# AZ-900 - MICROSOFT AZURE FUNDAMENTALS
---

# A) EXAM GOAL: Describe Cloud Concepts (20-25%)
---

# A1) Identify the Benefits and Considerations of Using Cloud Services
---

Identify the benefits and considerations of using cloud services:

 * Identify the benefits of cloud computing, such as High Availability, Scalability, Elasticity, Agility, and Disaster Recovery.
 * Identify the differences between Capital Expenditure (CapEx) and Operational Expenditure (OpEx).
 * Describe the consumption-based model.

# Benefits of Cloud Computing
---

## High Availability (HA)

High Availability is the ability of a system to remain operational and responsive to users over long periods of time. It is expressed as a percentage, e.g., 99.99% (four minutes of downtime per month).

What High Availability is _not_:

 * Backup or Disaster Recovery
 * High Performance
 * Load Balancing

## Reliability

Depending on the service-level agreement chosen, cloud-based applications can provide a continuous user experience with no apparent downtime even when things go wrong.

## Scalability

Scalability, or Scaling Up, is the ability of a system to handle growth in users or work by increasing the capacity of the existing resources.

Applications in the cloud can be scaled in two ways, and both can take advantage of autoscaling:

 * Vertically: Computing capacity can be increased by adding RAM or CPUs to a virtual machine.
 * Horizontally: Computing capacity can be increased by adding instances of a resource, such as adding more virtual machines to a configuration.

## Elasticity

Elasticity is the ability of a system to automatically grow (Scaling Out) and shrink (Scaling In) based on application demand by adding or removing resources.

## Agility

Agility is the ability of a system to change rapidly based on changes to market or environment, for example, being able to provision or decommission cloud services in minutes using self-service.

## Geo-distribution

Applications and data can be deployed to regional datacenters around the globe, so that customers always have the best performance in their region.

## Disaster Recovery

Disaster recovery is the ability of a system to recover from failure within a defined period of time and with a bounded amount of data loss, for example, by supporting backups of virtual machines or SQL databases.

# CapEx vs OpEx
---

## Capital Expenditure (CapEx)

CapEx is money invested in assets (like computers) that return the investment over time. CapEx is usually associated with on-premises infrastructure. In the CapEx model, companies pay their infrastructure costs upfront. These costs can include servers, storage, networking, backup, personnel, etc.

CapEx provides predictable fixed costs, but the value invested decreases over time. Also, when a project is over, there may be wasted resources.

## Operational Expenditure (OpEx)

OpEx is money spent every day on operating expenses. As an ongoing cost, OpEx is associated with cloud services, usually taking the form of a subscription, where customers pay for the product or service as they use it.

OpEx offers several benefits; for example, customers can test cloud services before committing (aka "try-before-buy"). Another benefit is paying only for the resources that are needed, for as long as they are needed. As cloud services offer the possibility to delete a resource when a task is done, OpEx is great for agile environments where demand is unpredictable.

# Consumption-Based Model
---

In the consumption-based model, resources are paid for per minute, hour, or execution. It is the model used by cloud service providers.

When using the consumption-based model:

 * Customers only pay for what they consume.
 * There are no upfront costs.
 * Customers stop paying for services that are no longer required.

# A2) Describe The Differences Between Categories of Cloud Services
---

 * Describe the Shared Responsibility Model.
 * Describe Infrastructure-as-a-Service (IaaS).
 * Describe Platform-as-a-Service (PaaS).
 * Describe Serverless Computing.
 * Describe Software-as-a-Service (SaaS).
 * Identify a service type based on a use case.

# Categories of Cloud Services
---

![IaaS, PaaS and SaaS](images\iaas_paas_saas.png "IaaS, PaaS and SaaS")

## Infrastructure-as-a-Service (IaaS)

Infrastructure-as-a-Service includes virtual machines, networking, load balancers, firewalls, and so on: generally, everything that has a physical representation in the network and can be virtualized and offered as a service by the cloud provider.

This cloud service model is the closest to managing physical servers. A cloud provider keeps the hardware up to date, but operating system maintenance and network configuration is left to the cloud tenant. For example, Azure virtual machines are fully operational virtual compute devices running in Microsoft's datacenters. An advantage of this cloud service model is rapid deployment of new compute devices. Setting up a new virtual machine is considerably faster than procuring, installing, and configuring a physical server.

## Platform-as-a-Service (PaaS)

Platform-as-a-Service includes pre-built services that can be executed remotely, without the customers having access to the underlying hardware.

This cloud service model is a managed hosting environment. The cloud provider manages the virtual machines and networking resources, and the cloud tenant deploys their applications into the managed hosting environment. For example, Azure App Services provides a managed hosting environment where developers can upload their web applications without having to deal with the physical hardware and software requirements.

## Software-as-a-Service (SaaS)

Software-as-a-Service is software installed on a cloud server that the customer can access remotely using a browser. When using SaaS, the customer is only allowed to access and change the software configuration; the customer cannot upload new code or change the existing code.

In this cloud service model, the cloud provider manages all aspects of the application environment, such as virtual machines, networking resources, data storage, and applications. The cloud tenant only needs to provide their data to the application managed by the cloud provider. For example, Office 365 provides a fully working version of Office that runs in the cloud. All that you need to do is create your content, and Office 365 takes care of everything else.

## Shared Responsibility Model

In a shared responsibility model, the workload responsibilities vary depending on whether the workload is hosted on Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS), or in an on-premises datacenter.

![Shared Responsibility Model](images\shared_responsibility_model.png "Shared Responsibility Model")

## Serverless Model

The Serverless Model refers to code that runs in stateless compute containers that are event-triggered, ephemeral (may only last for one invocation), and fully managed by the cloud provider. When using the serverless model, the customer does not have to worry about choosing the best plan or about scaling costs. Also, the customer pays nothing while the service is not being used.

![Serverless Model](images\serverless.png "Serverless Model")

Azure serverless offers include:

 * Compute: Azure Functions.
 * Compute: Serverless Kubernetes (Virtual Nodes w/ ACI).
 * Database: Azure SQL Database Serverless.
 * Database: Cosmos DB Serverless.

# Cloud Types
---

![Cloud Types](images\cloud_types.png "Cloud Types")

## Private Cloud

Computing resources are used exclusively by users from one business or organization. A private cloud can be physically located at your organization's on-site datacenter. It also can be hosted by a third-party service provider.

The private cloud looks and acts like a cloud, except that the customer owns, leases, or has exclusive access to the hardware.

## Public Cloud

Services are offered over the public internet and available to anyone who wants to purchase them. Cloud resources like servers and storage are owned and operated by a third-party cloud service provider and delivered over the internet.

In Azure public cloud, Microsoft is the cloud provider and owns all the cloud hardware, which runs in Microsoft's network and infrastructure.

## Hybrid Cloud

This computing environment combines a public cloud and a private cloud by allowing data and applications to be shared between them.

A hybrid cloud is a combination of public and private clouds, allowing a private infrastructure to scale out into the public cloud.

# B) EXAM GOAL: Describe Core Azure Services (15-20%)
---

# B1) Describe The Core Azure Architectural Components
---

 * Describe the benefits and usage of Regions and Region Pairs.
 * Describe the benefits and usage of Availability Zones.
 * Describe the benefits and usage of Resource Groups.
 * Describe the benefits and usage of Subscriptions.
 * Describe the benefits and usage of Management Groups.
 * Describe the benefits and usage of Azure Resource Manager.
 * Explain Azure resources.

# Core Azure Architectural Components
---

## Region

Azure regions are the geographical locations where the resources exist. There are currently over 60 regions. Not all the regions are accessible by everyone.

![Azure Regions](images\regions.png "Azure regions")

## Region Pair

Each region has one other region, which is treated as its pair. To comply with data storage laws, this other region is almost always in the same geography. The data connection between region pairs is the highest speed available. Azure software rollouts are deployed to one region of a pair at a time, so the other region is not affected. If multiple regions go down, one region of each pair is treated as a priority.

![Region Pair](images\region_pair.png "Region Pair")

## Availability Zone

Azure Availability Zones are physically and logically separated datacenters with their own independent power source, network, and cooling. Connected by an extremely low-latency network, they become a building block for delivering high availability applications. Availability Zones ensure that if there is an event impacting a datacenter site, for example, if someone cuts the power or there are issues with cooling, customers' data will be protected.

Not all regions have Availability Zones. In the regions where Availability Zones exist, there are 3 availability zones per region. Using Availability Zones is optional.

![Azure Availability Zones](images\availability_zone.png "Azure availability zones")

## Availability Set

An Availability Set ensures that a virtual machine stays online during maintenance or failure. When a virtual machine is added to an availability set, it is assigned to an update domain and a fault domain. VMs are assigned to update domains because only one update domain is updated at a time. Fault domains provide physically isolated hardware in the datacenter.

![Azure Availability Sets](images\availability_set.png "Azure availability sets")

## Resource Group

An Azure resource group is a logical container in which Azure resources are created. That container groups a collection of resources to enable easy monitoring, automatic provisioning, etc. A resource group created in a specific region can contain resources created in other regions.

## Subscription

An Azure subscription is a billing unit. A user can have access to one or more subscriptions, with different roles. Whenever a resource is created, the user needs to select the subscription that will be charged for the consumption of that resource. It is fine, and recommended, for users to organize sets of resources that need to be charged separately into different subscriptions, even when the different subscriptions use the same credit card.

A subscription also provides an access control boundary. When using subscriptions to separate consumption from different organizational departments, those departments will only be able to access the resources that exist within their respective subscriptions. 

![Azure Subscriptions](images\subscriptions.png "Azure subscriptions")

## Management Group

Azure management groups provide a level of scope above subscriptions. Subscriptions are organized into containers called "management groups" and users can apply their governance conditions to those management groups. All subscriptions within a management group automatically inherit the conditions applied to the management group. Management groups give users enterprise-grade management at a large scale no matter what type of subscriptions they might have. All subscriptions within a single management group must trust the same Azure Active Directory tenant.

![Azure Management Groups](images\management_group.png "Azure management groups")
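As an added example (not part of the original notes), the following Python models the scope hierarchy just described: management groups above subscriptions above resource groups, with a governance condition assigned at one level inherited by everything beneath it. The scope names and the "allowed locations" condition are constructed for illustration; the model is that every assignment on the path from a scope up to the root applies, so a deployment must satisfy all of them.

```python
"""Added example (not from the original notes): a small model of the Azure
scope hierarchy (management group -> subscription -> resource group) showing
that a governance condition assigned at a management group is inherited by
every subscription and resource group beneath it. Scope names and the
allowed-locations condition are constructed for illustration."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Scope:
    name: str
    kind: str                            # "managementGroup", "subscription" or "resourceGroup"
    parent: Optional["Scope"] = None
    # Constructed condition: the set of regions resources may be created in.
    # None means no condition is assigned directly at this scope.
    allowed_locations: Optional[frozenset] = None

    def ancestry(self):
        """Yield this scope, then each parent up to the root management group."""
        scope = self
        while scope is not None:
            yield scope
            scope = scope.parent


def effective_allowed_locations(scope):
    """Every assignment on the path to the root applies, so a location must be
    permitted by all of them: the effective set is the intersection.
    Returns None when no level of the hierarchy restricts locations."""
    allowed = None
    for s in scope.ancestry():
        if s.allowed_locations is not None:
            allowed = s.allowed_locations if allowed is None else allowed & s.allowed_locations
    return allowed


def deployment_permitted(scope, location):
    """True if a resource in `location` may be created under `scope`."""
    allowed = effective_allowed_locations(scope)
    return allowed is None or location in allowed


# Constructed hierarchy: one root management group with two child management
# groups, each holding a subscription; one subscription has a resource group
# that tightens the condition further.
root = Scope("Contoso", "managementGroup",
             allowed_locations=frozenset({"westeurope", "northeurope"}))
mg_finance = Scope("Finance", "managementGroup", parent=root)
sub_finance = Scope("finance-prod", "subscription", parent=mg_finance)
rg_payroll = Scope("rg-payroll", "resourceGroup", parent=sub_finance,
                   allowed_locations=frozenset({"westeurope"}))
mg_research = Scope("Research", "managementGroup", parent=root)
sub_lab = Scope("research-lab", "subscription", parent=mg_research)

if __name__ == "__main__":
    for scope, loc in [(rg_payroll, "northeurope"), (sub_lab, "northeurope"), (sub_lab, "eastus")]:
        print(f"{scope.name}: {loc} -> {'permitted' if deployment_permitted(scope, loc) else 'blocked'}")
```

The subscription `research-lab` carries no condition of its own, yet `eastus` is blocked there because the root management group's condition is inherited; `rg-payroll` ends up with the intersection of the root's and its own condition.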

# Azure Resources and Azure Resource Manager
---

## Resource

An Azure resource is a manageable item that is available through Azure. Virtual machines, storage accounts, web apps, databases, and virtual networks are examples of resources. Resource groups, subscriptions, management groups, and tags are also examples of resources.

## Resource Group

An Azure Resource Group is a container that holds related resources for an Azure solution. The resource group includes those resources that users want to manage as a group. Users decide which resources belong in a resource group based on what makes the most sense for their organizations.

## Resource Manager

Azure Resource Manager is the deployment and management service for Azure. It provides a management layer that enables users to create, update, and delete resources in their Azure accounts. When a user sends a request from any of the Azure tools, APIs, or SDKs, Resource Manager receives the request. It authenticates and authorizes the request. Resource Manager sends the request to the Azure service, which takes the requested action. To ensure consistent results and capabilities in all the different tools, all requests are handled through the same API.

![Azure resource Manager](images\resource_manager.png "Azure resource manager")

# B2) Describe The Core Resources Available In Azure
---

 * Describe the benefits and usage of Virtual Machines, Azure App Services, Azure Container Instances (ACI), Azure Kubernetes Service (AKS), and Windows Virtual Desktop.
 * Describe the benefits and usage of Virtual Networks, VPN Gateway, Virtual Network peering, and ExpressRoute.
 * Describe the benefits and usage of Container (Blob) Storage, Disk Storage, File Storage, and storage tiers.
 * Describe the benefits and usage of Cosmos DB, Azure SQL Database, Azure Database for MySQL, Azure Database for PostgreSQL, and SQL Managed Instance.
 * Describe the benefits and usage of Azure Marketplace.

# Azure Compute Services
---

Azure Compute Services provide the infrastructure required to execute code. Compute services offer capacity in the cloud and scale on demand. Azure Compute Services are composed of:

 * Virtual Machines
 * App Service
 * Azure Container Instances (ACI)
 * Azure Kubernetes Service (AKS)
 * Windows Virtual Desktop (WVD)

## Virtual Machines (VMs)

A virtual machine is a computer file, typically called an image, that behaves like an actual computer. In other words, it is a computer within a computer. It runs in a window, much like any other program, giving the end user the same experience on a virtual machine as they would have on the host operating system itself. The virtual machine is sandboxed from the rest of the system, meaning that the software inside a virtual machine can't escape or tamper with the computer itself. This produces an ideal environment for testing other operating systems including beta releases, accessing virus-infected data, creating operating system backups, and running software or applications on operating systems they weren't originally intended for.

Multiple virtual machines can run simultaneously on the same physical computer. For servers, the multiple operating systems run side-by-side with a piece of software called a hypervisor to manage them, while desktop computers typically employ one operating system to run the other operating systems within its program windows. Each virtual machine provides its own virtual hardware, including CPUs, memory, hard drives, network interfaces, and other devices. The virtual hardware is then mapped to the real hardware on the physical machine, which saves costs by reducing the need for physical hardware systems along with the associated maintenance costs, and reduces power and cooling demand.

## App Service

Azure App Service is an HTTP-based service for hosting web applications, REST APIs, and mobile back ends. Users can develop in their favorite language, be it .NET, .NET Core, Java, Ruby, Node.js, PHP, or Python. Applications run and scale on both Windows and Linux-based environments. Azure App Service is a Platform-as-a-Service (PaaS) offering. With App Service, users have no access to the hardware.

## Azure Container Instances (ACI)

A container is a standard unit of software that packages up code and all its dependencies so the application runs quickly and reliably from one computing environment to another. A container image is a lightweight, standalone, executable package of software that includes everything needed to run an application: code, runtime, system tools, system libraries and settings.

A container does not include an operating system that can be managed.

Containers are becoming the preferred way to package, deploy, and manage cloud applications. Azure Container Instances offers the fastest and simplest way to run a container in Azure, without having to manage any virtual machines and without having to adopt a higher-level service. ACI is a great solution for any scenario that can operate in isolated containers, including simple applications, task automation, and build jobs.

![Container](images\container.png "Container")

## Azure Kubernetes Service (AKS)

Kubernetes, also known as K8s, is an open-source system for automating deployment, scaling, and management of containerized applications. It groups containers that make up an application into logical units for easy management and discovery.

Azure Kubernetes Service simplifies deploying a managed Kubernetes cluster in Azure by offloading the operational overhead to Azure. As a hosted Kubernetes service, Azure handles critical tasks, like health monitoring and maintenance. Since Kubernetes masters are managed by Azure, users only manage and maintain the agent nodes. Thus, AKS is free; users only pay for the agent nodes within their clusters, not for the masters.

![Kubernetes](images\kubernetes.png "Kubernetes")

## Windows Virtual Desktop (WVD)

Windows Virtual Desktop is a desktop and app virtualization service that enables users to run a version of Windows in the cloud. WVD key capabilities are:

 * Create a full desktop virtualization environment in their Azure subscriptions without having to run any additional gateway servers.
 * Publish as many host pools as needed to accommodate diverse workloads.
 * Bring their own images for production workloads or test from the Azure Gallery.
 * Reduce costs with pooled, multi-session resources. With the new Windows 10 Enterprise multi-session capability exclusive to Windows Virtual Desktop and Remote Desktop Session Host (RDSH) role on Windows Server, users can greatly reduce the number of virtual machines and operating system (OS) overhead while still providing the same resources.
 * Provide individual ownership through personal (persistent) desktops.

# Azure Networking Services
---

Azure Networking Services comprise:

 * Connectivity Services.
 * Application Protection Services.
 * Application Delivery Services.
 * Network Monitoring.

# Connectivity Services
---

Azure Connectivity Services enable connecting cloud and on-premises resources using any or a combination of these networking services in Azure: Virtual Network (VNet), Virtual WAN, ExpressRoute, VPN Gateway, Virtual Network NAT Gateway, Azure DNS, VNet Peering service, and Azure Bastion.

## Virtual Network (VNet)

A virtual network emulates a physical network. Azure Virtual Network (VNet) is the fundamental building block for users' private networks in Azure. A VNet enables many types of resources, such as virtual machines, to securely communicate with each other, the internet, and on-premises networks. It is similar to a traditional network that users operate in their own data centers, but brings with it additional benefits of Azure's infrastructure such as scale, availability, and isolation.

An Azure VNet isolates and segments resources, allowing various Azure and on-premises resources to be connected, and providing filtering and routing of network traffic. An Azure VNet is contained within one region; it cannot span multiple regions.

There is no charge for using an Azure VNet. Standard charges are applicable for the resources deployed into it, such as Virtual Machines and other products. When resources in different regions need to be connected, this can be done using the VNet Peering service or VPN Gateways.

## VPN (Virtual Private Network) Gateway

Azure VPN uses a Network Gateway to connect two networks as if they were on the same network. A VPN gateway is a specific type of virtual network gateway that is used to send encrypted traffic between an Azure virtual network and an on-premises location over the public Internet. The connectivity is secure and uses the industry-standard protocols Internet Protocol Security (IPsec) and Internet Key Exchange (IKE).

Users can also use a VPN gateway to send encrypted traffic between Azure virtual networks over the Microsoft network. Each virtual network can have only one VPN gateway. However, users can create multiple connections to the same VPN gateway. When multiple connections to the same VPN gateway are created, all VPN tunnels share the available gateway bandwidth.

## Azure ExpressRoute

Azure ExpressRoute offers a fast and reliable connection to Azure with bandwidths up to 100 Gbps, which makes it excellent for scenarios like periodic data migration, replication for business continuity, disaster recovery, and other high-availability strategies. It can be a cost-effective option for transferring large amounts of data, such as datasets for high-performance computing applications, or moving large virtual machines between users' dev-test environments in an Azure virtual private cloud and their on-premises production environments.

# Application Protection Services
---

Application Protection Services use any or a combination of these networking services in Azure: Private Link, DDoS Protection, Firewall, Network Security Groups, Web Application Firewall, and Virtual Network Endpoints.

## DDoS Protection

Distributed denial of service (DDoS) attacks are some of the largest availability and security concerns facing customers that are moving their applications to the cloud. A DDoS attack attempts to exhaust an application's resources, making the application unavailable to legitimate users. DDoS attacks can be targeted at any endpoint that is publicly reachable through the internet.

Every property in Azure is protected by Azure's infrastructure DDoS (Basic) Protection at no additional cost. The scale and capacity of the globally deployed Azure network provides defense against common network-layer attacks through always-on traffic monitoring and real-time mitigation. DDoS Protection Basic requires no user configuration or application changes. DDoS Protection Basic helps protect all Azure services, including PaaS services like Azure DNS.

Azure DDoS Protection Standard, combined with application design best practices, provides enhanced DDoS mitigation features to defend against DDoS attacks. It is automatically tuned to help protect your specific Azure resources in a virtual network. Protection is simple to enable on any new or existing virtual network, and it requires no application or resource changes. It has several advantages over the basic service, including logging, alerting, and telemetry.

![DDoS Protection](images\ddos.png "DDoS protection")

## Azure Firewall

Azure Firewall is a managed, cloud-based network security service that protects Azure Virtual Network resources. It is a fully stateful Firewall-as-a-Service, with built-in high availability and unrestricted cloud scalability.

Users can centrally create, enforce, and log application and network connectivity policies across subscriptions and virtual networks. Azure Firewall uses a static public IP address for virtual network resources allowing outside firewalls to identify traffic originating from users' virtual network. The service is fully integrated with Azure Monitor for logging and analytics.

![Azure Firewall](images\firewall.png "Azure firewall")

Azure Firewall includes the following features:

 * Built-in high availability
 * Availability Zones
 * Unrestricted cloud scalability
 * Application FQDN filtering rules
 * Network traffic filtering rules
 * FQDN tags
 * Service tags
 * Threat intelligence
 * Outbound SNAT support
 * Inbound DNAT support
 * Multiple public IP addresses
 * Azure Monitor logging
 * Forced tunneling
 * Web categories (preview)
 * Certifications

## Network Security Groups

Network Security Groups can be used to filter network traffic to and from Azure resources in an Azure virtual network. A network security group contains static security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources. For each rule, users can specify source and destination, port, and protocol.

Resources from several Azure services can be deployed into an Azure virtual network. Each virtual network subnet and each network interface in a virtual machine can be associated with zero or one network security group. The same network security group can be associated with many subnets and network interfaces.

The following picture illustrates different scenarios for how network security groups might be deployed to allow network traffic, to and from the internet, over TCP port 80:

![Network Security Group](images\network_security_group.png "Network security group")
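As an added example (not part of the original notes, and not Azure's own implementation), the following Python simulates how a network security group decides whether an inbound flow is allowed or denied: rules are processed in priority order, lowest number first, and the first rule whose source, protocol and destination port match decides; the three default inbound rules sit at priorities 65000 to 65500, so any custom rule (priorities 100 to 4096) takes precedence over them. The rules, VNet address space and sample flows are constructed; service tags are reduced to address lists for the simulation, and destination addresses are not modelled.

```python
"""Added example (not from the original notes): a minimal simulation of how an
Azure Network Security Group evaluates inbound rules. Rules are processed by
ascending priority and the first match decides. The custom rules, the VNet
address space and the sample flows are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed: the VNet address space that the "VirtualNetwork" service tag
# stands for in this simulation. 168.63.129.16 is the Azure load-balancer
# health-probe address that the "AzureLoadBalancer" tag covers.
VNET = [ip_network("10.0.0.0/16")]
TAGS = {"VirtualNetwork": VNET, "AzureLoadBalancer": [ip_network("168.63.129.16/32")]}


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # lower number = evaluated first
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp", "Icmp" or "*"
    source: str        # CIDR, single IP, service tag, or "*"
    dest_ports: str    # "*", "80" or "1024-65535"


@dataclass(frozen=True)
class Flow:
    src_ip: str
    protocol: str
    dest_port: int


def address_matches(selector, ip):
    addr = ip_address(ip)
    if selector == "*":
        return True
    if selector == "Internet":
        # Simplification: everything outside the virtual network address space
        return not any(addr in net for net in VNET)
    if selector in TAGS:
        return any(addr in net for net in TAGS[selector])
    return addr in ip_network(selector, strict=False)


def port_matches(selector, port):
    if selector == "*":
        return True
    if "-" in selector:
        lo, hi = (int(p) for p in selector.split("-"))
        return lo <= port <= hi
    return port == int(selector)


def rule_matches(rule, flow):
    return (rule.protocol in ("*", flow.protocol)
            and address_matches(rule.source, flow.src_ip)
            and port_matches(rule.dest_ports, flow.dest_port))


# The default inbound rules every NSG carries; they cannot be removed, only
# overridden by custom rules with a lower priority number.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "AzureLoadBalancer", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*"),
]


def evaluate(custom_rules, flow):
    """Return (access, rule name) of the first rule, by priority, matching the flow."""
    for rule in sorted(custom_rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if rule_matches(rule, flow):
            return rule.access, rule.name
    raise AssertionError("DenyAllInBound matches every flow, so this is unreachable")


# Constructed custom rules: publish HTTP, explicitly block SSH from the Internet
CUSTOM_INBOUND = [
    Rule("AllowHttpInBound", 100, "Allow", "Tcp", "Internet", "80"),
    Rule("DenySshFromInternet", 110, "Deny", "Tcp", "Internet", "22"),
]

if __name__ == "__main__":
    for flow in [Flow("203.0.113.5", "Tcp", 80), Flow("203.0.113.5", "Tcp", 22),
                 Flow("10.0.1.4", "Tcp", 3389), Flow("203.0.113.5", "Tcp", 3389)]:
        print(flow, "->", evaluate(CUSTOM_INBOUND, flow))
```

The last two sample flows show the point that matters when reviewing an NSG: RDP from inside the VNet is allowed by the default `AllowVnetInBound` rule without any custom rule, while the same port from the Internet falls through to `DenyAllInBound`, so an inbound exposure only exists where a custom Allow rule was deliberately added above the defaults.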

## Azure Private Link

Azure Private Link enables users to access Azure PaaS Services (for example, Azure Storage and SQL Database) and Azure hosted customer-owned, or partner services, over a private endpoint in their virtual network.

Traffic between users' virtual network and the service travels the Microsoft backbone network. Exposing users' service to the public internet is no longer necessary. Users can create their own private link service in their virtual network and deliver it to their customers. Setup and consumption using Azure Private Link is consistent across Azure PaaS, customer-owned, and shared partner services.

# Application Delivery Services
---

Deliver applications in the Azure network using any or a combination of these networking services in Azure - Content Delivery Network (CDN), Azure Front Door Service, Traffic Manager, Application Gateway, Internet Analyzer, and Load Balancer.

## Load Balancer

Load balancing refers to evenly distributing load (incoming network traffic) across a group of backend resources or servers.

Azure Load Balancer operates at Layer 4 of the Open Systems Interconnection (OSI) model. It is the single point of contact for clients. The load balancer distributes inbound flows that arrive at its front end to backend pool instances, according to the configured load-balancing rules and health probes. The backend pool instances can be Azure Virtual Machines or instances in a virtual machine scale set.

A public load balancer can provide outbound connections for virtual machines (VMs) inside users' virtual network. These connections are accomplished by translating their private IP addresses to public IP addresses. Public Load Balancers are used to load balance internet traffic to users' VMs.

An internal (or private) load balancer is used where private IPs are needed at the frontend only. Internal load balancers are used to load balance traffic inside a virtual network. A load balancer frontend can be accessed from an on-premises network in a hybrid scenario.

![Load Balancer](images\load_balancer.png "Load balancer")

## Application Gateway

Azure Application Gateway is a Web traffic load balancer that enables users to manage traffic to their Web applications. Traditional load balancers operate at the transport layer (OSI Layer 4 - TCP and UDP) and route traffic based on source IP address and port, to a destination IP address and port.

Application Gateway can make routing decisions based on additional attributes of an HTTP request, for example, its URI path or Host headers. For example, traffic can be routed based on the incoming URL. So if "/images" is in the incoming URL, traffic can be routed to a specific set of servers (known as a "pool") configured for images. If "/video" is in the URL, that traffic is routed to another pool that is optimized for videos. This type of routing is known as application layer (OSI Layer 7) load balancing. Azure Application Gateway can do URL-based routing and more.

![Application Gateway](images\application_gateway.png "Application gateway")

## Content Delivery Network (CDN)

A CDN is a distributed network of servers that can efficiently deliver Web content to users. CDNs store cached content on edge servers in point-of-presence (POP) locations that are close to end users, to minimize latency.

Azure Content Delivery Network (CDN) offers developers a global solution for rapidly delivering high-bandwidth content by caching their content at strategically placed physical nodes across the world. Azure CDN can also accelerate dynamic content, which cannot be cached, by leveraging various network optimizations using CDN POPs. For example, route optimization to bypass Border Gateway Protocol (BGP).

![Content Delivery Network](images\cdn.png "Content Delivery Network")

## Azure Front Door Service

Azure Front Door is a global, scalable entry point that uses the Microsoft global edge network to create fast, secure, and widely scalable web applications. With Front Door, you can transform your global consumer and enterprise applications into robust, high-performing, personalized modern applications with content that reaches a global audience through Azure.

Front Door works at Layer 7 (HTTP/HTTPS layer) using anycast protocol with split TCP and Microsoft's global network to improve global connectivity. Based on your routing method you can ensure that Front Door will route your client requests to the fastest and most available application backend. An application backend is any Internet-facing service hosted inside or outside of Azure. Front Door provides a range of traffic-routing methods and backend health monitoring options to suit different application needs and automatic failover scenarios. Similar to Traffic Manager, Front Door is resilient to failures, including failures to an entire Azure region.

# Network Monitoring
---

Monitor network resources using any or a combination of these networking services in Azure - Network Watcher, ExpressRoute Monitor, Azure Monitor, or VNet Terminal Access Point (TAP).

## Network Watcher

Azure Network Watcher provides tools to monitor, diagnose, view metrics, and enable or disable logs for resources in an Azure virtual network. Network Watcher is designed to monitor and repair the network health of IaaS products which includes Virtual Machines, Virtual Networks, Application Gateways, Load Balancers, etc. Azure Network Watcher is not intended for and will not work for PaaS monitoring or Web analytics.

## ExpressRoute Monitor

Network Performance Monitor (NPM) is a cloud-based network monitoring solution that monitors connectivity between Azure cloud deployments and their on-premises locations (branch offices, etc.). NPM is part of Azure Monitor logs. NPM offers an extension for ExpressRoute that enables users to monitor network performance over ExpressRoute circuits that are configured to use private peering or Microsoft peering.

## Azure Monitor

Azure Monitor helps users to maximize the availability and performance of their applications and services. It delivers a comprehensive solution for collecting, analyzing, and acting on telemetry from cloud and on-premises environments. This information helps users to understand how the applications are performing and proactively identify issues affecting them and the resources they depend on.

# Azure Storage Services
---

Azure Storage Services consist of:

 * Azure Blobs (Containers).
 * Azure Files.
 * Azure Queues.
 * Azure Tables.
 * Azure Managed Disks.

# Azure Storage Performance
---

Standard storage accounts are backed by magnetic drives and provide the lowest cost per GB. They're best for applications that require bulk storage or where data is accessed infrequently.

Premium storage accounts are backed by solid state drives and offer consistent, low-latency performance. They can only be used with Azure virtual machine disks, and are best for I/O-intensive applications, like databases. Additionally, virtual machines that use Premium storage for all disks qualify for a 99.9% SLA, even when running outside of an availability set. This setting can't be changed after the storage account is created.

# Azure Blob Storage
---

Azure Blob Storage is optimized for storing massive amounts of unstructured data. Unstructured data is data that doesn't adhere to a particular data model or definition, such as text or binary data.

Blob storage is designed for:

 * Serving images or documents directly to a browser.
 * Storing files for distributed access.
 * Streaming video and audio.
 * Writing to log files.
 * Storing data for backup and restore, disaster recovery, and archiving.
 * Storing data for analysis by an on-premises or Azure-hosted service.

Users or client applications can access objects in Blob storage over HTTP/HTTPS, using the Azure Storage REST API, Azure PowerShell, Azure CLI, or an Azure Storage client library.

Azure Storage supports three types of blobs:

 * Block blobs store text and binary data. Block blobs are made up of blocks of data that can be managed individually. Block blobs store up to about 4.75 TiB of data. Larger block blobs are available in preview, up to about 190.7 TiB.
 * Append blobs are made up of blocks like block blobs, but are optimized for append operations. Append blobs are ideal for scenarios such as logging data from virtual machines.
 * Page blobs store random access files up to 8 TiB in size. Page blobs store virtual hard drive (VHD) files and serve as disks for Azure virtual machines.

### Azure Blob Storage Access Tiers

The Azure Blob Storage service offers different access tiers, allowing blob object data to be stored in the most cost-effective manner. The available access tiers include:

 * Hot: Optimized for storing data that is accessed frequently.
 * Cool: Optimized for storing data that is infrequently accessed and stored for at least 30 days.
 * Archive: Optimized for storing data that is rarely accessed and stored for at least 180 days with flexible latency requirements, on the order of hours.

# Azure Table Storage
---

Azure Table Storage is a service that stores non-relational structured data (also known as structured NoSQL data) in the cloud, providing a key/attribute store with a schemaless design. Because Table storage is schemaless, it's easy to adapt data as the needs of the application evolve. Access to Table Storage data is fast and cost-effective for many types of applications, and is typically lower in cost than traditional SQL for similar volumes of data.

Table Storage can be used to store flexible datasets like user data for web applications, address books, device information, or other types of metadata a service requires. Any number of entities can be stored in a table, and a storage account may contain any number of tables, up to the capacity limit of the storage account.

Azure Table Storage stores large amounts of structured data. The service is a NoSQL datastore which accepts authenticated calls from inside and outside the Azure cloud. Azure tables are ideal for storing structured, non-relational data. Common uses of Table Storage include:

 * Storing TBs of structured data capable of serving Web scale applications.
 * Storing datasets that don't require complex joins, foreign keys, or stored procedures, and that can be denormalized for fast access.
 * Quickly querying data using a clustered index.
 * Accessing data using the OData protocol and LINQ queries with WCF Data Service .NET Libraries.

Table Storage can be used to store and query huge sets of structured, non-relational data, and tables scale as demand increases.

![Azure Table Storage](images\table.png "Azure table storage")

# Azure Queue Storage
---

Azure Queue Storage is a service for storing large numbers of messages. You access messages from anywhere in the world via authenticated calls using HTTP or HTTPS. A queue message can be up to 64 KB in size. A queue may contain millions of messages, up to the total capacity limit of a storage account. Queues are commonly used to create a backlog of work to process asynchronously.

![Azure Queue Storage](images\queue.png "Azure queue storage")

Azure Queue Storage contains the following components:

 * URL format: Queues are addressable using the following URL format: `https://<storage account>.queue.core.windows.net/<queue>`. For example, the following URL addresses a queue in the diagram: `https://myaccount.queue.core.windows.net/images-to-download`.

 * Storage account: All access to Azure Storage is done through a storage account. For information about storage account capacity, see Scalability and performance targets for standard storage accounts.

 * Queue: A queue contains a set of messages. The queue name must be all lowercase. For information on naming queues, see Naming queues and metadata.

 * Message: A message, in any format, of up to 64 KB. Before version 2017-07-29, the maximum time-to-live allowed is seven days. For version 2017-07-29 or later, the maximum time-to-live can be any positive number, or -1 indicating that the message doesn't expire. If this parameter is omitted, the default time-to-live is seven days.
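As an added example (not part of the original notes), the rules just listed expressed as offline checks in Python: the queue URL format, the lowercase queue name rule, the 64 KB message limit and the version-dependent time-to-live. Account and queue names are constructed; the full queue-naming rules and the Base64 remark go beyond what the notes state and are taken from the documented service behaviour.

```python
from __future__ import annotations

import base64
import re

MAX_MESSAGE_BYTES = 64 * 1024       # a queue message can be up to 64 KB
SEVEN_DAYS = 7 * 24 * 60 * 60       # default TTL, and the maximum before version 2017-07-29
TTL_UNBOUNDED_FROM = "2017-07-29"   # from this version on, TTL may be any positive value or -1

# The notes only say "all lowercase". The documented rule set (an assumption beyond the
# notes) is: 3-63 characters of lowercase letters, digits and hyphens, starting with a
# letter or digit, no consecutive and no trailing hyphen. Storage account names are
# 3-24 lowercase letters and digits.
_QUEUE_NAME = re.compile(r"[a-z0-9](?:-?[a-z0-9])*")
_ACCOUNT_NAME = re.compile(r"[a-z0-9]{3,24}")


def is_valid_queue_name(name: str) -> bool:
    return 3 <= len(name) <= 63 and _QUEUE_NAME.fullmatch(name) is not None


def queue_url(account: str, queue: str) -> str:
    """Build https://<storage account>.queue.core.windows.net/<queue> from validated names."""
    if _ACCOUNT_NAME.fullmatch(account) is None:
        raise ValueError(f"invalid storage account name: {account!r}")
    if not is_valid_queue_name(queue):
        raise ValueError(f"invalid queue name: {queue!r}")
    return f"https://{account}.queue.core.windows.net/{queue}"


def effective_ttl(ttl_seconds: int | None, api_version: str) -> int:
    """Return the time-to-live the service would apply, or raise ValueError.
    Service versions are ISO dates, so plain string comparison orders them correctly."""
    if ttl_seconds is None:
        return SEVEN_DAYS                      # parameter omitted: default of seven days
    if api_version < TTL_UNBOUNDED_FROM:
        if not 0 < ttl_seconds <= SEVEN_DAYS:
            raise ValueError("before 2017-07-29 the TTL must be between 1 second and 7 days")
        return ttl_seconds
    if ttl_seconds == -1 or ttl_seconds > 0:
        return ttl_seconds                     # -1 means the message never expires
    raise ValueError("TTL must be a positive number of seconds, or -1 for no expiry")


def ttl_is_valid(ttl_seconds: int | None, api_version: str) -> bool:
    try:
        effective_ttl(ttl_seconds, api_version)
        return True
    except ValueError:
        return False


def fits_in_queue(payload: bytes, base64_encode: bool = True) -> bool:
    """Check the 64 KB limit. The Storage SDKs commonly Base64-encode message bodies, so
    the encoded size counts: roughly 4/3 of the raw size, i.e. about 48 KB of raw data."""
    body = base64.b64encode(payload) if base64_encode else payload
    return len(body) <= MAX_MESSAGE_BYTES


if __name__ == "__main__":
    print(queue_url("myaccount", "images-to-download"))
    print("TTL for omitted parameter:", effective_ttl(None, "2017-07-29"))
    print("48 KB raw payload fits after Base64:", fits_in_queue(b"x" * 49152))
```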

# Azure Files
---

Azure Files offers fully managed file shares in the cloud that are accessible via the industry standard Server Message Block (SMB) protocol or Network File System (NFS) protocol. Azure file shares can be mounted concurrently by cloud or on-premises deployments. Azure Files SMB file shares are accessible from Windows, Linux, and macOS clients. Azure Files NFS file shares are accessible from Linux or macOS clients. Additionally, Azure Files SMB file shares can be cached on Windows Servers with Azure File Sync for fast access near where the data is being used.

Azure file shares can be used to:

 * Replace or supplement on-premises file servers: Azure Files can be used to completely replace or supplement traditional on-premises file servers or NAS devices. Popular operating systems such as Windows, macOS, and Linux can directly mount Azure file shares wherever they are in the world. Azure File SMB file shares can also be replicated with Azure File Sync to Windows Servers, either on-premises or in the cloud, for performance and distributed caching of the data where it's being used. With the recent release of Azure Files AD Authentication, Azure File SMB file shares can continue to work with AD hosted on-premises for access control.

 * "Lift and shift" applications: Azure Files makes it easy to "lift and shift" applications to the cloud that expect a file share to store application or user data. Azure Files enables both the "classic" lift and shift scenario, where both the application and its data are moved to Azure, and the "hybrid" lift and shift scenario, where the application data is moved to Azure Files, and the application continues to run on-premises.

 * Simplify cloud development: Azure Files can also be used in numerous ways to simplify new cloud development projects. For example:

   * Shared application settings: A common pattern for distributed applications is to have configuration files in a centralized location where they can be accessed from many application instances. Application instances can load their configuration through the File REST API, and humans can access them as needed by mounting the SMB share locally.

   * Diagnostic share: An Azure file share is a convenient place for cloud applications to write their logs, metrics, and crash dumps. Logs can be written by the application instances via the File REST API, and developers can access them by mounting the file share on their local machine. This enables great flexibility, as developers can embrace cloud development without having to abandon any existing tooling they know and love.

   * Dev/Test/Debug: When developers or administrators are working on VMs in the cloud, they often need a set of tools or utilities. Copying such utilities and tools to each VM can be a time-consuming exercise. By mounting an Azure file share locally on the VMs, a developer or administrator can quickly access their tools and utilities, no copying required.

   * Containerization: Azure file shares can be used as persistent volumes for stateful containers. Containers deliver "build once, run anywhere" capabilities that enable developers to accelerate innovation. For containers that access raw data at every start, a shared file system is required to allow these containers to access the file system no matter which instance they run on.

# Azure Managed Disks
---

Azure Managed Disks are block-level storage volumes that are managed by Azure and used with Azure Virtual Machines. Managed disks are like a physical disk in an on-premises server, but virtualized. With managed disks, all you have to do is specify the disk size and the disk type, and provision the disk. Once you provision the disk, Azure handles the rest.

The available types of disks are ultra disks, premium solid-state drives (SSD), standard SSDs, and standard hard disk drives (HDD).

There are three main disk roles in Azure: the data disk, the OS disk, and the temporary disk. These roles map to disks that are attached to your virtual machine.

![Azure Disks](images\disks.png "Azure disks")

# Azure Databases
---

Azure Database Services are:

 * Cosmos DB
 * Azure SQL Database
 * Azure Database for MySQL
 * Azure Database for PostgreSQL
 * SQL Managed Instance

# Cosmos DB
---

 * NoSQL storage
 * Extremely fast storage
 * Designed for modern applications such as mobile video games, social networks, and other workloads that require global replication across many regions
 * Multi-model
 * Supports many open-source APIs and protocols

# Azure SQL Database
---

 * Runs on the SQL Server engine underneath
 * Relational DB
 * Database as a service
 * Easy to replicate
 * Easy to scale
 * Easy to migrate from SQL Server on-premises

# Azure Database for MySQL
---

 * Managed MySQL database
 * Common open-source DB
 * Makes migration to the cloud easier 

# Azure Database for PostgreSQL
---

 * Managed PostgreSQL database
 * Open-source DB
 * Has better support for clusters and more complex server setups
 * Makes migration to the cloud easier

# SQL Managed Instance
---

 * Most compatible with existing SQL Server
 * Minimal code changes
 * Fully managed by Azure
 * Always up-to-date

# Azure Marketplace
---

Azure Marketplace is where Microsoft and its partners list the various computing services available for customers' use.

# C) EXAM GOAL: Describe Core Solutions and Management Tools on Azure (10-15%)
---

# C1) Describe Core Solutions Available on Azure
---

 * Describe the benefits and usage of Internet of Things (IoT) Hub, IoT Central, and Azure Sphere.
 * Describe the benefits and usage of Azure Synapse Analytics, HDInsight, and Azure Databricks.
 * Describe the benefits and usage of Azure Machine Learning, Cognitive Services and Azure Bot Service.
 * Describe the benefits and usage of Serverless Computing solutions that include Azure Functions and Logic Apps.
 * Describe the benefits and usage of Azure DevOps, GitHub, GitHub Actions, and Azure DevTest Labs.

# Internet of Things (IoT)
---

Azure Internet of Things offering includes:

 * IoT Hub

 Azure IoT Hub enables highly secure and reliable communication between Internet of Things (IoT) applications and the devices they manage. Azure IoT Hub provides a cloud-hosted solution back end to connect virtually any device, extending the solution from the cloud to the edge with per-device authentication, built-in device management, and scaled provisioning.

 * IoT Central

 Azure IoT Central is an IoT application platform that reduces the burden and cost of developing, managing, and maintaining enterprise-grade IoT solutions. Building with IoT Central lets you focus time, money, and energy on transforming your business with IoT data, rather than just maintaining and updating a complex and continually evolving IoT infrastructure.
 
 * Azure Sphere
 
 Azure Sphere is a comprehensive IoT security solution that includes hardware (a crossover microcontroller), OS, and cloud components for IoT device security that actively protects devices, businesses, and customers.

# Big Data and Analytics
---

Azure Big Data and Analytics offering includes:

 * Azure Synapse Analytics (formerly SQL Data Warehouse)

  Azure Synapse is an enterprise analytics service that accelerates time to insight across data warehouses and big data systems. Azure Synapse brings together the best of SQL technologies used in enterprise data warehousing, Spark technologies used for big data, Pipelines for data integration and ETL/ELT, and deep integration with other Azure services such as Power BI, CosmosDB, and AzureML.

 * HDInsight

  Azure HDInsight is a managed open-source analytics service in the cloud for enterprises. HDInsight is an umbrella name that includes open-source frameworks such as Hadoop, Apache Spark, Apache Hive, LLAP (Hive's Live Long And Process functionality), Apache Kafka, Apache Storm, R, and more. Azure HDInsight lets you process massive amounts of data and get all the benefits of the broad open-source project ecosystem with the global scale of Azure.
 
 * Azure Databricks

 Azure Databricks is a data analytics platform optimized for the Microsoft Azure cloud services platform. Azure Databricks offers two environments for developing data intensive applications: Azure Databricks SQL Analytics and Azure Databricks Workspace.

 Azure Databricks SQL Analytics provides an easy-to-use platform for analysts who want to run SQL queries on their data lake, create multiple visualization types to explore query results from different perspectives, and build and share dashboards.

 Azure Databricks Workspace provides an interactive workspace that enables collaboration between data engineers, data scientists, and machine learning engineers. For a big data pipeline, the data (raw or structured) is ingested into Azure through Azure Data Factory in batches, or streamed near real-time using Apache Kafka, Event Hub, or IoT Hub. This data lands in a data lake for long term persisted storage, in Azure Blob Storage or Azure Data Lake Storage. As part of your analytics workflow, use Azure Databricks to read data from multiple data sources and turn it into breakthrough insights using Spark.

# Artificial Intelligence (AI)
---

Azure Artificial Intelligence offering includes:

 * Azure Machine Learning

 Azure Machine Learning can be used for any kind of machine learning, from classical ML to deep learning, supervised, and unsupervised learning. Whether you prefer to write Python or R code with the SDK or work with no-code/low-code options in the studio, you can build, train, and track machine learning and deep-learning models in an Azure Machine Learning Workspace.

 * Cognitive Services

 Azure Cognitive Services are cloud-based services with REST APIs and client library SDKs available to help you build cognitive intelligence into your applications. You can add cognitive features to your applications without having artificial intelligence (AI) or data science skills. Azure Cognitive Services comprise various AI services that enable you to build cognitive solutions that can see, hear, speak, understand, and even make decisions.

 Azure Cognitive Services include:

   * Vision
   * Speech
   * Language
   * Decision
   * Search

 * Azure Bot Service

 Azure Bot Service is a natural language chatbot service that provides an integrated environment purpose-built for bot development. Azure Bot Service is a cloud platform that hosts bots and makes them available to channels. It uses a database of Frequently-Asked Questions (FAQ). A bot is an app that users interact with in a conversational way, using text, graphics (such as cards or images), or speech.

# Serverless Computing
---

Azure Serverless Computing offering includes:

 * Azure Functions

 Azure Functions is a serverless solution that lets you write less code, maintain less infrastructure, and save on costs. Instead of worrying about deploying and maintaining servers, the cloud infrastructure provides all the up-to-date resources needed to keep the applications running.

 * Logic Apps

 Azure Logic Apps is a cloud workflow service that helps to schedule, automate, and orchestrate tasks, business processes, and workflows to integrate apps, data, systems, and services across enterprises or organizations. Logic Apps simplifies designing and building scalable solutions for app integration, data integration, system integration, enterprise application integration (EAI), and business-to-business (B2B) communication, whether in the cloud, on premises, or both.

 * Event Grid

 Event Grid is an eventing backplane that enables event-driven, reactive programming. It uses a publish-subscribe model. Publishers emit events, but have no expectation about which events are handled. Subscribers decide which events they want to handle.

 Event Grid is deeply integrated with Azure services and can be integrated with third-party services. It simplifies event consumption and lowers costs by eliminating the need for constant polling. Event Grid efficiently and reliably routes events from Azure and non-Azure resources. It distributes the events to registered subscriber endpoints. The event message has the information you need to react to changes in services and applications. Event Grid isn't a data pipeline, and doesn't deliver the actual object that was updated. It supports dead-lettering for events that aren't delivered to an endpoint.

 Event Grid has the following characteristics:
 
   * Dynamically scalable
   * Low cost
   * Serverless
   * At least once delivery
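To make the at-least-once and dead-lettering characteristics concrete, here is an added example (not Event Grid's own code or SDK) that simulates them in Python: an in-memory grid routes constructed events by eventType, retries an endpoint that does not acknowledge, dead-letters what is never accepted, and shows why a subscriber must deduplicate on the event id. The field names follow the Event Grid event schema; the handlers, subscription names and events are constructed for this example.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable

Event = dict  # one event in Event Grid schema form (id, eventType, subject, eventTime, data)


def make_event(event_id: str, event_type: str, subject: str, data: dict) -> Event:
    # The payload points at the changed object (a URL); Event Grid never ships the object itself.
    return {"id": event_id, "eventType": event_type, "subject": subject,
            "eventTime": "2021-01-01T00:00:00Z", "dataVersion": "1", "data": data}


@dataclass
class Subscription:
    name: str
    event_type: str                   # deliver only this eventType ("*" matches all)
    handler: Callable[[Event], bool]  # returns True once the endpoint acknowledges
    max_attempts: int = 3             # deliveries tried before dead-lettering


@dataclass
class Grid:
    subscriptions: list[Subscription] = field(default_factory=list)
    dead_letters: list[tuple[str, Event]] = field(default_factory=list)
    attempts: dict[tuple[str, str], int] = field(default_factory=dict)

    def subscribe(self, sub: Subscription) -> None:
        self.subscriptions.append(sub)

    def publish(self, event: Event) -> int:
        """Route one event to every matching subscription. The publisher neither knows nor
        cares who handles it. Returns the number of acknowledged deliveries."""
        delivered = 0
        for sub in self.subscriptions:
            if sub.event_type in ("*", event["eventType"]) and self._deliver(sub, event):
                delivered += 1
        return delivered

    def _deliver(self, sub: Subscription, event: Event) -> bool:
        for attempt in range(1, sub.max_attempts + 1):
            self.attempts[(sub.name, event["id"])] = attempt
            if sub.handler(event):        # acknowledged, possibly after redeliveries
                return True
        # Never acknowledged: keep it in the dead-letter list rather than dropping it.
        self.dead_letters.append((sub.name, event))
        return False


class IdempotentEndpoint:
    """Subscriber written for at-least-once delivery: it deduplicates on the event id,
    so a redelivery (e.g. after a lost acknowledgement) is not processed twice."""

    def __init__(self, lose_first_ack: bool = False) -> None:
        self.lose_first_ack = lose_first_ack
        self.seen: set[str] = set()
        self.processed: list[str] = []
        self.calls = 0

    def __call__(self, event: Event) -> bool:
        self.calls += 1
        if event["id"] not in self.seen:
            self.seen.add(event["id"])
            self.processed.append(event["subject"])
        # Work is done, but the first acknowledgement is "lost": the grid retries,
        # and the dedup above keeps the retry harmless.
        return not (self.lose_first_ack and self.calls == 1)


def reject_everything(event: Event) -> bool:
    return False  # a broken webhook that never acknowledges anything


def run_demo() -> dict:
    grid = Grid()
    thumbnails = IdempotentEndpoint(lose_first_ack=True)
    audit = IdempotentEndpoint()
    grid.subscribe(Subscription("thumbnails", "Microsoft.Storage.BlobCreated", thumbnails))
    grid.subscribe(Subscription("audit-log", "*", audit))
    grid.subscribe(Subscription("broken-webhook", "Microsoft.Storage.BlobCreated",
                                reject_everything, max_attempts=2))
    # Constructed sample events; account, container and blob names are made up.
    created = make_event("evt-1", "Microsoft.Storage.BlobCreated",
                         "/blobServices/default/containers/images/blobs/photo.jpg",
                         {"url": "https://myaccount.blob.core.windows.net/images/photo.jpg"})
    deleted = make_event("evt-2", "Microsoft.Storage.BlobDeleted",
                         "/blobServices/default/containers/images/blobs/old.jpg", {})
    delivered = grid.publish(created) + grid.publish(deleted)
    return {
        "delivered": delivered,
        "thumbnail_attempts": grid.attempts[("thumbnails", "evt-1")],
        "thumbnails_processed": len(thumbnails.processed),
        "audit_processed": len(audit.processed),
        "dead_lettered": [(name, e["id"]) for name, e in grid.dead_letters],
    }
```

Running `run_demo()` shows the thumbnail endpoint receiving evt-1 twice but processing it once, while the webhook that never acknowledges ends up in the dead-letter list instead of silently losing the event.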


# Azure DevOps Solutions
---

Azure DevOps Solutions offering includes:

 * Azure DevOps
 * GitHub
 * GitHub Actions
 * Azure DevTest Labs

# Azure DevOps
---

Azure DevOps provides developer services that support teams in planning work, collaborating on code development, and building and deploying applications. Azure DevOps supports a culture and set of processes that bring developers, project managers, and contributors together to complete software development. It allows organizations to create and improve products at a faster pace than they can with traditional software development approaches.

You can work in the cloud using Azure DevOps Services or on-premises using Azure DevOps Server. For information on the differences between the cloud versus on-premises platforms, see Azure DevOps Services and Azure DevOps Server.

Azure DevOps provides integrated features that you can access through your web browser or IDE client. You can use one or more of the following standalone services based on your business needs:

 * Azure Repos provides Git repositories or Team Foundation Version Control (TFVC) for source control of code.
 * Azure Pipelines provides build and release services to support continuous integration and delivery of your applications.
 * Azure Boards delivers a suite of Agile tools to support planning and tracking work, code defects, and issues using Kanban and Scrum methods.
 * Azure Test Plans provides several tools to test your apps, including manual/exploratory testing and continuous testing.
 * Azure Artifacts allows teams to share packages such as Maven, npm, NuGet, and more from public and private sources and integrate package sharing into your pipelines.

The following collaboration tools are also available:

 * Customizable team dashboards with configurable widgets to share information, progress, and trends
 * Built-in wikis for sharing information
 * Configurable notifications

Azure DevOps supports adding extensions and integrating with other popular services, such as: Campfire, Slack, Trello, UserVoice, and more, and developing your own custom extensions.

Azure DevOps Services supports integration with GitHub.com and GitHub Enterprise Server repositories. Azure DevOps Server supports integration with GitHub Enterprise Server repositories.

# GitHub
---

Azure's integration with GitHub offers the following features:

 * You can sign into Azure portal and Azure DevOps using your GitHub account. This capability provides a seamless login experience enabling you to conveniently go from repository to deployment with just your GitHub account.

 * Leverage GitHub Actions for Azure to easily create code-to-cloud workflows for various Azure scenarios. With GitHub Actions for Azure you can create and set up workflows in your repository to build, test, package, release and deploy to Azure. GitHub Actions for Azure provide native support for deployments to Azure Kubernetes Service, Azure Web Apps, Azure SQL Database, Azure Functions and more.

 * Boost your team's productivity with Boards, Backlogs, and Sprints for even the most complex projects. Simply connect your GitHub repo to Azure Boards and start linking commits and pull requests to work items tracked in Azure Boards, enabling you to develop while planning and tracking work.

 * Securely bring open-source code and best practices to your enterprise projects. Accelerate your software development with open-source components and through collaboration with the open-source community. Increase developer velocity through innersourcing and build like the best software development teams in the world. Flexibility, security, compliance, and deployment controls make it easy for your team to use GitHub Enterprise wherever you need it.

 * Synchronize groups of GitHub users with Azure Active Directory (Azure AD) to enforce a secure workplace identity. Azure AD provisioning allows GitHub customers to leverage their existing Azure AD solution for group membership so that their administrators and developers can focus on their application development. As a result, the Azure AD synchronization capability enables customers to reduce their administrative time, improve auditability and increase user security.

 * To increase developer velocity, there is a need to shift from manually managing each policy in the Azure portal to something more manageable, collaborative, and repeatable at enterprise scale. You can now easily export Azure policies to a GitHub repository in just a few clicks. You can then collaborate, track changes using version control, and deploy the policies using custom GitHub workflows.

 * Reduce ramp-up time on Git and be more productive with built-in GitHub extensions in Visual Studio. Create and publish repos, manage pull requests on GitHub, and review source code right inside Visual Studio.

# GitHub Actions
---

GitHub Actions helps to automate your software development workflows from within GitHub. You can deploy workflows in the same place where you store code and collaborate on pull requests and issues.

In GitHub Actions, a workflow is an automated process that you set up in your GitHub repository. You can build, test, package, release, or deploy any project on GitHub with a workflow.

Each workflow is made up of individual actions that run after a specific event (like a pull request) occurs. The individual actions are packaged scripts that automate software development tasks.

With GitHub Actions for Azure, you can create workflows that you can set up in your repository to build, test, package, release, and deploy to Azure. GitHub Actions for Azure supports Azure services, including Azure App Service, Azure Functions, and Azure Key Vault.

GitHub Actions also include support for utilities, including Azure Resource Manager templates, Azure CLI, and Azure Policy.

# Azure DevTest Labs
---

DevTest Labs provides the following capabilities to developers working with VMs:

 * Create VMs quickly by following fewer than five simple steps.
 * Choose from a curated list of VM bases that are configured, approved, and authorized by the team lead or central IT.
 * Create VMs from pre-created custom images that have all the software and tools already installed.
 * Create VMs from formulas that are essentially custom images combined with the latest builds of the software that's installed when the VMs are created.
 * Install artifacts that are extensions deployed on VMs after they're provisioned.
 * Set auto-shutdown and auto-start schedules on VMs.
 * Claim a pre-created VM without going through the creation process.

DevTest Labs provides the following capabilities to developers working with PaaS environments:

 * Use Resource Manager to quickly create PaaS environments by following fewer than three simple steps.
 * Choose from a curated list of Resource Manager templates, which are configured, and authorized by the team lead or central IT.
 * Spin up an empty resource group (sandbox) by using a Resource Manager template to explore Azure within the context of a lab.

DevTest Labs also enables central IT to control waste, optimize costs on resources, and stay within budgets by doing the following tasks:

 * Setting auto-shutdown and auto-start schedules on VMs.
 * Setting policies on the number of VMs that users can create.
 * Setting policies on VMs' sizes and gallery images that users choose from.
 * Tracking costs and setting targets on labs.
 * Getting notified on high projected costs for labs so you can take necessary actions.

# C2) Describe Azure Management Tools
---

 * Describe the functionality and usage of the Azure Portal, Azure PowerShell, Azure CLI, Cloud Shell, and Azure Mobile App.
 * Describe the functionality and usage of Azure Advisor.
 * Describe the functionality and usage of Azure Resource Manager (ARM) templates.
 * Describe the functionality and usage of Azure Monitor.
 * Describe the functionality and usage of Azure Service Health.

# Azure Tools
---

## Azure Portal

 * The Portal is a web-based console that provides a graphical user interface and is the most common way to interact with the cloud.
 * You can build, manage, and monitor things such as simple web apps, subscriptions, billing, and even complex cloud deployments.
 * The Azure portal is designed for resiliency, low access latency, and high availability, as it is present in every datacenter.
 * It is kept continuously updated, hence it does not suffer any downtime.

## Azure PowerShell

 * Azure PowerShell is an extension of Windows PowerShell with its own modules and cmdlets.
 * Through these cmdlets a user can perform powerful common tasks on the Azure cloud without needing the Azure portal.
 * Users can create automation scripts using PowerShell for repetitive tasks on the cloud, resulting in a drastic decrease in administrative overhead.

## Azure CLI (Command-Line Interface)

The Azure command-line interface (Azure CLI) is a set of commands used to create and manage Azure resources. The Azure CLI is available across Azure services and is designed to get you working quickly with Azure, with an emphasis on automation.

Azure CLI capabilities make it easy to work with different programming languages and software environments:

 * Is available to install in Windows, macOS, and Linux environments.
 * Can also be run in Docker and Azure Cloud Shell.
 * Offers command-line flexibility when managing an Azure solution.
 * Supports long-running operations.
 * Has the ability to use one subscription for all commands, or vary subscriptions per command.
 * Allows for querying of command-line results with query output returned in your format of choice.
 * Has the flexibility to work with multiple clouds.
 * Provides configurable settings for logging, data collection, and default argument values.
 * Is deployed with Resource Manager deployment templates.

## Azure Cloud Shell

 * Cloud Shell grants access to a browser-based command-line experience that has been built with Azure management tasks in mind.
 * As it is browser-based, it provides more flexibility than PowerShell, since it remains machine and OS independent.
 * It further differentiates itself from Azure PowerShell by offering a choice between Bash and PowerShell inside the browser.
 * Microsoft manages Cloud Shell, hence it comes with up-to-date command-line tools and language support.
 * Cloud Shell is also automated to securely authenticate and provide you with instant access to your resources.

## Azure Mobile App

With the Azure mobile app, you don't need to be in front of your computer to keep an eye on your Azure resources such as VMs and web apps. Stay connected no matter where you are from your iOS or Android mobile device.

Check for alerts, view metrics, and take corrective actions to fix common issues. Restart a web app or connect to a VM directly. Be agile and respond to issues faster with the Azure mobile app. Want to use the command line? Run ad hoc Azure CLI or PowerShell commands from the Azure mobile app.

# Azure Advisor
---

Advisor is a personalized cloud consultant that helps you follow best practices to optimize your Azure deployments. It analyzes your resource configuration and usage telemetry and then recommends solutions that can help you improve the cost effectiveness, performance, Reliability (formerly called High availability), and security of your Azure resources.

With Advisor, you can:

 * Get proactive, actionable, and personalized best practices recommendations.
 * Improve the performance, security, and reliability of your resources, as you identify opportunities to reduce your overall Azure spend.
 * Get recommendations with proposed actions inline.

# Azure Resource Manager (ARM)
---

Azure Resource Manager is the deployment and management service for Azure. It provides a management layer that enables you to create, update, and delete resources in your Azure account. You use management features, like access control, locks, and tags, to secure and organize your resources after deployment.

![Resource Manager Tools](images\resource_manager_tools.png "Resource Manager Tools")

# Azure Monitor
---

Azure Monitor helps you maximize the availability and performance of your applications and services. It delivers a comprehensive solution for collecting, analyzing, and acting on telemetry from your cloud and on-premises environments. This information helps you understand how your applications are performing and proactively identify issues affecting them and the resources they depend on.

What you can do with Azure Monitor includes:

 * Detect and diagnose issues across applications and dependencies with Application Insights.
 * Correlate infrastructure issues with VM insights and Container insights.
 * Drill into your monitoring data with Log Analytics for troubleshooting and deep diagnostics.
 * Support operations at scale with smart alerts and automated actions.
 * Create visualizations with Azure dashboards and workbooks.
 * Collect data from monitored resources using Azure Monitor Metrics.

![Azure Monitor](images\azure_monitor.png "Azure Monitor")

# Azure Service Health
---

Azure offers a suite of experiences to keep you informed about the health of your cloud resources. This information includes current and upcoming issues such as service impacting events, planned maintenance, and other changes that may affect your availability.

Azure Service Health is a combination of three separate smaller services.

Azure status informs you of service outages in Azure on the Azure Status page. The page is a global view of the health of all Azure services across all Azure regions. The status page is a good reference for incidents with widespread impact, but we strongly recommend that current Azure users leverage Azure service health to stay informed about Azure incidents and maintenance.

Service health provides a personalized view of the health of the Azure services and regions you're using. This is the best place to look for service impacting communications about outages, planned maintenance activities, and other health advisories because the authenticated Service Health experience knows which services and resources you currently use. The best way to use Service Health is to set up Service Health alerts to notify you via your preferred communication channels when service issues, planned maintenance, or other changes may affect the Azure services and regions you use.

Resource health provides information about the health of your individual cloud resources such as a specific virtual machine instance. Using Azure Monitor, you can also configure alerts to notify you of availability changes to your cloud resources. Resource Health along with Azure Monitor notifications will help you stay better informed about the availability of your resources minute by minute and quickly assess whether an issue is due to a problem on your side or related to an Azure platform event.

# D) Describe General Security And Network Security Features (10-15%)
---

# D1) Describe Azure Security Features
---

 * Describe basic features of Azure Security Center, including policy compliance, security alerts, secure score, and resource hygiene
 * Describe the functionality and usage of Key Vault
 * Describe the functionality and usage of Azure Sentinel
 * Describe the functionality and usage of Azure Dedicated Hosts

# Azure Security Center
---

Azure Security Center is a unified infrastructure security management system that is able to monitor and protect systems inside and outside Azure. It offers the following features:

 * Strengthen security
 * Protect against threats
 * Get secure faster

![Azure Security Center](images\security_center.png "Azure Security Center")

# Azure Key Vault
---

Azure Key Vault helps solve the following problems:

 * Secrets Management: Azure Key Vault can be used to securely store and tightly control access to tokens, passwords, certificates, API keys, and other secrets.
 * Key Management: Azure Key Vault can also be used as a Key Management solution. Azure Key Vault makes it easy to create and control the encryption keys used to encrypt your data.
 * Certificate Management: Azure Key Vault is also a service that lets you easily provision, manage, and deploy public and private Transport Layer Security/Secure Sockets Layer (TLS/SSL) certificates for use with Azure and your internal connected resources.

Azure Key Vault has two service tiers: Standard, which encrypts with a software key, and a Premium tier, which includes Hardware Security Module (HSM) protected keys.

# Azure Sentinel
---

Microsoft Azure Sentinel is a scalable, cloud-native, security information and event management (SIEM) and security orchestration, automation, and response (SOAR) solution. Azure Sentinel delivers intelligent security analytics and threat intelligence across the enterprise, providing a single solution for alert detection, threat visibility, proactive hunting, and threat response.

Azure Sentinel is your bird's-eye view across the enterprise, alleviating the stress of increasingly sophisticated attacks, increasing volumes of alerts, and long resolution time frames.

 * Collect data at cloud scale across all users, devices, applications, and infrastructure, both on-premises and in multiple clouds. 
 * Detect previously undetected threats, and minimize false positives using Microsoft's analytics and unparalleled threat intelligence. 
 * Investigate threats with artificial intelligence, and hunt for suspicious activities at scale, tapping into years of cyber security work at Microsoft. 
 * Respond to incidents rapidly with built-in orchestration and automation of common tasks.

# Azure Dedicated Hosts
---

Azure Dedicated Host provides physical servers that host one or more Azure virtual machines. Your server is dedicated to your organization and workloads—capacity isn’t shared with other customers. This host-level isolation helps address compliance requirements. As you provision the host, you gain visibility into (and control over) the server infrastructure, and you determine the host’s maintenance policies.

# D2) Describe Azure Network Security
---

 * Describe the concept of Defense In Depth.
 * Describe the functionality and usage of Network Security Groups (NSG).
 * Describe the functionality and usage of Azure Firewall.
 * Describe the functionality and usage of Azure DDoS protection.

# Defense In Depth
---

Azure Defense In Depth includes the following layers:

 * Data, e.g. virtual network endpoints.
 * Application, e.g. API Management.
 * Compute, e.g. limiting Remote Desktop access, Windows Update.
 * Network, e.g. NSGs, use of subnets, deny by default.
 * Perimeter, e.g. DDoS protection, firewalls.
 * Identity and Access, e.g. Azure AD.
 * Physical Security, e.g. door locks and key cards.

![Defense In Depth](images\defense_in_depth.png "Defense In Depth")

# Network Security Group (NSG)
---

A Network Security Group can be thought of as a stateful firewall that can be used to filter inbound and outbound access to and from Azure resources in an Azure virtual network. An NSG contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources. For each rule, you can specify source and destination, port, and protocol.

This is commonly known as "5 tuple":

 * Source IP address
 * Source port
 * Destination IP address
 * Destination port
 * Protocol

![Network Security Groups](images\nsg.png "Network Security Groups")

Network security group security rules are evaluated by priority using the 5-tuple information (source, source port, destination, destination port, and protocol) to allow or deny the traffic. You may not create two security rules with the same priority and direction. A flow record is created for existing connections. Communication is allowed or denied based on the connection state of the flow record. The flow record allows a network security group to be stateful. If you specify an outbound security rule to any address over port 80, for example, it's not necessary to specify an inbound security rule for the response to the outbound traffic. You only need to specify an inbound security rule if communication is initiated externally. The opposite is also true. If inbound traffic is allowed over a port, it's not necessary to specify an outbound security rule to respond to traffic over the port.

Existing connections may not be interrupted when you remove a security rule that enabled the flow. Traffic flows are interrupted when connections are stopped and no traffic is flowing in either direction, for at least a few minutes.

There are limits to the number of security rules you can create in a network security group.
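The following is an added illustration of the evaluation order described above, written for these notes and not taken from Azure itself: rules are matched on the 5-tuple in priority order (lowest number first), duplicate priority/direction pairs are rejected, a flow record admits the return traffic of an allowed connection, and the built-in DenyAll default applies when nothing matches. Rule names, addresses and priorities are constructed; service tags, port ranges and the other default rules are not modelled.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# A custom rule: priority 100-4096, lowest number evaluated first. "*" means any.
Rule = namedtuple("Rule", "name priority direction access protocol "
                          "source source_port destination destination_port")
Packet = namedtuple("Packet", "direction protocol src sport dst dport")


def _addr_match(pattern, addr):
    return pattern == "*" or ip_address(addr) in ip_network(pattern, strict=False)


def _port_match(pattern, port):
    return pattern == "*" or int(pattern) == port


def _rule_matches(rule, pkt):
    # All five tuple elements plus the direction must match for a rule to apply.
    return (rule.direction == pkt.direction
            and rule.protocol in ("*", pkt.protocol)
            and _addr_match(rule.source, pkt.src)
            and _port_match(rule.source_port, pkt.sport)
            and _addr_match(rule.destination, pkt.dst)
            and _port_match(rule.destination_port, pkt.dport))


class Nsg:
    def __init__(self, rules):
        seen = set()
        for r in rules:
            if (r.priority, r.direction) in seen:
                # Azure refuses two rules with the same priority and direction.
                raise ValueError(f"duplicate priority {r.priority} for {r.direction}")
            seen.add((r.priority, r.direction))
        self.rules = sorted(rules, key=lambda r: r.priority)
        self.flows = set()  # flow records of connections an Allow rule admitted

    def evaluate(self, pkt):
        # Return traffic of a recorded flow is admitted without consulting the
        # rules: this is what makes the NSG stateful.
        reverse = (pkt.protocol, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.flows:
            return "Allow (existing flow)"
        # Otherwise the first matching rule in priority order decides.
        for rule in self.rules:
            if _rule_matches(rule, pkt):
                if rule.access == "Allow":
                    self.flows.add((pkt.protocol, pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return f"{rule.access} ({rule.name})"
        # Nothing matched: the lowest-priority DenyAll default rule applies.
        return "Deny (DenyAll default)"


# Constructed sample rule set, not a real deployment.
SAMPLE_RULES = [
    Rule("allow-https-in", 100, "Inbound", "Allow", "Tcp", "*", "*", "10.0.0.0/24", "443"),
    Rule("deny-rdp-in", 110, "Inbound", "Deny", "Tcp", "*", "*", "*", "3389"),
    Rule("allow-web-out", 100, "Outbound", "Allow", "Tcp", "*", "*", "*", "80"),
]


def demo():
    nsg = Nsg(SAMPLE_RULES)
    web = nsg.evaluate(Packet("Outbound", "Tcp", "10.0.0.4", 51000, "203.0.113.10", 80))
    # The HTTP reply arrives on an ephemeral port no inbound rule mentions, yet
    # the flow record lets it through.
    reply = nsg.evaluate(Packet("Inbound", "Tcp", "203.0.113.10", 80, "10.0.0.4", 51000))
    rdp = nsg.evaluate(Packet("Inbound", "Tcp", "198.51.100.7", 40000, "10.0.0.4", 3389))
    ssh = nsg.evaluate(Packet("Inbound", "Tcp", "198.51.100.7", 40001, "10.0.0.4", 22))
    return web, reply, rdp, ssh
```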

# Azure Firewall
---

See APPLICATION PROTECTION SERVICES.

# Azure DDoS Protection
---

See APPLICATION PROTECTION SERVICES.

# E) Describe Identity, Governance, Privacy, and Compliance Features (20-25%)
---

# E1) Describe Core Azure Identity Services
---

 * Explain the difference between authentication and authorization.
 * Define Azure Active Directory.
 * Describe the functionality and usage of Azure Active Directory.
 * Describe the functionality and usage of Conditional Access, Multi-Factor Authentication (MFA), and Single Sign-On (SSO).

# Authentication vs Authorization
---

![Authentication vs Authorization](images\authentication_vs_authorization.png "Authentication vs Authorization")

# Azure Active Directory
---

Azure Active Directory (Azure AD) is Microsoft’s cloud-based identity and access management service, which helps your employees sign in and access resources in:

 * External resources, such as Microsoft 365, the Azure portal, and thousands of other SaaS applications.
 * Internal resources, such as apps on your corporate network and intranet, along with any cloud apps developed by your own organization. For more information about creating a tenant for your organization, see Quickstart: Create a new tenant in Azure Active Directory.

Azure AD powers other Microsoft services: Azure, Skype, Outlook, OneDrive, Xbox, Office 365 (Teams, SharePoint, Power BI), etc.

# Benefits of Azure Active Directory
---

 * Security
 * Reduced development time, easier support.
 * Multi-Factor Authentication (MFA)
 * Single Sign-On (SSO)
 * User-Access reviews
 * Just-in-time privilege elevation
 * Centralized reporting
 * Logging
 * Integration with other Azure services

# Azure Conditional Access
---

The modern security perimeter now extends beyond an organization's network to include user and device identity. Organizations can utilize these identity signals as part of their access control decisions.

Conditional Access is the tool used by Azure Active Directory to bring signals together, to make decisions, and to enforce organizational policies. Conditional Access is at the heart of the new identity-driven control plane.

Conditional Access policies at their simplest are if-then statements: if a user wants to access a resource, then they must complete an action. Example: a payroll manager wants to access the payroll application and is required to perform multi-factor authentication to access it.

Administrators are faced with two primary goals:

 * Empower users to be productive wherever and whenever.
 * Protect the organization's assets.

By using Conditional Access policies, you can apply the right access controls when needed to keep your organization secure and stay out of your users' way when not needed.

# Azure Multi-Factor Authentication (MFA)
---

Multi-factor authentication is a process where a user is prompted during the sign-in process for an additional form of identification, such as to enter a code on their cellphone or to provide a fingerprint scan.

If you only use a password to authenticate a user, it leaves an insecure vector for attack. If the password is weak or has been exposed elsewhere, is it really the user signing in with the username and password, or is it an attacker? When you require a second form of authentication, security is increased as this additional factor isn't something that's easy for an attacker to obtain or duplicate.

Azure AD Multi-Factor Authentication works by requiring two or more of the following authentication methods:

 * Something you know, typically a password.
 * Something you have, such as a trusted device that is not easily duplicated, like a phone or hardware key.
 * Something you are - biometrics like a fingerprint or face scan.

Users can register themselves for both self-service password reset and Azure AD Multi-Factor Authentication in one step to simplify the on-boarding experience. Administrators can define what forms of secondary authentication can be used. Azure AD Multi-Factor Authentication can also be required when users perform a self-service password reset to further secure that process.

# E2) Describe Azure Governance Features
---

 * Describe the functionality and usage of Role-Based Access Control (RBAC).
 * Describe the functionality and usage of resource locks.
 * Describe the functionality and usage of tags.
 * Describe the functionality and usage of Azure Policy.
 * Describe the functionality and usage of Azure Blueprints.
 * Describe the Cloud Adoption Framework for Azure.

# Azure Role-Based Access Control (RBAC)
---

Azure RBAC is an authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources.

Here are some examples of what Azure RBAC can do:

 * Allow one user to manage virtual machines in a subscription and another user to manage virtual networks.
 * Allow a DBA group to manage SQL databases in a subscription.
 * Allow a user to manage all resources in a resource group, such as virtual machines, websites, and subnets.
 * Allow an application to access all resources in a resource group.

# Azure Resource Locks
---

As an administrator, you can lock a subscription, resource group, or resource to prevent other users in your organization from accidentally deleting or modifying critical resources. The lock overrides any permissions the user might have.

You can set the lock level to CanNotDelete or ReadOnly. In the portal, the locks are called Delete and Read-only respectively.

 * CanNotDelete means authorized users can still read and modify a resource, but they can't delete the resource.
 * ReadOnly means authorized users can read a resource, but they can't delete or update the resource. Applying this lock is similar to restricting all authorized users to the permissions granted by the Reader role.

When you apply a lock at a parent scope, all resources within that scope inherit the same lock. Even resources you add later inherit the lock from the parent. The most restrictive lock in the inheritance takes precedence.

Unlike role-based access control, you use management locks to apply a restriction across all users and roles. To learn about setting permissions for users and roles, see Azure role-based access control (Azure RBAC).

Resource Manager locks apply only to operations that happen in the management plane, which consists of operations sent to https://management.azure.com. The locks don't restrict how resources perform their own functions. Resource changes are restricted, but resource operations aren't restricted. For example, a ReadOnly lock on a SQL Database logical server prevents you from deleting or modifying the server. It doesn't prevent you from creating, updating, or deleting data in the databases on that server. Data transactions are permitted because those operations aren't sent to https://management.azure.com.
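An added model of the lock behaviour described above (written for these notes, not Azure code): locks inherit down the scope chain, the most restrictive one wins, and only management-plane operations are affected. Scope paths are written as "subscription/resourceGroup/resource" and the sample lock placements are constructed.

```python
# Higher number = more restrictive; None means no lock at that scope.
RESTRICTIVENESS = {None: 0, "CanNotDelete": 1, "ReadOnly": 2}


def effective_lock(locks, scope):
    """Walk every ancestor of the scope (inheritance) and keep the strictest lock."""
    parts = scope.split("/")
    strongest = None
    for i in range(1, len(parts) + 1):
        candidate = locks.get("/".join(parts[:i]))
        if RESTRICTIVENESS[candidate] > RESTRICTIVENESS[strongest]:
            strongest = candidate
    return strongest


def is_allowed(locks, scope, plane, verb):
    """plane: "management" (a call to management.azure.com) or "data";
    verb: "read", "update" or "delete". Returns True when the lock permits it."""
    if plane == "data":
        return True   # locks never restrict what a resource does with its own data
    lock = effective_lock(locks, scope)
    if lock == "ReadOnly":
        return verb == "read"
    if lock == "CanNotDelete":
        return verb != "delete"
    return True       # no lock: RBAC alone decides (not modelled here)


# Constructed: a CanNotDelete lock on the resource group, ReadOnly on one SQL server.
SAMPLE_LOCKS = {
    "sub1/rg-prod": "CanNotDelete",
    "sub1/rg-prod/sqlserver1": "ReadOnly",
}


def demo():
    sql = "sub1/rg-prod/sqlserver1"
    vm = "sub1/rg-prod/vm-added-later"   # no lock of its own; inherits from rg-prod
    return {
        "delete sql server": is_allowed(SAMPLE_LOCKS, sql, "management", "delete"),
        "update sql server": is_allowed(SAMPLE_LOCKS, sql, "management", "update"),
        "read sql server": is_allowed(SAMPLE_LOCKS, sql, "management", "read"),
        "insert rows in a database": is_allowed(SAMPLE_LOCKS, sql, "data", "update"),
        "delete vm": is_allowed(SAMPLE_LOCKS, vm, "management", "delete"),
        "resize vm": is_allowed(SAMPLE_LOCKS, vm, "management", "update"),
    }
```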

# Azure Resource Tags
---

You apply tags to your Azure resources, resource groups, and subscriptions to logically organize them into a taxonomy. Each tag consists of a name and a value pair. For example, you can apply the name "Environment" and the value "Production" to all the resources in production. Tags can help with billing and support issues.

# Azure Policy
---

Azure Policy helps to enforce organizational standards and to assess compliance at-scale. Through its compliance dashboard, it provides an aggregated view to evaluate the overall state of the environment, with the ability to drill down to the per-resource, per-policy granularity. It also helps to bring your resources to compliance through bulk remediation for existing resources and automatic remediation for new resources.

Common use cases for Azure Policy include implementing governance for resource consistency, regulatory compliance, security, cost, and management. Policy definitions for these common use cases are already available in your Azure environment as built-ins to help you get started.

These are examples of built-in policies:

 * Require SQL Server 12.0.
 * Allowed Storage Account SKUs.
 * Allowed Locations.
 * Allowed Virtual Machine SKUs.
 * Apply tag and its default value.
 * Not allowed resource types.

All Azure Policy data and objects are encrypted at rest.

Azure Policy evaluates resources in Azure by comparing the properties of those resources to business rules. These business rules, described in JSON format, are known as policy definitions. To simplify management, several business rules can be grouped together to form a policy initiative (sometimes called a policySet). Once your business rules have been formed, the policy definition or initiative is assigned to any scope of resources that Azure supports, such as management groups, subscriptions, resource groups, or individual resources. The assignment applies to all resources within the Resource Manager scope of that assignment. Subscopes can be excluded, if necessary. For more information, see Scope in Azure Policy.

Azure Policy uses a JSON format to form the logic the evaluation uses to determine if a resource is compliant or not. Definitions include metadata and the policy rule. The defined rule can use functions, parameters, logical operators, conditions, and property aliases to match exactly the scenario you want. The policy rule determines which resources in the scope of the assignment get evaluated.
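The following is an added illustration for these notes, not Microsoft's evaluation engine: a minimal evaluator for the definition shape just described (parameters, a policyRule with an "if" condition and a "then" effect) using the real operators allOf/anyOf/not/equals/notEquals/in/notIn and the "location" and "type" field aliases. The definition is constructed after the built-in Allowed Locations policy but is not its exact text, and the assignment parameters and resources are constructed.

```python
import json

# Constructed after the built-in "Allowed locations" policy; not its exact text.
ALLOWED_LOCATIONS = json.loads("""
{
  "properties": {
    "displayName": "Allowed locations (constructed example)",
    "mode": "Indexed",
    "parameters": {"listOfAllowedLocations": {"type": "Array"}},
    "policyRule": {
      "if": {
        "allOf": [
          {"field": "location", "notIn": "[parameters('listOfAllowedLocations')]"},
          {"field": "location", "notEquals": "global"},
          {"field": "type", "notEquals": "Microsoft.Resources/resourceGroups"}
        ]
      },
      "then": {"effect": "deny"}
    }
  }
}
""")


def _norm(value):
    # Azure Policy string comparisons are case-insensitive.
    if isinstance(value, str):
        return value.lower()
    if isinstance(value, list):
        return [_norm(v) for v in value]
    return value


def _resolve(value, params):
    # Only the parameters('name') template function is supported in this toy.
    if isinstance(value, str) and value.startswith("[parameters('") and value.endswith("')]"):
        return params[value[len("[parameters('"):-len("')]")]]
    return value


def condition_holds(cond, resource, params):
    if "allOf" in cond:
        return all(condition_holds(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(condition_holds(c, resource, params) for c in cond["anyOf"])
    if "not" in cond:
        return not condition_holds(cond["not"], resource, params)
    # Leaf condition: one "field" alias plus exactly one comparison operator.
    actual = _norm(resource.get(cond["field"]))
    ops = {"equals": lambda a, e: a == e,
           "notEquals": lambda a, e: a != e,
           "in": lambda a, e: a in e,
           "notIn": lambda a, e: a not in e}
    op = next(k for k in cond if k != "field")
    return ops[op](actual, _norm(_resolve(cond[op], params)))


def evaluate(definition, params, resource):
    """Return the rule's effect when the 'if' block matches, else 'compliant'."""
    rule = definition["properties"]["policyRule"]
    if condition_holds(rule["if"], resource, params):
        return rule["then"]["effect"]
    return "compliant"


# Constructed assignment parameters and resources to evaluate.
PARAMS = {"listOfAllowedLocations": ["westeurope", "northeurope"]}
SAMPLE_RESOURCES = {
    "vm-in-eastus": {"type": "Microsoft.Compute/virtualMachines", "location": "eastus"},
    "storage-in-westeurope": {"type": "Microsoft.Storage/storageAccounts", "location": "WestEurope"},
    "rg-in-eastus": {"type": "Microsoft.Resources/resourceGroups", "location": "eastus"},
    "global-resource": {"type": "Microsoft.Network/trafficManagerProfiles", "location": "global"},
}


def demo():
    return {name: evaluate(ALLOWED_LOCATIONS, PARAMS, r) for name, r in SAMPLE_RESOURCES.items()}
```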

# Azure Blueprints
---

Just as a blueprint allows an engineer or an architect to sketch a project's design parameters, Azure Blueprints enables cloud architects and central information technology groups to define a repeatable set of Azure resources that implements and adheres to an organization's standards, patterns, and requirements. Azure Blueprints makes it possible for development teams to rapidly build and stand up new environments with trust they're building within organizational compliance with a set of built-in components, such as networking, to speed up development and delivery.

Blueprints are a declarative way to orchestrate the deployment of various resource templates and other artifacts such as:

 * Role Assignments
 * Policy Assignments
 * Azure Resource Manager templates (ARM templates)
 * Resource Groups

The Azure Blueprints service is backed by the globally distributed Azure Cosmos DB. Blueprint objects are replicated to multiple Azure regions. This replication provides low latency, high availability, and consistent access to your blueprint objects, regardless of which region Azure Blueprints deploys your resources to.

# Azure Cloud Adoption Framework (CAF)
---

The Cloud Adoption Framework is proven guidance that’s designed to help you create and implement the business and technology strategies necessary for your organization to succeed in the cloud. It provides best practices, documentation, and tools that cloud architects, IT professionals, and business decision makers need to successfully achieve their short and long-term objectives.

![Cloud Adoption Framework](images\adoption_framework.png "Cloud Adoption Framework")

# E3) Describe Privacy and Compliance Resources
---

 * Describe the Microsoft core tenets of Security, Privacy, and Compliance.
 * Describe the purpose of the Microsoft Privacy Statement, Product Terms site, and Data Protection Addendum (DPA).
 * Describe the purpose of the Trust Center.
 * Describe the purpose of the Azure compliance documentation.
 * Describe the purpose of Azure Sovereign Regions (Azure Government cloud services and Azure China cloud services).

# Azure Trusted Cloud
---

Azure Trusted Cloud is made of 5 components:

## Security

 * Azure is built with security in mind
 * Azure delivers tools and technologies to help organizations protect applications and data
 * Azure uses encryption
 * Azure offers advanced tools to detect and defend against security threats

## Privacy

 * You own all your data in Azure
 * Microsoft will not mine your data or use it for marketing
 * You control where the data is located and who has access
 * You can access your own data at any time for any reason
 * Microsoft follows a specific policy for government and law enforcement requests
 * Microsoft follows a specific policy to remove data if you discontinue using their service

## Compliance

 * Microsoft follows international standards and helps customers to follow those standards too if they wish
 * Azure has more than 90 compliance certifications
 * Azure follows more than 50 regional standards
 * Azure can help with standards in more than 35 industries like health care, government, finance, etc.

## Reliability and Resiliency

 * High availability
 * Disaster recovery
 * Backup

## Intellectual Property (IP) Protection

 * You can build your solutions on top of Azure's products and services
 * Azure offers specific protections against frivolous infringement claims

# Microsoft Privacy Statement
---

http://privacy.microsoft.com

# Data Protection Addendum
---

https://cdn-prod.opendemocracy.net/media/documents/Microsoft_Agreement_1.pdf 

# Trust Center
---

https://www.microsoft.com/en-us/trust-center 

# Azure Sovereign Regions
---

https://azure.microsoft.com/en-us/global-infrastructure/government/ 

# F) Describe Azure Cost Management And Service Level Agreements (10-15%)
---

# F1) Describe Methods For Planning And Managing Costs
---

 * Identify factors that can affect costs (resource types, services, locations, ingress and egress traffic).
 * Identify factors that can reduce costs (reserved instances, reserved capacity, hybrid use benefit, spot pricing).
 * Describe the functionality and usage of the Pricing calculator and the Total Cost of Ownership (TCO) calculator.
 * Describe the functionality and usage of Azure Cost Management.

# Azure Pricing
---

Though most Azure services are paid, there are some free services:

 * Resource Groups
 * Virtual Networks (up to 50)
 * Load Balancer (basic)
 * Azure Active Directory (basic)
 * Network Security Groups
 * Free-Tier Web Apps (up to 10)

All Azure inbound data traffic is free. The first 5 GB of outbound data are also free.

https://azure.microsoft.com/en-us/pricing/calculator/ 

# Best Practices For Reducing Azure Cost
---

 * Check Azure Advisor.
 * Configure Auto shutdown on Dev/QA resources.
 * Utilize cool/archive storage where possible.
 * Consider using Reserved and/or Hybrid Instances.
 * Configure alerts when billing exceeds an expected level.
 * Use Policy to restrict access to certain expensive resources.
 * Configure auto-scaling of resources.
 * Downsize resources when over-provisioned.
 * Ensure every resource has an owner (use tags to track billing ownership).
 * Consider Spot Pricing (ability to use a virtual machine when nobody is using it for a discounted price).

# Azure Pricing Calculators
---

https://azure.microsoft.com/en-us/pricing/calculator/ 

https://azure.microsoft.com/en-us/pricing/tco/calculator/ 

# Azure Cost Management
---

Azure Cost Management + Billing helps you understand your Azure invoice (bill), manage your billing account and subscriptions, monitor and control Azure spending and optimize resource use. Learn how to analyze costs, create and manage budgets, export data, and review and act on recommendations.

# F2) Describe Azure Service Level Agreements (SLAs) And Service Lifecycles
---

 * Describe the purpose of an Azure Service Level Agreement (SLA).
 * Identify actions that can impact an SLA (e.g. Availability Zones).
 * Describe the service lifecycle in Azure (Public Preview and General Availability).

# Azure Service Level Agreement (SLA)
---

https://azure.microsoft.com/en-us/support/legal/sla/ 

# Azure Preview Features
---

Azure preview features:

 * Are for testing and should not be used in production.
 * Have no SLA.
 * Can change significantly before going live.
 * May not go live.

There are public and private previews. Private previews require registration.

When a service in preview gets approved, it proceeds to General Availability (GA).