model

    Users only pay for the resources that they use.

### Describe the differences between Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS) and Software-as-a-Service (SaaS)

- Describe Infrastructure-as-a-Service (IaaS)

    IaaS requires the most user management of all the cloud services. The user is responsible for managing the **operating systems, data, and applications**. With IaaS, you **rent IT infrastructure servers and virtual machines (VMs), storage, networks, and operating systems** from a cloud provider on a pay-as-you-go basis.

    When using IaaS, ensuring that a service is up and running is a shared responsibility: the cloud provider is responsible for ensuring the cloud infrastructure is functioning correctly; the cloud customer is responsible for ensuring the service they are using is configured correctly, is up to date, and is available to their customers.


- Describe Platform-as-a-Service (PaaS)

    PaaS requires less user management. The cloud provider manages the operating systems, and the user is responsible for the **applications and data** they run and store. **PaaS is a complete development and deployment environment in the cloud**, with resources that enable organizations to deliver everything from simple cloud-based apps to sophisticated cloud-enabled enterprise applications. (Ex: web application, Excel macro, analytics, business intelligence)


- Describe Software-as-a-Service (SaaS)

    SaaS requires the least amount of management. The cloud provider is responsible for managing everything, and the end user just **uses the software**. It allows users to connect to and use cloud-based apps over the internet. Common examples are email, calendars, and office tools such as Microsoft 365.



- Compare and contrast the three different service types

    **IaaS** is the most flexible category of cloud services. It aims to give you complete control over the hardware that runs your application. Instead of buying hardware, with IaaS, you rent it. With **PaaS**, users can gain access to more cutting-edge development tools and toolsets. Users can also focus on application development only, as all platform management is handled by the cloud provider. **SaaS** is usually based on an architecture where one version of the application is used for all customers, and licensed through a monthly or annual subscription.



### Describe the differences between Public, Private and Hybrid cloud models
- Describe Public cloud

    A public cloud is **owned by the cloud services provider (also known as a hosting provider)**. It provides resources and services to multiple organizations and users, who connect to the cloud service via a secure network connection, typically over the internet.


- Describe Private cloud

    A private cloud is **owned and operated by the organization that uses the resources from that cloud**. They create a cloud environment in their own datacenter and provide self-service access to compute resources to users within their organization. The organization remains the owner, entirely responsible for the operation of the services they provide.


- Describe Hybrid cloud

    A hybrid cloud combines both public and private clouds, allowing you to run your applications in the most appropriate location. **Specific resources run or are used in a public cloud, and others run or are used in a private cloud.** An example of a hybrid cloud usage scenario would be **hosting a website in the public cloud and linking it to a highly secure database hosted in a private cloud**.


- Compare and contrast the three different cloud models

## PART 2: Describe Core Azure Services (30-35%)

### Describe the core Azure architectural components
- Describe Regions

    A **region** is a geographical area on the planet **containing at least one, but potentially multiple datacenters** that are in close proximity and networked together with a low-latency network. Azure intelligently **assigns and controls the resources within each region to ensure workloads are appropriately balanced**. A few examples of regions are West US, Canada Central, West Europe, Australia East, and Japan West. At the time of writing this, Azure is generally available in 60 regions and available in 140 countries.

    *Note: A country can have several regions -> a region belongs to a country*

    Azure divides the world into **geographies** that are defined by geopolitical boundaries or country borders. An Azure geography is a discrete market typically containing two or more regions that preserves **data residency and compliance boundaries**. Each region belongs to a single geography and has **specific service availability, compliance, and data residency/sovereignty rules** applied to it.

    *Note: Geographies are defined to follow the law and regulations. In general, a geography is a country.*


- Describe Availability Zones

    **Availability sets** are a way for you to ensure your application remains online if a **high-impact maintenance event** is required, or if a **hardware failure** occurs. 
    
    **Availability zones** are physically separate locations within an **Azure region** that use availability sets to **provide additional fault tolerance**. **(Availability sets are duplicated across availability zones. An Azure region consists of multiple availability zones, each of which includes one or more datacenters.)** Each availability zone is an isolation boundary **containing one or more datacenters** equipped with independent power, cooling, and networking. The availability zones are typically connected to each other through very fast, private fiber-optic networks.
    
    (Note: One region contains multiple availability zones. One availability zone contains one or more data centers.)

    **Knowledge check: Microsoft Azure datacenters are organized and made available by regions.**
    

- Describe Resource Groups

    A **resource group** is a unit of management for your resources in Azure. You can think of your resource group as a container that allows you to aggregate and manage all the resources required for your application in a single manageable unit. This allows you to **manage the application collectively over its lifecycle**, rather than manage components individually. Before any resource can be provisioned, you need a resource group for it to be placed in.

    Remember that when you delete a resource group you delete all resources contained within it.
    
    Considerations:
    
    - Each resource must exist in one, and only one, resource group.
    - A resource group can contain resources that **reside in different regions**.
    - Resources for an application do not need to exist in the same resource group. However, it is recommended that you keep them in the same resource group for ease of management.


- [Describe Azure Resource Manager](https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/overview)

    **Azure Resource Manager** is a management layer in which resource groups and all the resources within them are created, configured, managed, and deleted. It provides a consistent management layer which allows you to automate the deployment and configuration of resources using different automation and scripting tools, such as Microsoft Azure PowerShell, Azure Command-Line Interface (Azure CLI), Azure portal, REST API, and client SDKs.
    
    With Azure Resource Manager, you can:
    - Deploy Application resources
    - Organize resources
    - Control access and resources.
        
    Knowledge check: Azure Resource Manager templates are stored in **JSON format**.


- Describe the benefits and usage of core Azure architectural components

### Describe some of the core products available in Azure

*Note 1: Categories of Azure core products:* ***Azure Compute, Azure Network, Azure Storage, Azure Databases, and Azure Marketplace.***

*Note 2: Storage and database are two different concepts in Azure.*



#### Describe products available for Compute such as Virtual Machines, Virtual Machine Scale Sets, App Services, Azure Container Instances (ACI) and Azure Kubernetes Service (AKS)

1. **Virtual machines (VMs)** are **software emulations of physical computers**. They include a virtual processor, memory, storage, and networking resources. VMs host an operating system, and you're able to install and run software just like a physical computer. *When using a remote desktop client, you can use and control the virtual machine as if you were sitting in front of it.*
  
    - A **network interface** enables an Azure Virtual Machine to communicate with internet, Azure, and on-premises resources. When creating a virtual machine using the Azure portal, the portal creates one network interface with default settings for you. You may instead choose to create network interfaces with custom settings and add one or more network interfaces to a virtual machine when you create it.
    
        [This article](https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface) explains how to create a network interface with custom settings, change existing settings, such as **network filter (network security group) assignment**, **subnet assignment**, DNS server settings, and IP forwarding, and delete a network interface.
        
        A network interface can be associated to:
            
        - A subnet (network)
        - An application security group (network security)
        - A network security group (network security)



2. **Virtual machine scale sets** are an Azure compute resource that you can use to **deploy and manage a set of identical VMs**. With all VMs configured the same, virtual machine scale sets are designed to support true **autoscale**; no pre-provisioning of VMs is required; and as such makes it easier to build large-scale services targeting big compute, big data, and containerized workloads.


3. With **App services** , you can quickly build, deploy, and scale enterprise-grade web, mobile, and API **apps** running on any platform. App Services is a platform as a service ***(PaaS)*** offering.


4. **Azure Functions** are ideal when you're concerned only about the code running your service and not the underlying platform or infrastructure. They're commonly used when you need to **perform work in response to an event** (often via a REST request), timer, or message from another Azure service, and when that work can be completed quickly, within seconds or less.


5. **If you wish to run multiple instances of an application on a single host machine, *containers* are an excellent choice. Containers are a *virtualization environment.*** (Note: Think of containers as an environment that allows all types of applications to run, no matter what kind of OS the applications require.)

    - ***Containers*** reference **the operating system of the *host environment*** that runs the container.
        - *Note: Containers host one or more containerized apps, which are also called containers. Containers (operating system) host containers (apps) - very confusing.*
    - Unlike virtual machines you **do not manage the operating system**.
    - Containers are lightweight and are designed to be created, scaled out, and stopped dynamically.
    - Containers allow you to respond to changes on demand and quickly restart in case of a crash or hardware interruption.
    - Azure supports Docker containers.

    There are two ways to manage both **Docker** and **Microsoft-based containers** in Azure.

    - 5.1 **Azure Container Instances** offers the fastest and simplest way to run a container in Azure without having to manage any virtual machines or adopt any additional services. It is a ***PaaS*** offering that allows you to upload your containers, which it will run for you.

    - 5.2 The task of **automating, managing, and interacting with a large number of containers** is known as ***orchestration***. **Azure Kubernetes Service (AKS)** is a complete orchestration service for containers with distributed architectures and large volumes of containers.

    **You can move existing applications to containers and run them within AKS.**

    **VM vs Containers**

    A VM can only run one operating system at a time. A VM emulates a full computer, so tasks are pretty slow. There's a lighter-weight solution that solves the issue: containers. A container ***bundles a single app and its dependencies***, referred to as containerizing the app, and deploys it as a unit to a *container host*.

    The container host provides a ***standardized runtime environment***, which ***abstracts away the operating system and infrastructure requirements***, allowing the containerized application to run side-by-side with other containerized apps.

    **A VM virtualizes the hardware, while containers virtualize the operating system. The operating system level virtualization of containers allows you to run multiple lightweight containers on a single host without sacrificing the isolation that the virtual machine originally offered.**

    
    
#### [IMPORTANT!!] Describe products available for Networking such as Virtual Network, Load Balancer, VPN Gateway, Application Gateway and Content Delivery Network

*Note: **Network** and **Network Security** are two different concepts.*
    
    
1. **[Azure Virtual Network](https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-overview)** enables **many types of Azure resources** such as Azure VMs to securely **communicate with each other, the internet, and on-premises networks**. A virtual network is **scoped to a single region**; however, multiple virtual networks from different regions can be connected using **virtual network peering**. With Azure Virtual Network you can provide isolation, segmentation, communication with on-premises and cloud resources, routing and filtering of network traffic.

    - **Subnets**: Subnets enable you to **segment the virtual network** into one or more sub-networks and allocate a portion of the virtual network's **address space** to each subnet. *You can then deploy Azure resources in a specific subnet.* Just like in a traditional network, subnets allow you to segment your VNet address space into segments that are appropriate for the organization's internal network. This also **improves address allocation efficiency**. You can secure resources within subnets using Network Security Groups.
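    As an added example (not from these notes or from Microsoft's documentation), the following Azure PowerShell script builds the pieces described above in one resource group: a virtual network carved into a subnet, a network security group attached to that subnet as the network filter, and a VM whose network interface lands in it. Resource names, the region, the private address ranges and the "corporate" source range 203.0.113.0/24 (RFC 5737 documentation space) are made-up placeholders.

    ```powershell
    # Added example, not from the original notes. Names, address ranges and the
    # region are placeholders. Requires the Az module and a prior Connect-AzAccount.
    $rg       = "rg-az900-demo"
    $location = "westeurope"

    # Everything below is placed in a single resource group, so the whole
    # application can be managed (and later deleted) as one unit.
    New-AzResourceGroup -Name $rg -Location $location | Out-Null

    # Network security group: the filter that can be associated with a subnet
    # or a network interface. Only SSH from the corporate range is allowed in;
    # the platform's default rules deny all other inbound internet traffic.
    $sshRule = New-AzNetworkSecurityRuleConfig -Name "AllowSshFromCorp" `
        -Description "SSH only from the corporate address range" `
        -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 `
        -SourceAddressPrefix "203.0.113.0/24" -SourcePortRange "*" `
        -DestinationAddressPrefix "*" -DestinationPortRange 22

    $nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location $location `
        -Name "nsg-app" -SecurityRules $sshRule

    # Virtual network scoped to the region, segmented into a subnet that gets a
    # slice of the address space. Attaching the NSG at the subnet level means
    # every network interface placed in the subnet inherits the filter.
    $subnet = New-AzVirtualNetworkSubnetConfig -Name "snet-app" `
        -AddressPrefix "10.0.1.0/24" -NetworkSecurityGroup $nsg

    $vnet = New-AzVirtualNetwork -ResourceGroupName $rg -Location $location `
        -Name "vnet-app" -AddressPrefix "10.0.0.0/16" -Subnet $subnet

    # Admin credentials are prompted for rather than written into the script.
    $cred = Get-Credential -Message "Admin user for the VM"

    # New-AzVM's simplified parameter set creates the network interface for us
    # and places it in the subnet above; naming the NSG created earlier makes
    # the VM reuse it instead of generating its own.
    New-AzVM -ResourceGroupName $rg -Location $location -Name "vm-app-01" `
        -Image "UbuntuLTS" -Size "Standard_B1s" -Credential $cred `
        -VirtualNetworkName $vnet.Name -SubnetName "snet-app" `
        -SecurityGroupName $nsg.Name -PublicIpAddressName "pip-vm-app-01"

    # Verify the associations: the VM's NIC should sit in snet-app, and the
    # subnet should reference nsg-app.
    $vm  = Get-AzVM -ResourceGroupName $rg -Name "vm-app-01"
    $nic = Get-AzNetworkInterface -ResourceId $vm.NetworkProfile.NetworkInterfaces[0].Id
    $nic.IpConfigurations[0].Subnet.Id
    (Get-AzVirtualNetwork -ResourceGroupName $rg -Name "vnet-app").Subnets[0].NetworkSecurityGroup.Id

    # Tear-down: deleting the resource group deletes the VM, NIC, disks, public
    # IP, virtual network and NSG together.
    # Remove-AzResourceGroup -Name $rg -Force
    ```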



2. **[Azure Load Balancer](https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-overview)** can **provide scale** for your applications and create high availability for your services. *Load balancing* refers to evenly distributing load (incoming network traffic) across a group of backend resources or servers. Load Balancer **supports inbound and outbound scenarios**, provides **low latency and high throughput**, and scales up to millions of flows for all Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) applications.


3. A **[VPN gateway](https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways)** is a specific type of *virtual network gateway* that is used to send **encrypted traffic** between an **Azure Virtual Network** and an **on-premises location** over the public internet. You can also use a VPN gateway to send encrypted traffic between Azure virtual networks over the Microsoft network.

    - A *virtual network gateway* is composed of two or more VMs that are deployed to a specific subnet you create called the gateway subnet.


4. **[Azure Application Gateway](https://docs.microsoft.com/en-us/azure/application-gateway/overview)** is a **web traffic load balancer** that enables you to manage traffic to your ***web applications***. It is **the connection through which users connect to your application**. Traditional load balancers operate at the transport layer (OSI layer 4 - TCP and UDP) and **route traffic** based on source IP address and port, to a destination IP address and port.

    Application Gateway can make routing decisions based on additional attributes of an **HTTP request**, for example URI path or host headers. For example, you can route traffic based on the incoming URL. So if `/images` is in the incoming URL, you can route traffic to a specific set of servers (known as a pool) configured for images. If `/video` is in the URL, that traffic is routed to another pool that's optimized for videos.


5. A **Content Delivery Network (CDN)** is a distributed network of servers that can efficiently **deliver web content to users**. Typical usage scenarios include web applications containing multimedia content, a product launch event in a region, or any event where you expect a high bandwidth requirement in a region.


6. **[Azure Traffic Manager](https://docs.microsoft.com/en-us/azure/traffic-manager/traffic-manager-overview)** is a DNS-based traffic load balancer that enables you to distribute traffic optimally to services across global Azure regions, while providing high availability and responsiveness.

    The *Domain Name System (DNS)* is a hierarchical and decentralized naming system for computers, services, or other resources connected to the Internet or a private network. It associates various information with domain names assigned to each of the participating entities. (Wikipedia)
        
    Traffic Manager uses DNS to direct client requests to the most appropriate service endpoint based on a traffic-routing method and the health of the endpoints. An endpoint is any Internet-facing service hosted inside or outside of Azure. Traffic Manager provides a range of traffic-routing methods and endpoint monitoring options to suit different application needs and automatic failover models. Traffic Manager is resilient to failure, including the failure of an entire Azure region.



#### Describe products available for Storage such as Blob Storage, Disk Storage, File Storage, and Archive Storage

1. **Disk storage** provides disks **for virtual machines, applications, and other services** to access and use as they need, similar to how they would in on-premises scenarios. Disk storage allows data to be persistently stored and accessed from an attached **virtual hard disk**.


2. **Azure Blob storage** is Microsoft's object storage solution for the cloud. Blob storage is optimized for storing massive amounts of **unstructured data, such as text or binary data**.


3. **Azure Files** enables you to set up highly available network **file shares** that can be accessed by using the standard Server Message Block (SMB) protocol. That means that **multiple VMs can share the same files** with both read and write access. You can also read the files using the REST interface or the storage client libraries. One thing that distinguishes Azure Files from files on a corporate file share is that **you can access the files from anywhere in the world using a URL** that points to the file and includes a **shared access signature (SAS) token**. You can generate SAS tokens; they allow specific access to a private asset for a specific amount of time.
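    As an added example (not from these notes or from Microsoft's documentation), this Azure PowerShell snippet issues a shared access signature for a file share that is scoped as narrowly as the use case allows: read and list only, one hour of validity, HTTPS only, and restricted to one source range. The resource group, storage account and share names and the address range 203.0.113.0/24 are placeholders.

    ```powershell
    # Added example, not from the original notes. Names are placeholders; the
    # storage account and share must already exist, and you must have run
    # Connect-AzAccount.
    $rg      = "rg-az900-demo"
    $account = "stdemo123"      # placeholder storage account name
    $share   = "reports"

    # The storage context carries the account key; the key itself is never
    # handed to the client, only the signature derived from it.
    $ctx = (Get-AzStorageAccount -ResourceGroupName $rg -Name $account).Context

    # Start a few minutes in the past to tolerate clock skew, expire in one hour.
    $start  = (Get-Date).ToUniversalTime().AddMinutes(-5)
    $expiry = $start.AddHours(1)

    # Permission "rl" = read + list; no write or delete. HttpsOnly refuses the
    # token over plain HTTP, and IPAddressOrRange limits where it is usable.
    $sasUri = New-AzStorageShareSASToken -ShareName $share -Context $ctx `
        -Permission "rl" -StartTime $start -ExpiryTime $expiry `
        -Protocol HttpsOnly -IPAddressOrRange "203.0.113.0/24" -FullUri

    # The URL embeds sp=rl, st, se and the sig; anyone holding it has exactly
    # that access until $expiry.
    $sasUri
    ```

    A SAS signed directly with the account key cannot be revoked on its own, only by rotating the key, so keep lifetimes short or bind the token to a stored access policy (the cmdlet's `-Policy` parameter) when you need to revoke it early.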


4. The **Azure Queue** service is used to **store and retrieve messages**. Queue messages can be up to 64 KB in size, and a queue can contain millions of messages. Queues are generally used to store lists of messages to be processed asynchronously.


5. **Azure Table** storage stores large amounts of structured data. The service is a NoSQL datastore which accepts authenticated calls from inside and outside the Azure cloud. Azure tables are ideal for storing **structured, *non-relational* data**.



#### Describe products available for Databases such as Cosmos DB, Azure SQL Database, Azure Database for MySQL, Azure Database for PostgreSQL, Azure Database Migration service

1. **Microsoft Azure Cosmos DB** is a **globally distributed database service** that enables you to **elastically and independently scale throughput and storage across any number of Azure's geographic regions**. It supports **schema-less data** that lets you build highly responsive and Always On applications to support constantly changing data.


2. **Azure SQL Database** is a relational database as a service (***DaaS***) based on the latest stable version of the Microsoft SQL Server database engine.
    - *Note: Microsoft Azure Cosmos DB is globally distributed; Azure SQL Database is just a regular database.*


3. The **Azure Database Migration Service** is a fully managed service designed to enable seamless migrations **from multiple database sources** to Azure data platforms with minimal downtime (online migrations).



#### Describe the Azure Marketplace and its usage scenarios

**Azure Marketplace** is a service on Azure that helps connect end users with Microsoft partners, independent software vendors (ISVs), and start-ups that are offering their solutions and services, which are optimized to run on Azure.

### Describe some of the solutions available on Azure
#### Describe Internet of Things (IoT) and products that are available for IoT on Azure such as IoT Hub and IoT Central

The Internet of Things (IoT) is **the ability for devices to garner and then relay information for data analysis**. There are many services that can assist and drive end-to-end solutions for IoT on Azure. Two of the core Azure IoT service types are Azure IoT Central, and Azure IoT Hub.

1. **IoT Central** is a fully managed global IoT software as a service (***SaaS***) solution that makes it easy to **connect, monitor, and manage your IoT assets at scale**. No cloud expertise is required to use IoT Central. As a result, you can bring your connected products to market faster while staying focused on your customers.


2. **Azure IoT Hub** is **a managed service hosted in the cloud** that acts as **a central message hub for *bi-directional communication* between your IoT application and the devices it manages**. You can use Azure IoT Hub to build IoT solutions with reliable and secure communications between millions of IoT devices and a cloud-hosted solution backend. You can connect virtually any device to your IoT Hub.

    - ***Note: IoT Central is a management tool; IoT Hub offers bidirectional communication.***
       

#### Describe Big Data and Analytics and products that are available for Big Data and Analytics such as Azure Synapse Analytics, HDInsight, and Azure Databricks

1. **Azure Synapse Analytics** (formerly Azure SQL Data Warehouse) is a limitless analytics service that brings together **enterprise data warehousing** and big data analytics.


2. **Azure HDInsight** is a fully managed, open-source analytics service for enterprises. It is a cloud service that makes it easier, faster, and more cost-effective to **process massive amounts of data**. HDInsight allows you to run popular open-source frameworks and **create cluster types** such as **Apache Spark, Apache Hadoop, Apache Kafka, Apache HBase, Apache Storm, Machine Learning Services**. HDInsight also supports a broad range of scenarios such as extraction, transformation, and loading (ETL); data warehousing; machine learning; and IoT.


3. **Azure Data Lake Analytics** is an on-demand analytics job service that simplifies big data. Instead of deploying, configuring, and tuning hardware, you **write queries to transform your data and extract valuable insights**. The analytics service can handle jobs of any scale instantly by setting the dial for how much power you need.
    


#### Describe Artificial Intelligence (AI) and products that are available for AI such as Azure Machine Learning Service and Studio

1. **Cognitive services** are a collection of **domain-specific pre-trained AI models** that can be customized with your data. They are categorized broadly into vision, speech, language, and search. 


2. The **Azure Machine Learning service** provides a cloud-based environment you can use to develop, train, test, deploy, manage, and track machine learning models. When you have the right model, you can easily ***deploy it in a container such as Docker in Azure***. Use Machine Learning service if you work in a Python environment, you want more control over your machine learning algorithms, or you want to use open-source machine learning libraries.



#### Describe Serverless computing and Azure products that are available for serverless computing such as Azure Functions, Logic Apps and Event Grid

**Serverless computing** is a cloud-hosted execution environment that runs your code but **abstracts the underlying hosting environment**. You **create an instance of the service and you add your code**. No infrastructure configuration or maintenance is required, or even allowed.

You configure your serverless apps to respond to events. An event could be a REST endpoint, a periodic timer, or even a message received from another Azure service. The serverless app runs only when it's triggered by an event.

Scaling and performance are handled automatically.

1. **Azure Functions** are ideal when you're only concerned with the code running your service and not the underlying platform or infrastructure. Azure Functions are commonly used when you need to **perform work in response to an event**—often via a REST request, timer, or message from another Azure service—and when that work can be completed quickly, within seconds or less. Azure Functions scale automatically, and charges accrue only when a function is triggered, so they're a solid choice when demand is variable.


2. **[Logic Apps (watch video)](https://azure.microsoft.com/en-us/services/event-grid/)** is a cloud service that helps you **automate and orchestrate tasks, business processes, and workflows** when you need to **integrate** apps, data, systems, and services across enterprises or organizations. Logic Apps simplifies how you design and build scalable solutions—whether in the cloud, on premises, or both—for app integration, data integration, system integration, enterprise application integration (EAI), and business-to-business (B2B) integration.

    Logic Apps are designed in a **web-based designer** and can execute logic triggered by Azure services **without writing any code**.


3. **[Event Grid (watch video)](https://azure.microsoft.com/en-us/services/event-grid/)** is an **event-routing service** that allows you to subscribe and react to any events you're interested in.



#### Describe DevOps solutions available on Azure such as Azure DevOps and Azure DevTest Labs

DevOps (Development and Operations) brings together people, processes, and technology, automating software delivery to **provide continuous value to your users**. You can integrate repositories and application tests, perform application monitoring, and work with build artifacts. You can also work with backlog items for tracking, automate infrastructure deployment, and integrate a range of third-party tools and services such as Jenkins and Chef. Some of the main DevOps services available with Azure are Azure DevOps Services, and Azure DevTest Labs.

1. **DevOps Services** provides development collaboration tools including high-performance pipelines, free private Git repositories, configurable Kanban boards, and extensive automated and cloud-based load testing. DevOps Services was **formerly known as Visual Studio Team Services (VSTS)**.


2. **Lab Services** is a service that helps developers and testers **quickly create environments in Azure** while minimizing waste and controlling cost. Users can **test their latest application versions** by quickly provisioning Windows and Linux environments using reusable templates and artifacts. You can easily integrate your deployment pipeline with DevTest Labs to provision on-demand environments. 



#### Describe the benefits and outcomes of using Azure solutions

#### Others

With **Azure App Service** you can quickly and easily build web and mobile apps for any platform or device. Azure App Service enables you to **build and host web apps, mobile back ends, and RESTful APIs** in the programming language of your choice without managing infrastructure. It offers auto-scaling and high availability, **supports both Windows and Linux**, and enables automated deployments from GitHub, Azure DevOps, or any Git repo.


### [IMPORTANT!!] Describe Azure management tools
#### Describe Azure tools such as Azure Portal, Azure PowerShell, Azure CLI, and Cloud Shell
1. The **Azure portal** is a public website that you can access with any web browser. The portal does not provide any way to automate repetitive tasks.


2. **Azure PowerShell** is a module that you **add to Windows PowerShell or PowerShell Core** that enables you to connect to your Azure subscription and manage resources.

    For example, Azure PowerShell provides the **New-AzVM command** that creates a virtual machine for you inside your Azure subscription. To use it, you would launch PowerShell, sign in to your Azure account using the command `Connect-AzAccount`, and then issue a command such as:

    ```
    New-AzVm `
        -ResourceGroupName "TestResourceGroup" `
        -Name "Testvm" `
        -Image "UbuntuLTS" `
        ...
    ```

    **PowerShell Core** is a *cross-platform* version of PowerShell that runs on Windows, Linux or macOS.


3. **Azure CLI** is a **cross-platform command-line program** that connects to Azure and executes administrative commands on Azure resources. *Cross platform* means that it can be run on Windows, Linux, or macOS. For example, to create a Virtual Machine, you would open a command prompt window, sign in to Azure using the command `az login`, create a resource group, then use a command such as:

    ```
    az vm create \
      --resource-group Testrg1 \
      --name Testvm \
      --image UbuntuLTS \
      --generate-ssh-keys \
      ...
    ```


4. **Azure Cloud Shell** is a **browser-based scripting environment** in your portal. *Linux users can opt for a Bash experience, while Windows users can opt for PowerShell.* A **storage account** is required to use the Cloud Shell and you will be prompted to create one when accessing the Azure Cloud Shell.


5. The Microsoft **Azure mobile** app allows you to access, manage, and monitor all your Azure accounts and resources from your iOS or Android phone or tablet.


6. **Representational State Transfer (REST) APIs are *service endpoints* that *support sets of HTTP operations (methods)*, which provide create, retrieve, update, or delete access to the service's resources.**



#### Describe Azure Advisor

**Azure Advisor** is a free service built into Azure that provides recommendations on **high availability, security, performance, and cost**. Advisor analyzes your deployed services and looks for ways to improve your environment across those four areas.

## PART 3: Describe Security, Privacy, Compliance, and Trust (25-30%)

### [IMPORTANT!!] Describe securing network connectivity in Azure
#### Describe Network Security Groups (NSG)

**Network Security Groups (NSG)** allow you to **filter network traffic** to and from Azure resources **in an Azure virtual network**. An NSG can contain multiple inbound and outbound **security rules** that enable you to filter traffic to and from resources **by source and destination IP address, port, and protocol**.

A network security group can contain as many rules as you need, within Azure subscription limits. Each rule specifies the following properties:

- Name: Unique name of the Network Security Group (NSG).
- Priority:	A number between 100 and 4096. Rules are processed in priority order, with lower numbers processed before higher numbers.
- Source or Destination:	Individual IP address or IP address range, service tag, or application security group.
- Protocol:	TCP, UDP, or Any.
- Direction:	Whether the rule applies to inbound or outbound traffic.
- Port Range:	An individual port or range of ports.
- **Action:	Allow or Deny.**
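The rule processing just described (ascending priority, first match decides, platform default rules at the end), as an added worked example in Python that is not part of these notes or of Azure itself. The `Rule` class, the sample rules and the address ranges are constructed for illustration; service tags and application security groups are not modelled, and only the platform's `DenyAllInBound` default rule (priority 65500) is included:

```python
"""Toy evaluator for Azure NSG-style security rules (added example, not Azure's
engine). Rules are processed in ascending priority and the first rule whose
protocol, source, destination and destination port all match decides the
outcome. Only the platform's DenyAllInBound default (priority 65500) is
modelled; the service-tag based defaults and ASG/service-tag sources are not."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # user rules: 100..4096, lower numbers are processed first
    direction: str     # "Inbound" or "Outbound"
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp" or "*"
    source: str        # CIDR, single IP or "*"
    destination: str   # CIDR, single IP or "*"
    dest_ports: str    # "22", "80-443" or "*"


DEFAULT_INBOUND = [Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*")]


def _addr_matches(pattern, addr):
    return pattern == "*" or ip_address(addr) in ip_network(pattern, strict=False)


def _port_matches(pattern, port):
    if pattern == "*":
        return True
    lo, _, hi = pattern.partition("-")
    return int(lo) <= port <= int(hi or lo)


def validate(rules):
    """Reject rule sets Azure would also refuse: priority outside 100..4096,
    duplicate priority within a direction, or an action other than Allow/Deny."""
    seen = set()
    for r in rules:
        if not 100 <= r.priority <= 4096:
            raise ValueError(f"{r.name}: priority must be between 100 and 4096")
        if (r.direction, r.priority) in seen:
            raise ValueError(f"{r.name}: duplicate priority {r.priority}")
        seen.add((r.direction, r.priority))
        if r.access not in ("Allow", "Deny"):
            raise ValueError(f"{r.name}: action must be Allow or Deny")


def evaluate(rules, direction, protocol, src, dst, port):
    """Return (access, rule_name) of the first matching rule in priority order."""
    validate(rules)
    candidates = sorted((r for r in list(rules) + DEFAULT_INBOUND
                         if r.direction == direction), key=lambda r: r.priority)
    for r in candidates:
        if (r.protocol in ("*", protocol) and _addr_matches(r.source, src)
                and _addr_matches(r.destination, dst) and _port_matches(r.dest_ports, port)):
            return r.access, r.name
    return "Deny", "<no matching rule>"   # only reachable for Outbound in this toy


CORP = "198.51.100.0/24"   # constructed "corporate" range (documentation prefix)
SAMPLE_RULES = [
    Rule("AllowSshFromCorp", 100, "Inbound", "Allow", "Tcp", CORP, "*", "22"),
    Rule("DenyRdpFromAnywhere", 110, "Inbound", "Deny", "Tcp", "*", "*", "3389"),
    # Never wins for RDP: the Deny at priority 110 is processed first.
    Rule("AllowRdpFromCorp", 120, "Inbound", "Allow", "Tcp", CORP, "*", "3389"),
    Rule("AllowWebToFrontend", 200, "Inbound", "Allow", "Tcp", "*", "10.0.1.0/24", "80-443"),
]

if __name__ == "__main__":
    for src, port in [("198.51.100.7", 22), ("203.0.113.5", 22), ("198.51.100.7", 3389)]:
        print(src, port, evaluate(SAMPLE_RULES, "Inbound", "Tcp", src, "10.0.1.4", port))
```

The `AllowRdpFromCorp` rule shows why priority numbers matter: because a broader Deny sits at a lower number, the more specific Allow is never reached, and traffic that the author probably wanted to permit is dropped. Any packet that no user rule matches falls through to `DenyAllInBound`.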

#### Describe Application Security Groups (ASG)

**Application security groups (ASG)**  enable you to configure network security as **a natural extension of an application's (ex: VM) structure**, allowing you to **group virtual machines** and define network security policies based on those groups. This feature allows you to reuse your security policy at scale without manual maintenance of explicit IP addresses.


[Examples with Virtual Network](https://docs.microsoft.com/en-us/learn/modules/secure-network-connectivity/7-define-application-security-groups)

[Example with Virtual Network and Network interface](https://docs.microsoft.com/en-us/azure/virtual-network/application-security-groups) 
    
- A network interface can be a member of multiple application security groups, up to the Azure limits. None of the network interfaces have an associated network security group.

**Note: ASG lives *within* a *virtual network* and is used to group *network interface*, which is tied to *an application (ex: VM).***

*Note: Be clear about the definition and relationship of*

- VM (application), network interface (tied to an application), and application security group
- virtual network (connection between resources) and network security group (network traffic filter for a virtual network)

#### Describe User Defined Rules (UDR)


#### Describe Azure Firewall

A Firewall is a service that grants **server access** based on the originating IP address of each request. You create firewall rules that **specify ranges of IP addresses**. **Azure Firewall**  is a managed, cloud-based, network security service that protects your Azure Virtual Network resources. It is a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability.

You can create, enforce, and log application and network connectivity policies across subscriptions, and virtual networks, centrally. Azure Firewall uses a static public IP address for your virtual network resources, which allows outside firewalls to identify traffic originating from your virtual network. The service is fully integrated with Azure Monitor for logging and analytics.

- Usage Scenarios

    You typically deploy Azure Firewall on a central **virtual network** to control general network access. With Azure Firewall you can configure:

    - Application rules that define fully qualified domain names (FQDNs) that can be accessed from a subnet.
    - Network rules that define source address, protocol, destination port, and destination address.

***[Important Note!] Azure Application Gateway also provides a firewall, called the Web Application Firewall (WAF). WAF provides centralized, inbound protection for your web applications against common exploits and vulnerabilities.***

***[Important Note Again]***
- *Azure Virtual Network (VNet) + VPN Gateway + Azure Firewall*
- *Azure VNet + Application Gateway + Web Application Firewall WAF + Azure Firewall*


#### Describe Azure DDoS Protection

Distributed Denial of Service (DDoS) attacks attempt to overwhelm and exhaust an application’s resources, making the application slow or unresponsive to legitimate users. DDoS attacks can be targeted at any endpoint that is publicly reachable through the internet. Thus, any resource exposed to the internet, such as a website, is potentially at risk from a DDoS attack.
    
When you combine **Azure DDoS Protection** with application design best practices, you help provide defense against DDoS attacks. The Azure DDoS Protection service protects your Azure applications by scrubbing traffic at the Azure network edge before it can impact your service's availability.

**Azure DDoS Protection provides the following service tiers**:

- **Basic.** The Basic service tier is **automatically enabled** as part of the Azure platform. Always-on traffic monitoring and real-time mitigation of common network-level attacks provide the same defenses that Microsoft’s online services use. Azure’s global network is used to distribute and mitigate attack traffic across regions.

- **Standard.** The Standard service tier provides additional mitigation capabilities that are tuned specifically to Microsoft Azure Virtual Network resources. DDoS Protection Standard is simple to enable and requires no application changes. **Protection policies are tuned** through dedicated traffic monitoring and machine learning algorithms. *Policies are applied to public IP addresses which are associated with resources deployed in virtual networks, such as Azure Load Balancer and Application Gateway.*
    
    
#### Choose an appropriate Azure security solution

##### Perimeter layer

The network perimeter layer is about protecting organizations from **network-based attacks** against your resources. Identifying these attacks, alerting, and eliminating their impact is important to keep your network secure. To do this:

- Use **Azure DDoS Protection** to filter large-scale attacks before they can cause a denial of service for end users.
- Use perimeter firewalls with **Azure Firewall** to identify and alert on malicious attacks against your network.


##### Network layer

At this layer, the focus is on **limiting network connectivity across all your resources** to only allow what is required. Segment your resources and use network-level controls to restrict communication to only what is needed. By restricting connectivity, you reduce the risk of lateral movement throughout your network from an attack. Use **NSGs** to create rules about inbound and outbound communication at this layer.


##### Combine services

You can also combine multiple Azure networking and security services to **manage your network security and provide increased layered protection**. The following are examples of combined services:

- **Network security groups and Azure Firewall.** *Azure Firewall complements network security group functionality.* Together, they provide better defense-in-depth network security. Network security groups provide distributed network layer traffic filtering to limit traffic to resources within virtual networks in each subscription. Azure Firewall is a fully stateful, centralized network ***firewall-as-a-service***, which provides network and application-level protection across different subscriptions and virtual networks.

- **Application Gateway WAF and Azure Firewall.** WAF is a feature of Application Gateway that provides your web applications with centralized, inbound protection *against common exploits and vulnerabilities*. Azure Firewall provides inbound protection for non-HTTP/S protocols (for example, RDP, SSH, FTP), outbound network-level protection for all ports and protocols, and application-level protection for outbound HTTP/S. Combining both provides additional layers of protection.

### Describe core Azure Identity services
#### Describe the difference between authentication and authorization

**Authentication** is the process of **establishing the identity** of a person or service looking to access a resource. It establishes if they are who they say they are.
    
**Authorization** is the process of establishing what level of access an authenticated person or service has.
    

#### Describe Azure Active Directory

**Azure Active Directory** is a Microsoft cloud-based **identity and access management service**. Azure AD helps employees of an organization **sign in and access resources**:
- **External resources** might include Microsoft 365, the Azure portal, and thousands of other software as a service (***SaaS***) applications.
- **Internal resources** might include apps on your corporate network and intranet, along with any cloud apps developed by your own organization.


#### Describe Azure Multi-Factor Authentication

**Azure Multi-Factor Authentication** provides additional security for your identities by requiring **two or more** elements for full authentication. These elements fall into three categories:
- **Something you know** could be a password or the answer to a security question.
- **Something you possess** might be a mobile app that receives a notification, or a token-generating device.
- **Something you are** is typically some sort of biometric property, such as a fingerprint or face scan used on many mobile devices.
    
Multi-factor authentication (MFA) comes as part of the following Azure service offerings:

- Azure Active Directory premium licenses. These licenses provide full-featured use of Azure Multi-Factor Authentication Service (cloud) or Azure Multi-Factor Authentication Server (on-premises).
- Multi-factor authentication for Microsoft 365. A subset of Azure Multi-Factor Authentication capabilities is available as a part of your Microsoft 365 subscription.
- Azure Active Directory global administrators. Because global administrator accounts are highly sensitive, a subset of Azure Multi-Factor Authentication capabilities are available to protect these accounts.


### Describe security tools and features of Azure
#### Describe Azure Security Center

**Azure Security Center** is a **monitoring service** that provides threat protection across all of your services both in Azure, and on-premises. Security Center can:

- **Provide security recommendations** based on your configurations, resources, and networks.
- **Monitor security settings across on-premises and cloud workloads**, and **automatically apply required security** to new services as they come online.
- Continuously monitor all your services and **perform automatic security assessments** to identify potential vulnerabilities before they can be exploited.
- **Use machine learning to detect and block malware** from being installed on your virtual machines and services. You can also define a list of allowed applications to ensure that only the apps you validate can execute.
- **Analyze and identify potential inbound attacks** and help to investigate threats and any post-breach activity that might have occurred.
- **Provide just-in-time access control for ports**, reducing your attack surface by ensuring the network only allows traffic that you require.

Azure Security Center is available in two tiers:

- **Free. Available as part of your Azure subscription**, this tier is limited to assessments and recommendations of ***Azure resources only***.
- **Standard.** This tier provides a full suite of security-related services including continuous monitoring, threat detection, just-in-time access control for ports, and more.

#### Describe Azure Security Center usage scenarios

- Example 1 - Use Security Center for an **incident response**

    Many organizations learn how to respond to security incidents only after suffering an attack. To reduce costs and damage, it’s standard to have an **incident response plan** in place before an attack occurs. You can use Azure Security Center in different stages of an incident response. You can use Security Center during the **detect, assess, and diagnose** stages.

- Example 2 - Use Security Center **recommendations to enhance security**

    A **security policy** defines the set of controls that are recommended for resources within that specified subscription or resource group. In Security Center, you define policies according to your company's security requirements.

    Security Center analyzes the security state of your Azure resources. When Security Center identifies potential security vulnerabilities, it **creates recommendations based on the controls set in the security policy**. The recommendations guide you through the process of configuring the needed security controls.
    

#### Describe Key Vault

**Azure Key Vault** is a centralized cloud service for storing your **applications' secrets**. Key Vault helps you control your applications' secrets by keeping them in a single, central location and by providing secure access, permissions control, and access logging capabilities.

Usage scenarios

- **Secrets management.** You can use Key Vault to securely store and tightly control **access to tokens, passwords, certificates, Application Programming Interface (API) keys, and other secrets**.
- **Key management.** You also can use Key Vault as a key management solution. Key Vault makes it easier to create and control the **encryption keys** used to encrypt your data.
- **Certificate management.** Key Vault lets you provision, manage, and deploy your public and private **Secure Sockets Layer/ Transport Layer Security (SSL/ TLS) certificates** for your Azure, and internally connected, resources more easily.
- **Store secrets backed by hardware security modules (HSMs).** The secrets and keys can be protected either by software, or by FIPS 140-2 Level 2 validated HSMs.

#### Describe Azure Information Protection (AIP)

**Azure Information Protection** is a cloud-based solution that helps organizations **classify and (optionally) protect its documents and emails** by applying ***labels***. Labels can be applied automatically (by administrators who define rules and conditions), manually (by users), or with a combination of both (where users are guided by recommendations). After your content is classified (and optionally protected), you can then track and control how the content is used.


#### Describe Azure Advanced Threat Protection (ATP)

**Azure Advanced Threat Protection** is a cloud-based security solution that **identifies, detects, and helps you investigate** advanced threats, compromised identities, and malicious insider actions directed at your organization.

- Identify suspicious user and device activity with both **known-technique detection and behavioral analytics**
- Analyze **threat intelligence** from the cloud and on-premises
- Protect user identities and credentials stored in **Active Directory**
- View clear **attack information** on a simple timeline for fast triage
- Monitor **multiple entry points** through integration with Windows Defender Advanced Threat Protection

### [IMPORTANT!!] Describe Azure governance methodologies

*Good **IT governance** involves planning your initiatives and setting priorities on a strategic level to help manage and prevent issues.*

#### Describe policies and initiatives with Azure Policy

**Azure Policy** is a service in Azure that you use to create, assign, and manage policies. These policies enforce different **rules and effects over your resources**, so those resources **stay compliant with your corporate standards and service-level agreements (SLAs)**.

Azure Policy does this by using policies and initiatives. It runs evaluations of your resources and scans for those not compliant with the policies you have created. For example, you can have a policy to allow only a certain stock keeping unit (SKU) size of virtual machines (VMs) in your environment. *Once you implement this policy, it will **evaluate resources** when you create new ones or update existing ones. It will also evaluate your existing resources.*

Azure Policy comes with a number of built-in policy and initiative definitions that you can use, under categories such as **Storage, Networking, Compute, Security Center, and Monitoring**.

Azure Policy can also integrate with **Azure DevOps**, by applying any continuous integration and delivery pipeline policies that apply to the pre-deployment and post-deployment of your applications.

Azure Policy also can **automatically remediate resources and configurations that are deemed non-compliant**, thus ensuring the integrity of the state of the resources.

There are three steps to creating and implementing an Azure policy.

- **Create a policy definition**: A policy definition expresses what to evaluate and what action to take. For example, you could prevent VMs from being deployed if they are exposed to a public IP address.

- **Assign a definition to a scope of resources**: To implement your policy definitions, you **assign them to resources**. A policy assignment is a policy definition that has been assigned to take place within a specific scope. This specific scope could range from a management group to a resource group. **Policy assignments are inherited by all child resources.** This means that if a policy is applied to a resource group, it is applied to all the resources within that resource group. However, you can exclude a subscope from the policy assignment.

- **Review the policy evaluation results**: When a condition is evaluated against your existing resources it is marked *compliant or non-compliant*. You can review the non-compliant policy results and take any action that is needed.

An **initiative definition** is **a set of policy definitions** to help track your compliance state for a larger goal. Like a policy assignment, an initiative assignment is an initiative definition assigned to a specific scope. **Initiative assignments** reduce the need to make several initiative definitions for each scope. This scope could also range from a management group to a resource group. 

You can define initiatives using the Azure portal, or command-line tools. In the portal, you use the "Authoring" section.

**Policy evaluation happens about once an hour.**
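The SKU policy from the paragraphs above, plus an initiative built from two definitions, as an added Python example that is not Azure's own evaluation engine. It reads the real `policyRule` JSON shape (`if`/`then`, `allOf`, `not`, `field`, `in`, `exists`) but resolves field aliases against a flat dictionary instead of a deployed resource; both definitions, the sample resources and the function names are constructed for this illustration:

```python
"""Minimal evaluator for the Azure Policy 'policyRule' JSON shape (added
example, not Azure's evaluation engine). Supports allOf / anyOf / not and the
field conditions equals / notEquals / in / notIn / exists. Real Azure Policy
resolves 'field' aliases against a deployed resource's ARM representation;
here a resource is a flat dict keyed by those alias strings."""
import json

# Constructed definition for the SKU example: deny any VM whose size is not on the list.
ALLOWED_VM_SKUS = json.loads("""
{
  "properties": {
    "displayName": "Allowed virtual machine SKUs",
    "mode": "Indexed",
    "policyRule": {
      "if": {
        "allOf": [
          { "field": "type", "equals": "Microsoft.Compute/virtualMachines" },
          { "not": { "field": "Microsoft.Compute/virtualMachines/sku.name",
                     "in": ["Standard_B2s", "Standard_D2s_v3"] } }
        ]
      },
      "then": { "effect": "deny" }
    }
  }
}""")

# Constructed definition: flag (but do not block) resources missing an Environment tag.
REQUIRE_ENV_TAG = json.loads("""
{
  "properties": {
    "displayName": "Require an Environment tag",
    "mode": "Indexed",
    "policyRule": {
      "if": { "field": "tags['Environment']", "exists": "false" },
      "then": { "effect": "audit" }
    }
  }
}""")

# An initiative is a set of policy definitions assigned together to one scope.
BASELINE_INITIATIVE = [ALLOWED_VM_SKUS, REQUIRE_ENV_TAG]


def _matches(cond, resource):
    """Recursively evaluate one condition object against a resource."""
    if "allOf" in cond:
        return all(_matches(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(_matches(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not _matches(cond["not"], resource)
    value = resource.get(cond["field"])
    if "equals" in cond:
        return value == cond["equals"]
    if "notEquals" in cond:
        return value != cond["notEquals"]
    if "in" in cond:
        return value in cond["in"]
    if "notIn" in cond:
        return value not in cond["notIn"]
    if "exists" in cond:
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {cond}")


def evaluate_policy(definition, resource):
    """Return the effect ('deny', 'audit', ...) when the 'if' block matches, else None (compliant)."""
    rule = definition["properties"]["policyRule"]
    return rule["then"]["effect"] if _matches(rule["if"], resource) else None


def evaluate_initiative(definitions, resource):
    """Map displayName -> effect for every definition the resource is non-compliant with."""
    findings = {}
    for d in definitions:
        effect = evaluate_policy(d, resource)
        if effect is not None:
            findings[d["properties"]["displayName"]] = effect
    return findings


# Constructed resources in the flat alias-keyed form this toy evaluator expects.
SMALL_TAGGED_VM = {"type": "Microsoft.Compute/virtualMachines",
                   "Microsoft.Compute/virtualMachines/sku.name": "Standard_B2s",
                   "tags['Environment']": "Production"}
BIG_UNTAGGED_VM = {"type": "Microsoft.Compute/virtualMachines",
                   "Microsoft.Compute/virtualMachines/sku.name": "Standard_E64s_v3"}
STORAGE_ACCOUNT = {"type": "Microsoft.Storage/storageAccounts",
                   "tags['Environment']": "Dev"}

if __name__ == "__main__":
    for name, res in [("small", SMALL_TAGGED_VM), ("big", BIG_UNTAGGED_VM), ("storage", STORAGE_ACCOUNT)]:
        print(name, evaluate_initiative(BASELINE_INITIATIVE, res))
```

The storage account is compliant with the SKU policy simply because the `type` condition does not match, which is the same reason a real definition scoped to virtual machines never touches other resource types; the oversized, untagged VM collects one finding per definition in the initiative, with each finding carrying that definition's own effect.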


#### Describe Role-Based Access Control (RBAC)

**[Azure RBAC](https://docs.microsoft.com/en-us/azure/role-based-access-control/overview)** is an authorization system built on [Azure Resource Manager](https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/overview) that provides fine-grained access management of Azure resources, enabling you to grant users only the rights they need to perform their jobs.

To view access permissions, access the **Access Control (IAM)** ***blade (on the side)*** in the Azure portal. This blade shows who has access to an area and their role. Using this same blade, you can also grant or remove access.

- **Azure Resource Manager** is the **deployment and management service** for Azure. It provides **a management layer** that enables you to create, update, and delete resources in your Azure account. You use management features, like access control, locks, and tags, to secure and organize your resources after deployment.

- To learn about **[Azure Resource Manager templates](https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/overview)**, see Template deployment overview.

    To implement infrastructure as code for your Azure solutions, use Azure Resource Manager (ARM) templates. **The template is a JavaScript Object Notation (JSON) file** that defines the infrastructure and configuration for your project. The template uses declarative syntax, which lets you state what you intend to deploy without having to write the sequence of programming commands to create it. In the template, you specify the resources to deploy and the properties for those resources.

    When you deploy a template, Resource Manager converts the template into REST API operations.


#### Describe Locks

**Resource locks** help you prevent accidental deletion or modification of your Azure resources. You can set the lock level to **CanNotDelete** (can still modify) or **ReadOnly**.

To add a lock to a resource:

1. You can apply a lock to a subscription, resource group, or individual resource to prevent accidental deletion or modification of critical resources.

2. In the Settings section, click Locks, and then click + Add.



#### Describe Azure Advisor security assistance


#### [Describe Azure Blueprints](https://azure.microsoft.com/en-us/services/blueprints/)

Simplify large-scale Azure deployments by **packaging key environment artifacts**, such as **Azure Resource Manager templates, role-based access controls, resource groups, and policies**, in a single blueprint definition. *Easily apply the blueprint to new subscriptions and environments, and fine-tune control and management through versioning.*

**Azure Blueprints** enable cloud architects to define a repeatable set of Azure resources that implement and adhere to an organization's standards, patterns, and requirements. Azure Blueprint enables development teams to rapidly build and deploy new environments with the knowledge that they're building **within organizational compliance** with a set of built-in components that speed up development and delivery.

Azure Blueprints and other Azure governance services are free for managing Azure services.

The process of implementing Azure Blueprint consists of the following high-level steps:

1. Create an Azure Blueprint.
2. Assign the blueprint.
3. Track the blueprint assignments.

##### Azure Blueprints vs. Azure Resource Manager Templates

Azure Blueprints are different from Azure Resource Manager Templates. When Azure Resource Manager Templates deploy resources, they have no active relationship with the deployed resources (they exist in a local environment or in source control). By contrast, with Azure Blueprint, each deployment is tied to an Azure Blueprint package. **This means that the relationship with resources will be maintained, even after deployment. Maintaining relationships, in this way, improves auditing and tracking capabilities.**

#### Define Subscription Governance

There are mainly three aspects to consider in relation to creating and managing subscriptions: **Billing, Access Control, and [Subscription limits](https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/azure-subscription-service-limits)**.

If you want to raise the limit or quota above the default limit, **open an online customer support request at no charge**. The terms soft limit and hard limit often are used informally to describe the current, adjustable limit (soft limit) and the maximum limit (hard limit). If a limit isn't adjustable, there won't be a soft limit, only a hard limit.

### [IMPORTANT!!] Explore Monitoring and Reporting

Once you have started building out solutions on Azure, you need to be able to monitor your resources to make sure they are responsive and performing properly. Azure provides several built-in features to **track and analyze your resource utilization and performance**.


#### Describe monitoring and reporting options in Azure

You apply **tags** to your Azure resources giving metadata to logically organize them into a taxonomy. Each tag consists of a name and a value pair. For example, you can apply the name Environment and the value Production to all the resources in production, or tag by company departments. For example, the name of Department with a value of IT.

After you apply tags, you can retrieve all the resources in your subscription with that tag name and value. Tags enable you to retrieve related resources from different resource groups. This approach is helpful when you need to organize resources for billing or management.


#### Describe Azure Monitor

**[Azure Monitor (Video)](https://docs.microsoft.com/en-us/azure/azure-monitor/overview)** maximizes the availability and performance of your applications by delivering a comprehensive solution for **collecting, analyzing, and acting on telemetry from your cloud and on-premises environments**. It helps you understand how your applications are performing and proactively identifies issues affecting them and the resources they depend on.

Azure Monitor can collect data from a variety of sources. You can think of monitoring data for your applications in tiers ranging from your application, any operating system and services it relies on, down to the platform itself.

As soon as you create an Azure subscription and start adding resources such as virtual machines and web apps, Azure Monitor starts collecting data.

- **Activity Logs** record when resources are created or modified.
- **Metrics** tell you how the resource is performing and the resources that it's consuming.

Azure Monitor features can be organized into four categories: **Analyze, Respond, Visualize and Integrate**.

- Analyze
    - Application Insights
    - Azure Monitor for containers
    - Azure Monitor for VMs
    
- Respond
    - **Alerts.** Azure Monitor proactively notifies you of critical conditions using Alerts and can potentially attempt to take corrective actions. Alert rules based on **metrics** can provide alerts in almost real-time, based on numeric values. Alert rules based on **logs** allow for complex logic across data, from multiple sources.
    - **Autoscale.** Azure Monitor uses Autoscale to ensure that you have the right amount of resources running to manage the load on your application effectively. Autoscale enables you to **create rules that use metrics, collected by Azure Monitor, to determine when to automatically add resources to handle increases in load**. Autoscale can also help reduce your Azure costs by removing resources that are not being used. You can specify a minimum and maximum number of instances and provide the logic that determines when Autoscale should increase or decrease resources.

- Visualize
    - Dashboards
    - Views
    - Power BI
    
- Integrate
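The Autoscale and metric-alert logic from the Respond category, as an added Python example that is not Azure Monitor's implementation. A constructed CPU series is replayed against a hypothetical profile with minimum and maximum instance counts, scale-out and scale-in thresholds, an aggregation window and a cooldown, showing that the instance count is clamped at both ends and that a metric alert fires on the same windowed average:

```python
"""Replay of Azure Monitor-style autoscale and metric-alert rules (added example,
not Azure Monitor's implementation). The CPU samples are constructed and the
profile values (thresholds, window, cooldown, bounds) are hypothetical."""
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class AutoscaleProfile:
    min_instances: int        # never scale in below this
    max_instances: int        # never scale out above this
    scale_out_above: float    # windowed average that triggers +1 instance
    scale_in_below: float     # windowed average that triggers -1 instance
    window: int               # number of samples aggregated per evaluation
    cooldown: int             # samples to wait after an action before the next one


def autoscale(profile, samples, start=None):
    """Return the instance count after each sample in `samples`."""
    count = profile.min_instances if start is None else start
    last_action = -profile.cooldown      # so the first evaluation is not blocked
    history = []
    for i in range(len(samples)):
        enough_data = i + 1 >= profile.window
        cooled_down = i - last_action >= profile.cooldown
        if enough_data and cooled_down:
            avg = mean(samples[i + 1 - profile.window:i + 1])
            if avg > profile.scale_out_above and count < profile.max_instances:
                count, last_action = count + 1, i
            elif avg < profile.scale_in_below and count > profile.min_instances:
                count, last_action = count - 1, i
        history.append(count)
    return history


def metric_alert(samples, threshold, window):
    """Indices at which a rule 'average over the window > threshold' would fire."""
    return [i for i in range(window - 1, len(samples))
            if mean(samples[i + 1 - window:i + 1]) > threshold]


# Constructed 1-minute CPU % samples: a load spike followed by a quiet period.
CPU_SAMPLES = [20, 25, 80, 85, 90, 95, 90, 85, 80, 75,
               20, 15, 10, 10, 10, 10, 10, 10, 10, 10]
PROFILE = AutoscaleProfile(min_instances=2, max_instances=4,
                           scale_out_above=70, scale_in_below=30,
                           window=3, cooldown=2)

if __name__ == "__main__":
    print(autoscale(PROFILE, CPU_SAMPLES))
    print(metric_alert(CPU_SAMPLES, 85, 3))
```

With this profile the fleet grows from 2 to 4 instances during the spike, stays at 4 even though the average remains above the threshold (the maximum is a hard ceiling, which is also what bounds the cost of an attack-driven or runaway load), and shrinks back to the minimum of 2 once the average drops, never below it.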



#### Describe Azure Service Health

**[Azure Service Health (Video)](https://docs.microsoft.com/en-us/azure/service-health/overview)** is a suite of experiences that provide personalized guidance and support **when issues with Azure services affect you**. It can **notify you, help you understand the impact of issues, and keep you updated as the issue is resolved**. Azure Service Health can also help you **prepare for planned maintenance and changes** that could affect the availability of your resources.

Azure Service Health is composed of the following:
- **Azure Status** provides a global view of the health state of Azure services.
- **Service Health** tracks the state of your Azure services.
- **Resource Health**: In contrast to Azure Status, which informs you about service problems that affect a broad set of Azure customers, Resource Health gives you a personalized dashboard of your resources' health.


#### Describe the use cases and benefits of Azure Monitor and Azure Service Health


### Describe privacy, compliance and data protection standards in Azure
#### Describe industry compliance terms such as GDPR, ISO and NIST

**National Institute of Standards and Technology (NIST)** Cybersecurity Framework (CSF). NIST CSF is a voluntary Framework that consists of standards, guidelines, and best practices to manage **cybersecurity-related risks**. 


#### Describe the Microsoft Privacy Statement

**The Microsoft privacy statement** explains what **personal data** Microsoft processes, how Microsoft processes it, and for what purposes.


#### Describe the Trust center

**The Trust Center** is a **website resource** containing information and details about **how Microsoft implements and supports** security, privacy, compliance, and transparency in all Microsoft cloud products and services. 


#### Describe the Service Trust Portal

**The Service Trust Portal (STP)** hosts the **Compliance Manager service**, and is the Microsoft public site for **publishing audit reports and other compliance-related information** relevant to Microsoft’s cloud services. Service Trust Portal users can download audit reports produced by external auditors and gain insight from Microsoft-authored reports that provide details on how Microsoft builds and operates its cloud services.


#### Describe Compliance Manager

**Compliance Manager** is a **workflow-based risk assessment *dashboard* within the Trust Portal** that enables you to **track, assign, and verify** your organization's **regulatory compliance activities** related to Microsoft professional services and Microsoft cloud services such as Microsoft 365, Dynamics 365, and Azure.

Compliance Manager is a dashboard that provides a summary of your data protection and compliance stature, and recommendations to improve data protection and compliance.

#### Determine if Azure is compliant for a business need


#### Describe Azure Government cloud services

**Azure Government** is a separate instance of the Microsoft Azure service. It addresses the security and compliance needs of US federal agencies, state and local governments, and their solution providers. Azure Government offers physical isolation from non-US government deployments and provides screened US personnel. Azure Government services handle data that is subject to certain government regulations and requirements.


#### Describe Azure China cloud services


## PART 4: Describe Azure Pricing, Service Level Agreements, and Lifecycles (20-25%)

### Describe Azure subscriptions
#### Describe an Azure Subscription

Using Azure requires an Azure subscription which **provides you with authenticated and authorized access** to Azure products and services and **allows you to provision resources**. An Azure subscription is **a logical unit of Azure services** that links to an Azure account, which is an identity in Azure Active Directory (Azure AD) or in a directory that an Azure AD trusts.

An account can have one subscription or multiple subscriptions that have different billing models and to which you apply different access-management policies. You can use Azure subscriptions to **define boundaries (billing boundary or access control boundary)** around Azure products, services, and resources. 

If you have multiple subscriptions, you can organize them into **invoice sections**. Each invoice section is a line item on the invoice that shows the charges incurred that month.

- Billing Account > Billing Profiles (tied to invoice and payment method) > Invoice Section > Azure Subscription

    
#### Describe the uses and options with Azure subscriptions such as access control and offer types

- A free account: Get started with 12 months of popular free services, a credit to explore any Azure service for 30 days, and 25+ services that are always free. Your Azure services are disabled when the trial ends or when your credit expires for paid products, unless you upgrade to a paid subscription.

- Which products are always free:
    - Azure Cosmos DB - 400 RU/s
    - App Service - 10
    - Functions - 1M
    - Event Grid - 100K
    - Azure Kubernetes Service
    - DevTest Labs
    - Azure Active Directory
    - Service Fabric
    - Azure DevOps - 5
    - Security Center
    - Advisor
    - Load Balancer
    - Data Factory - 5
    - Search - 10K
    - Notification Hubs - 1M
    - Batch
    - Automation - 500 minutes
    - Data Catalog
    - Virtual Network - 50
    - Inter-VNET data transfer - Inbound only
    - Bandwidth (Data Transfer) - 5GB
    - Visual Studio Code
    - Machine Learning Server
    - SQL Server 2017 Developer Edition

- Pay-As-You-Go
- Member offer


#### Describe subscription management using Management groups

The organizing structure for **resources** in Azure has four levels: **management groups, subscriptions, resource groups, and resources**. 

**Management groups:** These are containers that help you manage access, policy, and compliance for multiple subscriptions. All subscriptions in a management group **automatically inherit** the conditions applied to the management group.

- [Hierarchy Example and Azure Role Name](https://docs.microsoft.com/en-us/azure/governance/management-groups/overview)

**Subscriptions:** A subscription groups together **user accounts** and the **resources** that have been created by those user accounts. For each subscription, there are limits or quotas on the amount of resources you can create and use. Organizations can use subscriptions to manage costs and the resources that are created by users, teams, or projects.

### Describe planning and management of costs
#### Describe options for purchasing Azure products and services

The purchasing options available for Azure products and services depend on which of three main customer types you belong to:
    
- **Enterprise**. Enterprise customers sign an **Enterprise Agreement** with Azure that commits them to spending a **negotiated amount** on Azure services, which they typically pay **annually**. Enterprise customers also have access to customized Azure pricing.
    
- **Web direct**. Web direct customers pay **public prices** for Azure resources, and their **monthly** billing and payments occur through the Azure website.
    
- **Cloud Solution Provider**. Cloud Solution Providers (CSPs) are typically **Microsoft partner companies that a customer hires** to build solutions on top of Azure. Payment and billing for Azure usage occur through the customer's CSP.



#### Describe options around Azure Free account


#### Describe the factors affecting costs such as resource types, services, locations, ingress and egress traffic

- Resource Type
    
    Costs are resource-specific, so the usage that a meter tracks and the number of meters associated with a resource depend on the resource type.
    
    Each meter tracks a specific type of usage. For example, a meter might track bandwidth usage (ingress or egress network traffic in bits-per-second), number of operations, size (storage capacity in bytes), or similar items.
    
    
- Service
    
    Azure usage rates and billing periods can differ between Enterprise, Web Direct, and Cloud Solution Provider (CSP) customers. Some subscription types also include usage allowances, which affect costs.
    
    
- Location

    The Azure infrastructure is globally distributed, and usage costs might vary between locations that offer Azure products, services, and resources.
    
    

#### Describe Zones for billing purposes

**Billing zones** help **determine the cost of services you are using**.

**Bandwidth** refers to data moving in and out of Azure datacenters. Some inbound data transfers, such as data going into Azure datacenters, are free. For outbound data transfers, such as data going out of Azure datacenters, **data transfer pricing is based on Zones**.

A Zone is a **geographical grouping of Azure Regions** for billing purposes. The following Zones exist and include the sample regions as listed below:

- Zone 1 – West US, East US, Canada West, West Europe, France Central and others

- Zone 2 – Australia Central, Japan West, Central India, Korea South and others

- Zone 3 - Brazil South

- DE Zone 1 - Germany Central, Germany Northeast

To avoid confusion, be aware that a *Zone for billing purposes* is not the same as an *Availability Zone*. In Azure, the term ***Zone is for billing purposes only***, and the full term ***Availability Zone refers to the failure protection*** that Azure provides for datacenters.


#### Describe the Pricing calculator

The **Pricing Calculator**  is a tool that helps you estimate the cost of Azure products.
    

#### Describe the Total Cost of Ownership (TCO) calculator

The **Total Cost of Ownership Calculator**  is a tool that you use to estimate cost savings you can realize by migrating to Azure.
    
Enter details about your on-premises infrastructure into the TCO calculator according to four groups:

- Servers. Enter details of your current on-premises server infrastructure.
- Databases. Enter details of your on-premises database infrastructure in the Source section. In the Destination section, select the corresponding Azure service you would like to use.
- Storage. Enter the details of your on-premises storage infrastructure.
- Networking. Enter the amount of network bandwidth you currently consume in your on-premises environment.

#### [Describe best practices for minimizing Azure costs such as performing cost analysis, creating spending limits and quotas, using tags to identify cost owners, using Azure reservations and using Azure Advisor recommendations](https://docs.microsoft.com/en-us/learn/modules/review-planning-managing-costs/9-explore-minimizing-costs)


#### Describe Azure Cost Management

**Cost Management** is an Azure product that provides a set of tools for monitoring, allocating, and optimizing your Azure costs. (It is a feature on Azure Portal.)


### Describe Azure Service Level Agreements (SLAs)
#### Describe a Service Level Agreement (SLA)

Formal documents known as **Service-Level Agreements (SLAs)** capture the specific terms that **define the performance standards** that apply to Azure. There are SLAs for individual Azure products and services.

An SLA defines **performance targets** for an Azure product or service. The performance targets that an SLA defines are specific to each Azure product and service.
    
A typical SLA specifies **performance-target commitments** that range from **99.9 percent ("three nines") to 99.99 percent ("four nines")**, for each corresponding Azure product or service.

- Service Credits

  SLAs also describe how Microsoft will respond if an Azure product or service fails to perform to its governing SLA's specification.

  For example, customers may have a discount applied to their Azure bill, as compensation for an under-performing Azure product or service.

***Azure does not provide SLAs for many services under the Free or Shared tiers. Also, free products such as Azure Advisor do not typically have an SLA.***

#### Describe Composite SLAs

When combining SLAs across different service offerings, the resultant SLA is called a **Composite SLA**. The resulting composite SLA can provide higher or lower uptime values, depending on your application architecture: services that all have to be available (a dependency chain) lower it, while alternative paths raise it.
    
You can improve the composite SLA by creating **independent fallback paths**. There are tradeoffs to this approach: the application logic is more complex, you are paying for the queue, and there may be data-consistency issues that you need to consider.
    

#### Describe how to determine an appropriate SLA for an application

When creating an Application SLA consider the following:
    
- **Identify workloads**. A workload is a distinct capability or task that is logically separated from other tasks, in terms of business logic and data storage requirements. To ensure that application architecture meets your business requirements, define **target SLAs** for each workload.
    
- **Plan for usage patterns**. To ensure uptime, **plan redundancy across several regions** in case one fails. Conversely, to minimize costs during non-critical periods, you can run your application in a single region.
    
- **Establish availability metrics** — mean time to recovery (MTTR) and mean time between failures (MTBF).
    
- **Establish recovery metrics** — recovery time objective (RTO) and recovery point objective (RPO). RTO is the maximum acceptable time an application can be unavailable after an incident. RPO is the maximum duration of data loss that is acceptable during a disaster. To derive these values, conduct a risk assessment and make sure you understand the cost and risk of downtime or data loss in your organization.
    
- **Implement resiliency strategies**. Resiliency is the ability of a system to recover from failures and continue to function.
    
- **Build availability requirements into your design**. Availability is the proportion of time your system is functional and working.
    

#### Knowledge check:
    
- Deploying an app can be done directly to what level of physical granularity? Region


### Describe service lifecycle in Azure
#### Describe Public and Private Preview features

With **Azure Previews**, you can test pre-release features, products, services, software, and even regions. There are two categories of preview that are available:
- **Private preview** - An Azure feature is available to **certain Azure customers** for evaluation purposes.
- **Public preview** - An Azure feature is available to **all Azure customers** for evaluation purposes.

***Azure feature previews are available with their own terms and conditions. The terms and conditions are specific to each Azure preview. All preview-specific terms and conditions supplement your existing Azure service agreement.***

- Some previews aren't covered by customer support.



#### Describe the term General Availability (GA)

Once a feature has been evaluated and tested successfully, it may be released to customers as part of Azure. In other words, the feature may be made available to all Azure customers. A feature released to all Azure customers is said to have reached **General Availability (GA)**.
    

#### Describe how to monitor feature updates and product changes

Go to the **Azure updates** (https://azure.microsoft.com/en-us/updates/) page for information about the latest updates to Azure products, services, and features, as well as product roadmaps and announcements.

From the Azure updates page, you can:

- View details about all Azure updates.
- See which updates are in general availability, Preview, or Development.
- Browse updates by product category or update type, by using the provided dropdown lists.
- Search for updates by keyword by entering search terms into a text-entry field.
- Subscribe to get Azure update notifications by RSS.
- Access the Microsoft Connect page to read Azure product news and announcements.