Azure(AZ-900)
===
# 1/6 Introduction to Azure fundamentals
* Azure Marketplace helps connect users with Microsoft partners, independent software vendors, and startups that are offering their solutions and services, which are optimized to run on Azure.
* Capital Expenditure (CapEx) is the up-front spending of money on physical infrastructure, and then deducting that up-front expense over time.
* Operational Expenditure (OpEx) is spending money on services or products now, and being billed for them now.
* Cloud service providers operate on a consumption-based model, which means that end users only pay for the resources that they use.
* Serverless computing enables developers to build applications faster by eliminating the need for them to manage infrastructure.
* Consumption based model
* Incur no up-front cost
* Costly infrastructure not needed.
* Pay for additional resources as needed.
* Stop paying for resources that are no longer needed.

* Azure regions
A region is a geographical area on the planet that contains at least one but potentially multiple datacenters that are nearby and networked together with a low-latency network.
* Availability zone
Availability zones are physically separate datacenters within an Azure region. Each availability zone is made up of one or more datacenters equipped with independent power, cooling, and networking. An availability zone is set up to be an isolation boundary.
* Region pair
An Azure region is always paired with another region within the same geography (such as US, Europe, or Asia) at least 300 miles away.
* Azure Resource Manager
Azure Resource Manager is the deployment and management service for Azure. It provides a management layer that enables you to create, update, and delete resources in your Azure account.
* An Azure subscription is a logical unit of Azure services that links to an Azure account. An Azure subscription is an object that represents a container that you can put resources in.
* Resource groups cannot be nested.
# 2/6 Describe core Azure services
## Explore Azure compute services
Azure compute services
* Functions
are ideal when you're concerned only about the code running your service and not the underlying platform or infrastructure.
* Azure Batch enables large-scale parallel and high-performance computing (HPC) batch jobs with the ability to scale to tens, hundreds, or thousands of VMs.
* Virtual machine scale sets let you create and manage a group of identical, load-balanced VMs. Imagine you're running a website that enables scientists to upload astronomy images that need to be processed.
* Azure logic app workflow starts with a trigger, which fires when a specific event happens or when newly available data meets specific criteria.
* With Functions, you write code to complete each step.
With Logic Apps, you use a GUI to define the actions and how they relate to one another.
* Azure Virtual Desktop is a desktop and application virtualization service that runs on the cloud. It enables your users to use a cloud-hosted version of Windows from any location.
* Azure Functions is used when you need to perform work in response to an event (often via a REST request), timer, or message from another Azure service, and when that work can be completed quickly, within seconds or less.
## Explore Azure networking services
* Azure virtual networks
enable Azure resources, such as VMs, web apps, and databases, to communicate with each other, with users on the internet, and with your on-premises client computers.
### Communicate between Azure resources
* Virtual networks
Virtual networks can connect not only VMs but other Azure resources, such as the App Service Environment for Power Apps, Azure Kubernetes Service, and Azure virtual machine scale sets.
* Service endpoints
You can use service endpoints to connect to other Azure resource types, such as Azure SQL databases and storage accounts. This approach enables you to link multiple Azure resources to virtual networks to improve security and provide optimal routing between resources.
### Communicate with on-premises resources
* Point-to-site virtual private networks
The typical approach to a virtual private network (VPN) connection is from a computer outside your organization, back into your corporate network. In this case, the client computer initiates an encrypted VPN connection to connect that computer to the Azure virtual network.
* Site-to-site virtual private networks
A site-to-site VPN links your on-premises VPN device or gateway to the Azure VPN gateway in a virtual network. In effect, the devices in Azure can appear as being on the local network. The connection is encrypted and works over the internet.
* Azure ExpressRoute
For environments where you need greater bandwidth and even higher levels of security, Azure ExpressRoute is the best approach. ExpressRoute provides dedicated private connectivity to Azure that doesn't travel over the internet.
* Peering enables resources in each virtual network to communicate with each other. These virtual networks can be in separate regions, which allows you to create a global interconnected network through Azure.
* Connect on-premises datacenters to virtual networks through a site-to-site connection.
Connect individual devices to virtual networks through a point-to-site connection.
Connect virtual networks to other virtual networks through a network-to-network connection.
* Policy-based VPNs
Policy-based VPN gateways specify statically the IP address of packets that should be encrypted through each tunnel. This type of device evaluates every data packet against those sets of IP addresses to choose the tunnel where that packet is going to be sent through.
* Route-based VPNs
If defining which IP addresses are behind each tunnel is too cumbersome, route-based gateways can be used. With route-based gateways, IPSec tunnels are modeled as a network interface or virtual tunnel interface.
* ExpressRoute lets you extend your on-premises networks into the Microsoft cloud over a private connection with the help of a connectivity provider. With ExpressRoute, you can establish connections to Microsoft cloud services, such as Microsoft Azure and Microsoft 365.
* A site-to-site virtual private network isn't an ExpressRoute model.
* ExpressRoute does provide private connectivity, but it isn't encrypted.
## Explore Azure Storage services
* Disk Storage
provides disks for Azure virtual machines. Applications and other services can access and use these disks as needed, similar to how they would in on-premises scenarios. Disk Storage allows data to be persistently stored and accessed from an attached virtual hard disk.
* Azure Blob storage fundamentals
Azure Blob Storage is an object storage solution for the cloud. It can store massive amounts of data, such as text or binary data.
* Azure Files offers fully managed file shares in the cloud that are accessible via the industry standard Server Message Block and Network File System (preview) protocols.
* Hot access tier: Optimized for storing data that is accessed frequently (for example, images for your website).
* Cool access tier: Optimized for data that is infrequently accessed and stored for at least 30 days (for example, invoices for your customers).
* Archive access tier: Appropriate for data that is rarely accessed and stored for at least 180 days, with flexible latency requirements (for example, long-term backups).
* You must create an Azure Storage account before you can use any Azure Storage features.
## Explore Azure database and analytics services
* Azure Cosmos DB is a globally distributed, multi-model database service. You can elastically and independently scale throughput and storage across any number of Azure regions worldwide.
* Azure SQL Database is a relational database based on the latest stable version of the Microsoft SQL Server database engine.
* Azure Database for MySQL is a relational database service in the cloud, and it's based on the MySQL Community Edition database engine, versions 5.6, 5.7, and 8.0.
* Azure Database for PostgreSQL is a relational database service in the cloud. The server software is based on the community version of the open-source PostgreSQL database engine.
* Azure SQL Managed Instance is a scalable cloud data service that provides the broadest SQL Server database engine compatibility with all the benefits of a fully managed platform as a service.
* Azure SQL Managed Instance makes it easy to migrate your on-premises data on SQL Server to the cloud using the Azure Database Migration Service (DMS) or native backup and restore.
### Explore big data and analytics
* Azure Synapse Analytics
Azure Synapse Analytics (formerly Azure SQL Data Warehouse) is a limitless analytics service that brings together enterprise-data warehousing and big-data analytics.
* Azure HDInsight
Azure HDInsight is a fully managed, open-source analytics service for enterprises. It's a cloud service that makes it easier, faster, and more cost-effective to process massive amounts of data.
* Azure Databricks
Azure Databricks helps you unlock insights from all your data and build artificial intelligence solutions.
* Azure Data Lake Analytics
Azure Data Lake Analytics is an on-demand analytics job service that simplifies big data. Instead of deploying, configuring, and tuning hardware, you can write queries to transform your data and extract valuable insights.
* Azure Cosmos DB supports SQL, MongoDB, Cassandra, Tables, and Gremlin APIs.
* Azure Database for MySQL is the logical choice for existing LAMP stack applications.
# 3/6 Describe the core solutions and management tools on Azure
Azure IoT Hub
Azure IoT Hub is a managed service that's hosted in the cloud and that acts as a central message hub for bi-directional communication between your IoT application and the devices it manages.
Azure IoT Central
Azure IoT Central builds on top of IoT Hub by adding a dashboard that allows you to connect, monitor, and manage your IoT devices.
Azure Sphere
Azure Sphere creates an end-to-end, highly secure IoT solution for customers that encompasses everything from the hardware and operating system on the device to the secure method of sending messages from the device to the message hub.
Azure Machine Learning is a platform for making predictions. It consists of tools and services that allow you to connect to data to train and test models to find one that will most accurately predict a future result. After you've run experiments to test the model, you can deploy and use it in real time via a web API endpoint.
Azure Cognitive Services provides prebuilt machine learning models that enable applications to see, hear, speak, understand, and even begin to reason. Use Azure Cognitive Services to solve general problems, such as analyzing text for emotional sentiment or analyzing images to recognize objects or faces.
While Azure Machine Learning requires you to bring your own data and train models over that data, Azure Cognitive Services, for the most part, provides pretrained models so that you can bring in your live data to get predictions on.
Azure Bot Service and Bot Framework are platforms for creating virtual agents that understand and reply to questions just like a human. Azure Bot Service is a bit different from Azure Machine Learning and Azure Cognitive Services in that it has a specific use case. Namely, it creates a virtual agent that can intelligently communicate with humans.
With the Azure Functions service, you can host a single method or function written in a popular programming language in the cloud, where it runs in response to an event. An example of an event might be an HTTP request, a new message on a queue, or a message on a timer.
Logic Apps is a low-code/no-code development platform hosted as a cloud service. The service helps you automate and orchestrate tasks, business processes, and workflows when you need to integrate apps, data, systems, and services across enterprises or organizations.
Azure Repos is a centralized source-code repository where software development, DevOps engineering, and documentation professionals can publish their code for review and collaboration.
Azure Boards is an agile project management suite that includes Kanban boards, reporting, and tracking ideas and work from high-level epics to work items and issues.
Azure Pipelines is a CI/CD pipeline automation tool.
Azure Artifacts is a repository for hosting artifacts, such as compiled source code, which can be fed into testing or deployment pipeline steps.
Azure Test Plans is an automated test tool that can be used in a CI/CD pipeline to ensure quality before a software release.
GitHub is a lighter-weight tool than Azure DevOps, with a focus on individual developers contributing to the open-source code. Azure DevOps, on the other hand, is more focused on enterprise development, with heavier project-management and planning tools, and finer-grained access control.
Azure DevTest Labs
provides an automated means of managing the process of building, setting up, and tearing down virtual machines (VMs) that contain builds of your software projects.
GitHub has lightweight project-management features that allow you to assign tasks to a user.
Azure Pipelines is a CI/CD tool for building an automated toolchain. It lacks features to assign tasks for individual developers to work on. However, it can automate other tools to assign tasks to users.
Azure PowerShell
Azure PowerShell is a shell with which developers and DevOps and IT professionals can execute commands called cmdlets (pronounced command-lets).
The Azure CLI
The Azure CLI command-line interface is an executable program with which a developer, DevOps professional, or IT professional can execute commands in Bash.
ARM templates
Although it's possible to write imperative code in Azure PowerShell or the Azure CLI to set up and tear down one Azure resource or orchestrate an infrastructure comprising hundreds of resources, there's a better way to implement this functionality.
If you or your cloud administrators come from a Windows administration background, it's likely you'll prefer PowerShell. If you or your cloud administrators come from a Linux administration background, it's likely you'll prefer the Azure CLI.
The Azure CLI enables you to use Bash to run one-off tasks on Azure.
The Azure portal is a great place for newcomers to learn about Azure and set up their first resources.
ARM templates are the best infrastructure-as-code option for quickly and reliably setting up your entire cloud infrastructure declaratively.
Azure Advisor evaluates your Azure resources and makes recommendations to help improve reliability, security, and performance, achieve operational excellence, and reduce costs.
Azure Monitor is a platform for collecting, analyzing, visualizing, and potentially taking action based on the metric and logging data from your entire Azure and on-premises environment.
Azure Service Health provides a personalized view of the health of the Azure services, regions, and resources you rely on.
If you want to keep tabs on Azure itself, especially the services and regions you depend on, you want to choose Azure Service Health. You can view the current status of the Azure services you rely on, upcoming planned outages, and services that will be sunset.
If you want to keep track of the performance or issues related to your specific VM or container instances, databases, your applications, and so on, you want to visit Azure Monitor and create reports and notifications to help you understand how your services are performing or diagnose issues related to your Azure usage.
Azure Advisor can alert you when new recommendations are available.
Azure Monitor offers alerts, but not for new optimization recommendations.
Azure Service Health is not the platform used by Application Insights, nor does it provide monitoring for VMs, containers, and Kubernetes.
Azure Monitor is the platform used by Application Insights.
# 4/6 Protect against security threats on Azure
Azure Security Center is a monitoring service that provides visibility of your security posture across all of your services, both on Azure and on-premises. The term security posture refers to cybersecurity policies and controls, as well as how well you can predict, prevent, and respond to security threats.
You can also use adaptive application controls to define rules that list allowed applications to ensure that only applications you allow can run.
In the Resource security hygiene section, Tailwind Traders can see the health of its resources from a security perspective. To help prioritize remediation actions, recommendations are categorized as low, medium, and high.
Secure score is based on security controls, or groups of related security recommendations. Your score is based on the percentage of security controls that you satisfy. The more security controls you satisfy, the higher the score you receive.
Adaptive network hardening
Security Center can monitor the internet traffic patterns of the VMs, and compare those patterns with the company's current network security group (NSG) settings.
Workflow automation uses Azure Logic Apps and Security Center connectors. The logic app can be triggered by a threat detection alert or by a Security Center recommendation, filtered by name or by severity. You can then configure the logic app to run an action, such as sending an email, or posting a message to a Microsoft Teams channel.
Azure Sentinel is Microsoft's cloud-based SIEM system. It uses intelligent security analytics and threat analysis.
Azure Sentinel can use Azure Monitor Workbooks to automate responses to threats.
Azure Key Vault is a centralized cloud service for storing an application's secrets in a single, central location. It provides secure access to sensitive information by providing access control and logging capabilities.
Some organizations must follow regulatory compliance that requires them to be the only customer using the physical machine that hosts their virtual machines. Azure Dedicated Host provides dedicated physical servers to host your Azure VMs for Windows and Linux.
## Secure network connectivity on Azure
The principle of least privilege means restricting access to information only to individuals explicitly granted access, at only the level that they need to perform their work.
Azure Firewall is a managed, cloud-based network security service that helps protect resources in your Azure virtual networks.
Azure DDoS Protection (Standard) helps protect your Azure resources from DDoS attacks.
A network security group enables you to filter network traffic to and from Azure resources within an Azure virtual network. You can think of NSGs like an internal firewall. An NSG can contain multiple inbound and outbound security rules that enable you to filter traffic to and from resources by source and destination IP address, port, and protocol.
Azure Firewall enables you to limit outbound HTTP/S traffic to a specified list of fully qualified domain names (FQDNs).
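The NSG description above says rules filter by source and destination IP, port, and protocol. The following added example (not code from the notes or from Microsoft) models how an NSG actually decides a packet: rules are tried in ascending priority number, the first match wins, and the default rules (AllowVnetInBound 65000, AllowAzureLoadBalancerInBound 65001, DenyAllInBound 65500, real priorities) sit behind every custom rule. It goes a step beyond the text with an audit helper that flags rules a higher-priority rule makes unreachable. The VNet CIDR, the rule sets and the packets are constructed for the demo; the VirtualNetwork service tag is approximated by one CIDR.

```python
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int       # custom rules use 100-4096; the lowest number is tried first
    direction: str      # "Inbound" or "Outbound"
    access: str         # "Allow" or "Deny"
    protocol: str       # "Tcp", "Udp", "Icmp" or "*"
    source: str         # CIDR or "*"
    dest: str           # CIDR or "*"
    dest_port: str      # "22", "80-443" or "*"

@dataclass(frozen=True)
class Packet:
    direction: str
    protocol: str
    src_ip: str
    dst_ip: str
    dst_port: int

# Assumption: the VirtualNetwork service tag is approximated by one CIDR.
VNET = "10.0.0.0/16"

# Azure's built-in default inbound rules with their real priorities. They are
# evaluated after every custom rule, so a custom Deny at 300 beats them.
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", VNET, VNET, "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "168.63.129.16/32", "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*"),
]

def _ip_match(pattern: str, ip: str) -> bool:
    return pattern == "*" or ip_address(ip) in ip_network(pattern, strict=False)

def _port_bounds(pattern: str) -> tuple[int, int]:
    lo, _, hi = pattern.partition("-")
    return int(lo), int(hi or lo)

def _port_match(pattern: str, port: int) -> bool:
    if pattern == "*":
        return True
    lo, hi = _port_bounds(pattern)
    return lo <= port <= hi

def _proto_match(pattern: str, proto: str) -> bool:
    return pattern == "*" or pattern.lower() == proto.lower()

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction
            and _proto_match(rule.protocol, pkt.protocol)
            and _ip_match(rule.source, pkt.src_ip)
            and _ip_match(rule.dest, pkt.dst_ip)
            and _port_match(rule.dest_port, pkt.dst_port))

def evaluate(rules: list[Rule], pkt: Packet) -> tuple[str, str]:
    """The first matching rule in ascending priority order decides. Returns (access, rule name)."""
    for rule in sorted(rules + DEFAULT_RULES, key=lambda r: r.priority):
        if rule_matches(rule, pkt):
            return rule.access, rule.name
    return "Deny", "<no rule>"   # unreachable for inbound: DenyAllInBound matches everything

def _covers(wide: Rule, narrow: Rule) -> bool:
    """True if every packet matched by `narrow` would already be matched by `wide`."""
    def ip_cov(w: str, n: str) -> bool:
        if w == "*" or n == "*":
            return w == "*"
        return ip_network(w, strict=False).supernet_of(ip_network(n, strict=False))
    def port_cov(w: str, n: str) -> bool:
        if w == "*" or n == "*":
            return w == "*"
        (wl, wh), (nl, nh) = _port_bounds(w), _port_bounds(n)
        return wl <= nl and nh <= wh
    return (wide.direction == narrow.direction
            and _proto_match(wide.protocol, narrow.protocol)
            and ip_cov(wide.source, narrow.source)
            and ip_cov(wide.dest, narrow.dest)
            and port_cov(wide.dest_port, narrow.dest_port))

def shadowed_rules(rules: list[Rule]) -> list[str]:
    """Audit helper: rules that can never fire because a higher-priority rule covers them."""
    ordered = sorted(rules, key=lambda r: r.priority)
    return [r.name for i, r in enumerate(ordered) if any(_covers(e, r) for e in ordered[:i])]

# Constructed rule set for a web VM: HTTPS from anywhere, SSH only from an admin
# network, every other SSH source denied (including peers inside the VNet).
WEB_RULES = [
    Rule("AllowHttpsInBound", 100, "Inbound", "Allow", "Tcp", "*", "*", "443"),
    Rule("AllowSshFromAdminNet", 200, "Inbound", "Allow", "Tcp", "203.0.113.0/24", "*", "22"),
    Rule("DenyAllSshInBound", 300, "Inbound", "Deny", "Tcp", "*", "*", "22"),
]
# Constructed misconfiguration: the Deny at 350 shadows the Allow at 400.
BROKEN_RULES = [
    Rule("DenyRdpInBound", 350, "Inbound", "Deny", "Tcp", "*", "*", "3389"),
    Rule("AllowRdpFromAdminNet", 400, "Inbound", "Allow", "Tcp", "203.0.113.0/24", "*", "3389"),
]
```

Note that a VNet-internal SSH attempt is denied by the custom rule at 300 even though AllowVnetInBound would have allowed it, because custom rules always come first.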
# 5/6 Secure access to your applications by using Azure identity services
Conditional Access is a tool that Azure Active Directory uses to allow (or deny) access to resources based on identity signals.
SSO enables a user to remember only one ID and one password to access multiple applications.
Authenticating through multifactor authentication can include something the user knows, something the user has, and something the user is.
Role-based access control is applied to a scope, which is a resource or set of resources that this access applies to.
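To make the "applied to a scope" point concrete, here is an added example (not code from the notes or from Microsoft) that models Azure RBAC scope inheritance: an assignment at a subscription or resource group reaches every resource ID beneath it, access is additive across assignments, and a role's NotActions subtract from its Actions (the way the built-in Contributor role cannot grant access). The role definitions are simplified subsets of the built-in roles, the subscription ID is a placeholder, and the principals and resource IDs are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass
from fnmatch import fnmatchcase

@dataclass(frozen=True)
class RoleDefinition:
    name: str
    actions: frozenset[str]                     # Azure-style wildcard patterns, e.g. "*/read"
    not_actions: frozenset[str] = frozenset()   # subtracted from actions within this role only

@dataclass(frozen=True)
class RoleAssignment:
    principal: str
    role: str
    scope: str   # resource ID the role applies to; everything below it inherits the assignment

# Assumption: trimmed-down versions of three built-in roles.
ROLES = {
    "Reader": RoleDefinition("Reader", frozenset({"*/read"})),
    "Virtual Machine Contributor": RoleDefinition(
        "Virtual Machine Contributor",
        frozenset({"Microsoft.Compute/virtualMachines/*",
                   "Microsoft.Resources/subscriptions/resourceGroups/read"})),
    "Contributor": RoleDefinition(
        "Contributor", frozenset({"*"}),
        frozenset({"Microsoft.Authorization/*/Write", "Microsoft.Authorization/*/Delete"})),
}

def scope_contains(scope: str, resource_id: str) -> bool:
    """An assignment at `scope` covers the scope itself and every child resource ID."""
    scope, resource_id = scope.lower(), resource_id.lower()
    return resource_id == scope or resource_id.startswith(scope.rstrip("/") + "/")

def _pattern_hit(patterns: frozenset[str], action: str) -> bool:
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def role_permits(role: RoleDefinition, action: str) -> bool:
    return _pattern_hit(role.actions, action) and not _pattern_hit(role.not_actions, action)

def is_allowed(principal: str, action: str, resource_id: str,
               assignments: list[RoleAssignment]) -> bool:
    """RBAC is additive: one applicable assignment whose role permits the action is enough."""
    return any(a.principal == principal
               and scope_contains(a.scope, resource_id)
               and role_permits(ROLES[a.role], action)
               for a in assignments)

def effective_roles(principal: str, resource_id: str,
                    assignments: list[RoleAssignment]) -> list[str]:
    """Roles that reach this resource through inheritance; handy for least-privilege reviews."""
    return sorted({a.role for a in assignments
                   if a.principal == principal and scope_contains(a.scope, resource_id)})

# Constructed scope hierarchy (placeholder subscription ID).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG_WEB = SUB + "/resourceGroups/rg-web"
RG_DATA = SUB + "/resourceGroups/rg-data"
VM_WEB = RG_WEB + "/providers/Microsoft.Compute/virtualMachines/vm-web-01"
SQL_DATA = RG_DATA + "/providers/Microsoft.Sql/servers/sql-01"

ASSIGNMENTS = [
    RoleAssignment("alice", "Reader", SUB),                         # can read everything
    RoleAssignment("bob", "Virtual Machine Contributor", RG_WEB),   # manages VMs in one RG only
    RoleAssignment("carol", "Contributor", RG_WEB),                 # broad, but cannot grant access
]
```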
You can set the lock level to CanNotDelete or ReadOnly.
Azure Blueprints enables you to define the set of standard Azure resources that your organization requires. For example, you can define a blueprint that specifies that a certain resource lock must exist. Azure Blueprints can automatically replace the resource lock if that lock is removed.
Azure Policy is a service in Azure that enables you to create, assign, and manage policies that control or audit your resources. These policies enforce different rules across all of your resource configurations so that those configurations stay compliant with corporate standards.
With Azure Blueprints, you can define a repeatable set of governance tools and standard Azure resources that your organization requires.
The Cloud Adoption Framework for Azure provides you with proven guidance to help with your cloud adoption journey. The Cloud Adoption Framework helps you create and implement the business and technology strategies needed to succeed in the cloud.
Tags provide extra information, or metadata, about your resources. The team might create a tag that's named BillingDept whose value would be the name of the billing department. You can use Azure Policy to ensure that the proper tags are assigned when resources are provisioned.
The Microsoft Privacy Statement explains what personal data Microsoft collects, how Microsoft uses it, and for what purposes.
The Online Services Terms (OST) is a legal agreement between Microsoft and the customer. The OST details the obligations by both parties with respect to the processing and security of customer data and personal data.
The Trust Center showcases Microsoft's principles for maintaining data integrity in the cloud and how Microsoft implements and supports security, privacy, compliance, and transparency in all Microsoft cloud products and services.
The Azure compliance documentation provides you with detailed documentation about legal and regulatory standards and compliance on Azure.
Azure Government is a separate instance of the Microsoft Azure service. It addresses the security and compliance needs of US federal agencies, state and local governments, and their solution providers.
Azure China 21Vianet is operated by 21Vianet. It's a physically separated instance of cloud services located in China. Azure China 21Vianet is independently operated and transacted by Shanghai Blue Cloud Technology Co., Ltd. ("21Vianet"), a wholly owned subsidiary of Beijing 21Vianet Broadband Data Center Co., Ltd.
The Microsoft Privacy Statement provides information that's relevant to specific services, including Cortana.
The Trust Center is a great resource for people in your organization who might play a role in security, privacy, and compliance.
The compliance documentation provides reference blueprints, or policy definitions, for common standards that you can apply to your Azure subscription.
# 6/6 Azure Cost Management and Service Description Standard
The TCO Calculator helps you estimate the cost savings of operating your solution on Azure over time compared to operating in your on-premises datacenter.
Azure subscriptions
1. Free trial
2. Pay-as-you-go
3. Member offers
Azure status provides a global view of the health of Azure services and regions. If you suspect there's an outage, this is often a good place to start your investigation.
The service lifecycle defines how every Azure service is released for public use.
After the AR service reaches general availability (GA), the team can roll it out to production.
Notes from the internet
=========
AZ-104 Microsoft Azure Administrator (Course Introduction)
---------------------------------------------------------------------
https://www.youtube.com/watch?v=YLBqNKitICg&list=PLQupF2rE3mCeSSF5ks8tsGZaRuqvXAOKo
Day 1 - Fundamentals of Cloud Computing & Microsoft Azure
---------------------------------------------------------------------
https://www.youtube.com/watch?v=IC7DxEFK_NQ
Training: Azure 900 fundamentals for education
---------------------------------------------------------------------
https://info.microsoft.com/US-AzureApp-CATALOG-FY20-05May-12-TrainingAzure900fundamentalsforeducation-SRDEM15957_CatalogDisplayPage.html?fbclid=IwAR0E3ahbcZfbyiTLhHMS_AAYGUTULGetPLfSb55eLRQMZVobgnBeronXTY0
1. Cloud Concepts : -
-------------------------------------------------------------------------------------------------------------------------------
Compute Power -
Linux Server, Web app
Storage -
Networking -
VPN, Peering
Analytics -
Visualize Telemetry & Performance Data
Key Concepts -
High Availability - Ability to keep the business up and running with no or minimal downtime
Scalability - To increase or decrease resources to match the workload
Elasticity - Automatic way of increasing or decreasing resources to match the workload
Agility - Ability to react quickly
Fault Tolerance - Remain running despite failure (Built-in Redundancy)
Disaster Recovery - Recover from events that take down a cloud service
Global Reach - Reach users all over the world
Predictive Cost -
Tech Skill - Allow customers to quickly deploy solutions without in-house hardware expertise
Increased Productivity - No need for racking and stacking of hardware
Security -
Economies of Scale -
Ability to reduce costs while improving efficiency as a result of operating at a large scale.
Capital Expenditure (CapEx)-
Upfront expenditure on physical infrastructure
Operational Expenditure (OpEx)-
No upfront cost; pay-as-you-go model
All cloud providers are OpEx model
Consumption based model -
Incur no up-front cost
Costly infrastructure not needed.
Pay for additional resources as needed.
Stop paying for resources that are no longer needed.
Public Cloud -
No Capital expenditure
Increased Agility
Pay as you go model / OpEx model
No maintenance required
Fewer in-house skills needed.
Less control over security
Unmet compliance requirements
Lack of ownership can be seen as disadvantage
Private Cloud -
Control - Retained by org.
Security - Controlled by org.
Compliance - managed by org.
Upfront CapEx cost
Less Agile
Maintenance and skillset needed.
Hybrid Cloud -
Flexible solution
Cost Management
Security & Control
Compliance
Upfront CapEx
Maintenance and Skillset needed
Management Complexity
Shared Responsibility Model -
IaaS -
Costs :
No upfront
Pay as you go
User Ownership :
Customers are responsible for the purchase, installation, configuration and management of their own OS, apps & middleware
Cloud Provider Ownership :
Cloud provider is responsible for the underlying infrastructure
Common Use Case :
Workload Migration , Dev & Testing , Website Hosting, Backup & Recovery
PaaS -
Provides an environment that can be used to quickly build, test and deploy apps.
No need to be concerned about infrastructure
Costs :
No upfront
Pay as you go
User Ownership :
Customers are responsible for their own app development.
Customers are not responsible for managing infrastructure or servers
Cloud Provider Ownership :
Cloud provider is responsible for OS management, network and service configuration
Cloud provider is responsible for everything except the application that the customer wants to run.
Common Use Case :
Development Framework, Analytics and BI,
SaaS -
SaaS provides centrally hosted and managed software for end users, who access the software over the internet.
E.g. Microsoft Office 365, email, Microsoft Teams, Microsoft Dynamics CRM Online
Costs :
No upfront
Subscription based
User Ownership :
Customers only uses app
Customers are not responsible for management and maintenance of the app
Cloud Provider Ownership :
Cloud provider provisions and manages the app
Common Use Case :
Development Framework, Analytics and BI,
2. Core Azure Services and Products : -
-------------------------------------------------------------------------------------------------------------------------------
Azure Compute Service - VM, Scale Set, App Service, Azure Functions
Azure Container Service - Container Instance, Azure Kubernetes Service,
Azure Network Service - Virtual Network, LB, VPN Gateway, App Gateway, CDN (Content Delivery Network)
Azure Data Categories -
Azure Storage Service - Disk Storage, Azure Blob, Azure Files, Queues, Tables
Azure Database Service - Cosmos DB,Azure SQL DB, Azure Migration Tool,
Management Tools -
MarketPlace -
Core Architecture Concept -
Region - Collection of DataCenter
Provide flexibility and Scale
Preserve data residency
Regions offer compliance and resiliency
Global Service -
Azure Active Directory
Azure Traffic Manager
Microsoft Azure DNS
Region Pair - 300 mile separation between datacenters in a regional pair
Physical Isolation
Platform - Provided replication
Priority Recovery
Sequential Updates
Data Residency
Geographies -
Typically contain two or more region
Categorized - Americas , Europe, Asia Pacific, Middle East, Africa
Availability Options -
Single VM (99.9% with premium storage)
Availability Set (Fault Domain - Protecting against failure within a DataCenter) (99.95%)
Availability Zone (AZ - Protection from loss of an entire DataCenter) (99.99%)
Region Pairs (Multi Region Disaster Recovery)
Availability Set -
Keep application online during maintenance or Hardware Failure
Update Domain -
Scheduled maintenance, performance or security updates are sequenced through update domain
Update domain is logical section of a particular data center
Fault Domain
Creates physical separation of workloads across different hardware within a Datacenter
Availability Zone -
Physically separate locations within an Azure region.
Resource Group (Compartment)-
Is a logical management grouping of resources in Azure
Container for multiple resource that share same life cycle
Aggregate resources into single manageable unit
Metering & Billing at resource group level
Apply and manage policies at resource group level
Monitoring and Alerts at resource group level
Quota management at resource group level
Access Control at resource group level
Each resource belongs to a single resource group; it can't belong to multiple resource groups
A resource group can contain resources that reside in different regions
Azure Resource Manager -
Provides a management layer that enables you to create, update and delete resources in your Azure subscription.
Automation Tool
PowerShell, Azure CLI, Azure Portal, REST API, Client SDK
Azure Compute Service -
Azure VM
Virtualized version of a physical server. Also used for containers and Kubernetes
OS Disk option - Standard HDD,Standard SSD, Premium SSD
Data Disk -
VM Scale Set
A set of identically-configured virtual machines
Support true autoscale
Scale manual or automatic or combination of both
App Service
Is a PaaS offering to build, deploy and scale enterprise-grade web, mobile and API apps
Fully managed platform
No infrastructure maintenance
Azure Function
A code only section
Often used when you need to perform some task based on event/message/timer from other resources.
Azure Container Service -
Azure supports Docker containers and Microsoft containers
Azure Container Instance
A PaaS offering that allows you to upload your container
Azure Kubernetes Service
A container orchestrator service for managing large numbers of containers
Azure Network Service -
Azure Virtual Network
Azure Virtual Network allows several types of Azure resources, like Azure VMs, to securely communicate with one another, with the internet, and with on-prem networks
Scoped to Single region
Connect multiple Virtual Networks from different regions using virtual network peering
Provides isolation, segmentation, and communication between on-prem and cloud resources
You can also route and filter network traffic
Content Delivery Network
Distributed network of Servers
Used to share more efficiently web content to users
Load Balancer
Scale applications and create high availability
Supports inbound and outbound scenarios
Load balances incoming internet traffic and internal traffic across Azure resources
Port forwarding specific traffic
VPN Gateway
VPN Gateway is a virtual network gateway used to send encrypted traffic over the internet between on-prem and Azure virtual networks
Application Gateway
Is a web traffic load balancer that you can use to manage traffic to your web application
When users connect to the web application through the app gateway, you can route traffic based on the source IP address and port to a destination IP and port
Include WAF (Web Application Firewall)
Added feature - Session affinity & redirection
Azure Data Categories -
Structured Data - Relational Database
Semi-Structured Data - NoSQL Database, JSON, HTML
Unstructured Data - PDF, Videos, Images
Azure Storage Services - (To use a storage service you need to create a storage account first.)
Disk Storage (IaaS)
Persistent hard disks that VMs and App Services can access
Two flavors - managed and unmanaged
Available in different sizes and performance tiers (Standard HDD, Standard SSD, Premium SSD)
Disks are available local to servers
Containers / Blob Storage (PaaS)
Object storage solution
Optimized for storing lots of unstructured data
Use it when you need to store images and documents, database backups, or streaming files
File Storage (IaaS) (network file shares accessed via the SMB protocol)
Set up highly available network file shares
Accessed from anywhere with the SMB protocol
Azure Files can be accessed from anywhere in the world using a URL that points to the file and includes a shared access signature (SAS) token
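Because a SAS URL is a bearer credential, the first thing to check on any share link is what it grants and for how long. The following is an added example (not from these notes or from Microsoft's SDKs) that parses the standard SAS query parameters (sp, sr, st, se, spr, sig) out of a constructed URL with a placeholder signature and flags broad permissions, long lifetimes and HTTP access; the hostname, path and 7-day threshold are assumptions.

```python
# Added example: inspect an Azure Files / Blob SAS URL and flag settings a defender
# would question. The URL, hostname and signature below are constructed placeholders.
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse, parse_qs

# Meaning of the standard SAS query parameters this example reads.
PERMISSION_NAMES = {"r": "read", "w": "write", "d": "delete", "l": "list",
                    "c": "create", "a": "add", "u": "update", "p": "process"}
RESOURCE_NAMES = {"f": "file", "s": "share", "b": "blob", "c": "container"}

# Constructed sample: a file SAS with read/write/delete, a one-year lifetime,
# and both HTTPS and HTTP permitted. The sig value is not a real signature.
CONSTRUCTED_URL = (
    "https://contoso.file.core.windows.net/reports/q3/summary.pdf"
    "?sv=2021-06-08&sr=f&sp=rwd&st=2022-11-07T00:00:00Z&se=2023-11-07T00:00:00Z"
    "&spr=https,http&sig=PLACEHOLDER_SIGNATURE"
)


def _parse_time(value):
    # SAS times are ISO 8601 in UTC, e.g. 2022-11-07T00:00:00Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_sas(url):
    """Split a SAS URL into the pieces that matter for a security review."""
    parts = urlparse(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return {
        "path": parts.path,
        "permissions": [PERMISSION_NAMES.get(ch, ch) for ch in q.get("sp", "")],
        "resource": RESOURCE_NAMES.get(q.get("sr", ""), q.get("sr", "unknown")),
        "start": _parse_time(q["st"]) if "st" in q else None,
        "expiry": _parse_time(q["se"]) if "se" in q else None,
        # When spr is absent Azure permits both protocols, so treat that as not HTTPS-only.
        "https_only": q.get("spr", "https,http") == "https",
        "signed": "sig" in q,
    }


def review_sas(info, now, max_lifetime=timedelta(days=7)):
    """Return a list of findings; an empty list means nothing stood out."""
    findings = []
    if not info["signed"]:
        findings.append("no sig parameter: this is not a valid SAS token")
    if info["expiry"] is None:
        findings.append("no expiry (se): token never expires")
    elif info["expiry"] <= now:
        findings.append("token already expired")
    elif info["expiry"] - now > max_lifetime:
        findings.append("lifetime exceeds %d days" % max_lifetime.days)
    if {"write", "delete"} & set(info["permissions"]):
        findings.append("grants write/delete: prefer read-only for sharing links")
    if not info["https_only"]:
        findings.append("HTTP allowed: token can be sent in the clear")
    return findings


def review_sas_url(url, now_iso):
    """Convenience wrapper: review a SAS URL as of a given UTC time string."""
    return review_sas(parse_sas(url), _parse_time(now_iso))


if __name__ == "__main__":
    for finding in review_sas_url(CONSTRUCTED_URL, "2022-11-07T12:00:00Z"):
        print("-", finding)
```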
Azure Queue (PaaS)
Store and retrieve messages; a message can be up to 64 KB in size.
Queues are normally used to store lists of messages that need to be processed asynchronously
Azure Table (PaaS)
NoSQL data store
Designed for large amounts of structured (non-relational) data
Scales to petabytes of data
Azure Database Services (PaaS) -
Azure Cosmos DB
A globally distributed database service that enables you to elastically and independently scale throughput and storage
Can be used to store data that is updated and maintained by users all over the world.
Azure SQL Database
A relational database as a service (DaaS) based on the latest stable version of the Microsoft SQL Server database engine
Fully managed service, hence no need to maintain the underlying infrastructure
Azure Database Migration Service
The service uses the Microsoft Data Migration Assistant (MDMA)
Azure Database for MySQL
Azure Database for PostgreSQL
Azure Database for MariaDB
Azure Cache for Redis
SQL Server on Virtual Machines
Azure Synapse Analytics
Reincarnation of Azure SQL Data Warehouse plus new features and functionality
Combines data warehousing and big data analytics
4 components - SQL Analytics, Spark, Data Integration, Studio
Azure Data Explorer
Table Storage
Key Azure Management Tools -
Azure Portal
Can be accessed through a link over the internet
Does not offer a way to automate repetitive tasks
Azure Advisor
A free service built into Azure that provides recommendations on high availability, security, performance and cost
Azure PowerShell
Most used command-line tool
Azure PowerShell needs Windows PowerShell to run
Connect to an Azure subscription
Eg - New-AzVm -ResourceGroupName "" -Name "" -Image ""
Azure CLI
A cross-platform command-line program (can be run on Windows, Linux and macOS) that you can use to connect to Azure and execute admin commands against Azure resources.
Eg - az vm create --resource-group "" --name "" --image "" --generate-ssh-keys
Azure Cloud Shell
Browser-based scripting environment
Azure Mobile App
Azure REST API
Service endpoints that support a set of HTTP operations or methods.
Provide create, update, delete and retrieve access to the service's resources
A REST API defines a set of functions that developers can use to perform requests and receive responses via the HTTP protocol, using methods like GET and POST
Azure Marketplace -
Connects end users with Microsoft partners, Independent Software Vendors (ISVs) and startups that offer solutions and services for Azure
3. Azure Solutions : -
-------------------------------------------------------------------------------------------------------------------------------
IoT (Internet of Things)
Ability to use devices to collect data and then relay that data to a hub for further analysis
Azure IoT Central
A fully managed global IoT SaaS solution that makes it easy to connect, monitor and manage your IoT assets at scale
Azure IoT Hub
A managed service hosted in Azure that acts as a central message hub for bidirectional communication between IoT applications and devices
IoT Hub supports multiple messaging patterns to control your IoT devices from the cloud:
File upload from devices
Device-to-cloud telemetry
Request-reply methods
IoT Hub monitoring helps organizations maintain the health of their IoT solutions by allowing them to track events like device creation failures
Big Data & Analytics
Azure SQL Data Warehouse
A cloud-based enterprise data warehouse that leverages massively parallel processing (MPP) to run complex queries across petabytes of data
Azure HDInsight
An open source analytics service for enterprises that makes it easier to process massive amounts of data
Faster and more cost effective than traditional solutions
Azure HDInsight supports popular open source frameworks and cluster types like Apache Hadoop, Apache Spark and Apache Kafka
Azure HDInsight also supports ETL, data warehousing, IoT and machine learning
Azure Data Lake Analytics
Azure Data Lake Analytics is an on-demand analytics job service
No infrastructure setup needed. Just write queries to transform data and extract insights from it.
Scale up or down by choosing how much power you need, and pay only while the job is running
Azure Databricks
Azure Databricks is an Apache Spark analytics platform optimized specially for Microsoft Azure
Tightly integrated with Azure; provides one-click setup and streamlined workflows
Example -
Data can be ingested into Azure in batches through Azure Data Factory, or streamed using Event Hubs or IoT Hub; that data lands in Data Lake or Blob Storage
Using Azure Databricks as part of the analytics workflow, you can read that data and create insights using Spark
Use Databricks to read data from multiple data sources like Blob Storage, Data Lake, Cosmos DB and SQL Data Warehouse
Artificial Intelligence
A wide range of services, including Machine Learning, which is considered the core service
Machine Learning
A technique that allows computers to leverage existing data to forecast future behaviours or outcomes
Azure Machine Learning
Provides a cloud-based environment used to develop, train, test, deploy, manage and track machine learning models
Azure Machine Learning supports open source frameworks
Azure Machine Learning Studio
Azure Machine Learning Studio is a collaborative drag-and-drop visual workspace where you can build, test and deploy machine learning solutions without needing to write code
Serverless Computing
Configure serverless apps to respond to certain triggers, such as an event, a message or a periodic timer
Azure Functions
With Azure Functions, your code is what runs the service, not the underlying platform or infrastructure
Perfect solution when demand is variable
Azure Functions are stateless; if state needs to be preserved, an Azure Function can be connected to the Azure Storage service
Azure Event Grid
A fully managed intelligent event routing service that uses a publish-subscribe model for uniform event consumption
Built-in support for events coming from Azure services like Storage blobs and resource groups
Supports custom non-Azure events in near real time via custom topics
Azure Logic Apps
A cloud service that helps you automate and orchestrate tasks, business processes and workflows when you need to integrate apps, data, systems and services
Simplifies the design and build-out of scalable solutions
Designed in a web-based designer, so workflows can be set up to execute based on events without writing extra code
Azure DevOps
Azure DevOps Services
Provides development collaboration tools including pipelines, Git repositories, Kanban boards, and extensive automated and cloud-based load testing
Azure DevTest Labs Service
Allows you to quickly create environments in Azure while minimizing waste and controlling cost
Azure Sphere
A comprehensive IoT solution that provides a secured, connected microcontroller unit (MCU), a custom Linux-based OS and a cloud-based security service
A combination of hardware, software & security
You can use the Azure Sphere MCU, its OS and its application platform to create secured, internet-connected devices that can be updated, controlled, monitored and maintained remotely.
Azure App Service
Quickly and easily build web and mobile apps for any platform or device.
Allows you to not only build and host web apps but also build and host mobile back ends and RESTful APIs
Advantages
Multiple languages and frameworks
DevOps optimization
Global scale with HA
Connections to SaaS and on-premises data
Security and compliance
Application templates
Visual Studio integration
API and mobile features
Serverless code
4. Security Privacy Compliance and Trust : -
-------------------------------------------------------------------------------------------------------------------------------
Azure Firewall
Azure DDoS Protection
Network Security Group
Application Security Group
Security posture is defined by 3 main principles
Confidentiality : principle of least privilege
Integrity : prevention of unauthorized changes to information
Availability : ensure services remain online for authorized users
Defense in Depth
Layered approach
Physical Security - physical access to the data center
Identity and Access Management - control access to infrastructure and change control
Perimeter - DDoS protection
Network - user segmentation and access control to limit communication between resources
Compute - secure access to VMs
Application - each individual app is secure
Securing Network Connectivity
Azure Firewall
Microsoft-managed network security service in Azure that protects Azure Virtual Network resources
Uses a static public IP to represent the virtual network resources behind it
Fully integrated with Azure Monitor
Built-in HA
Unrestricted cloud scalability
Inbound and outbound filtering rules
Azure Monitor logging
Deploying Azure Firewall on a central virtual network allows you to control general network access
Azure Firewall allows you to configure application rules that control which FQDNs can be accessed from a subnet
Azure DDoS Protection
Two tiers
Basic : automatically enabled in Azure
Standard
Network Security Group (NSG)
Filters network traffic to and from Azure resources connected to Azure virtual networks
Consists of inbound and outbound rules that filter traffic to and from resources by source and destination IP, port and protocol
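What the notes do not show is how those rules interact: an NSG evaluates rules in priority order (lowest number first), the first match decides, and Azure appends a DenyAllInBound default rule at priority 65500. The following is an added example (not from these notes or from Azure itself) that models that evaluation over a constructed inbound rule set for a web subnet; the addresses, subnet ranges and rule names are assumptions, and service tags such as VirtualNetwork are not modelled.

```python
# Added example: a small evaluator that mimics how an NSG decides whether inbound
# traffic is allowed. Rules are evaluated by ascending priority and the first match
# wins. All addresses and rule names below are constructed for illustration.
import ipaddress


def _port_matches(spec, port):
    # spec is "*", a single port such as "22", or a range such as "8000-8080"
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(x) for x in spec.split("-"))
        return lo <= port <= hi
    return int(spec) == port


def _addr_matches(spec, addr):
    # spec is "*" or a CIDR such as "10.0.0.0/24"; service tags are out of scope here
    if spec == "*":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def _proto_matches(spec, proto):
    return spec == "*" or spec.lower() == proto.lower()


# Constructed inbound rules for a web tier in 10.0.1.0/24: HTTPS from anywhere, SSH only
# from a management subnet, an explicit SSH deny, and a deliberately broad TCP allow at a
# higher priority number to show that the earlier deny still wins for port 22.
INBOUND_RULES = [
    {"name": "AllowHttpsInternet", "priority": 100, "access": "Allow", "protocol": "Tcp",
     "source": "*", "dest": "10.0.1.0/24", "dest_port": "443"},
    {"name": "AllowSshFromMgmt", "priority": 200, "access": "Allow", "protocol": "Tcp",
     "source": "10.0.250.0/24", "dest": "10.0.1.0/24", "dest_port": "22"},
    {"name": "DenySshAnywhere", "priority": 300, "access": "Deny", "protocol": "Tcp",
     "source": "*", "dest": "*", "dest_port": "22"},
    {"name": "AllowAnyTcp", "priority": 400, "access": "Allow", "protocol": "Tcp",
     "source": "*", "dest": "*", "dest_port": "*"},
    # Azure's built-in default: anything not matched above is denied
    {"name": "DenyAllInBound", "priority": 65500, "access": "Deny", "protocol": "*",
     "source": "*", "dest": "*", "dest_port": "*"},
]


def evaluate(rules, src_ip, dst_ip, dst_port, protocol="Tcp"):
    """Return (access, rule_name) for the first rule that matches, in priority order."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if (_proto_matches(rule["protocol"], protocol)
                and _addr_matches(rule["source"], src_ip)
                and _addr_matches(rule["dest"], dst_ip)
                and _port_matches(rule["dest_port"], dst_port)):
            return rule["access"], rule["name"]
    raise ValueError("no rule matched; a real NSG always ends with a default rule")


if __name__ == "__main__":
    # 203.0.113.0/24 is a documentation range standing in for an internet client
    for src, port, proto in (("203.0.113.9", 443, "Tcp"), ("203.0.113.9", 22, "Tcp"),
                             ("10.0.250.5", 22, "Tcp"), ("203.0.113.9", 53, "Udp")):
        print(src, port, proto, evaluate(INBOUND_RULES, src, "10.0.1.10", port, proto))
```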
Application Security Group (ASG)
Configure network security as an extension of an application's structure
When you use ASGs you can group servers with similar port filtering requirements, and group together servers with a similar function, such as web servers
Perimeter - Azure DDoS Protection + Azure Firewall
Network layer - NSG
You can combine
NSG + Azure Firewall
Application Gateway + WAF + Azure Firewall
Core Azure Identity Services
Azure Active Directory
Azure Active Directory is Microsoft's Azure-based identity and access management service
Authentication
Single sign-on
Application management : manage applications both on-premises and in the cloud using Azure AD Application Proxy and SSO
Business to Business (B2B) : manage guest users and external partners
Business to Customer (B2C) : customize how users sign in
Device management
Azure MFA (Multi-Factor Authentication)
Provides added security for user authentication by requiring two or more elements for authentication
Security Tools & Features
Azure Security Center
An Azure-based monitoring service used to provide threat protection for services in Azure and on-premises
Continuously monitors all services and performs automatic security assessments
Uses ML to detect and block malware
Allows you to whitelist applications that you need to run
Analyzes and identifies possible inbound attacks and investigates threats
Two service tiers - Free & Standard
Azure Key Vault
Stores application secrets in a centralized cloud location to securely control access permissions and access logging
Use cases
Secret management
Key management
Certificate management
Store secrets backed by an HSM (Hardware Security Module)
Azure Information Protection
Classify and protect documents and emails by applying labels
Azure Advanced Threat Protection (ATP)
Microsoft security solution used to identify, detect and investigate advanced threats and compromised identities
Also used to track down malicious insider actions that are directed at an organization
Made of 3 components
Azure ATP Portal : dedicated portal for monitoring and responding to suspicious activity
Azure ATP Sensor : sensor installed directly on domain controllers
Azure ATP Cloud Service : cloud service that runs in Azure
Azure Sentinel
A cloud-based solution that offers Security Information and Event Management (SIEM) & Security Orchestration, Automation and Response (SOAR)
Provides intelligent security analytics and threat intelligence across the enterprise
All-in-one solution for alert detection, threat visibility, proactive hunting and threat response
Collects data at cloud scale across all users, devices, applications and infrastructure, both on-premises and in multiple clouds
Connect existing data sources using the available data connectors, including ATP, Microsoft 365, Azure AD and Microsoft Cloud App Security
Azure Governance Methodologies
Azure Policy
Used to create, assign and manage policies that enforce different rules and effects over resources
Includes several built-in policies and initiatives
Azure Policy can also be integrated with Azure DevOps
Implementing Azure Policy
Create a definition - define what needs to be evaluated and what action to take
Assign the definition - a policy definition that has been assigned to a specific scope
Review results -
Policy evaluation happens once an hour
Policy Initiatives
Initiative definition : groups multiple policy definitions into a single unit
Initiative assignment : assigned to a specific scope, reducing the need to create an initiative definition for each scope
Role Based Access Control (RBAC)
Provides fine-grained access management for Azure resources
Resource Lock
Used to prevent accidental deletion or modification of Azure resources. Locks are managed within the Azure Portal
Azure Blueprints
Used to define repeatable sets of Azure resources that implement and adhere to standards, patterns and requirements
Monitoring & Reporting
Azure Tags
Used to logically organize your Azure resources
Azure Monitor
Allows you to collect, analyze and act upon telemetry from both cloud and on-premises environments
Monitoring data that you collect for applications is split into several buckets or tiers
Monitoring Data
Guest OS monitoring data
Azure resource monitoring data
Azure subscription monitoring data
Azure tenant monitoring data
Azure Service Health
Provides personalized guidance and support whenever issues with Azure services affect you
Three key components of Azure Service Health
Azure Status : global view of the health of Azure services
Service Health : customizable dashboard to track the state of your Azure services; tracks active events like ongoing service issues, upcoming planned maintenance, or health advisories
Azure Resource Health : helps you diagnose issues and obtain support when an Azure service issue affects your resources
Monitoring Apps & Services
Monitoring data only helps you if you can use it to gain visibility into the operation of your computing environment.
You can integrate Azure Monitor with other Azure services to improve data monitoring and gain better insight into operations
Features of Azure Monitor are organized into four key categories
Analyze : Application Insights (for web apps), Azure Monitor for Containers, Azure Monitor for VMs
Respond : email and text (alerts), automated processes (autoscale)
Visualize :
Integrate :
Privacy, Compliance and Data Protection
Microsoft Privacy Statement
Trust Center
A website that provides information and details outlining how Microsoft implements and supports security, privacy, compliance and transparency in all Microsoft cloud products and services
Service Trust Portal (STP)
STP hosts the Compliance Manager service. It is where Microsoft publishes audit reports and other compliance-related info.
Use STP to download
Audit reports
Compliance Manager
A workflow-based risk assessment dashboard within the Trust Portal used to track, assign and verify regulatory compliance activities
Risk assessment
Provides recommendations
Azure Government Services
Address the security and compliance needs of many US federal agencies, state and local governments, and their solution providers
Azure China 21Vianet
5. Azure Pricing & Support
-------------------------------------------------------------------------------------------------------------------------------
Azure Subscription
An Azure subscription is a logical unit of Azure services linked to an Azure account, which is an identity in Azure AD
An account can have one subscription or multiple subscriptions
Eg, an Azure account has a Dev subscription, a Test subscription and a Prod subscription
An Azure subscription can be used as a billing boundary or an access control boundary (Azure applies access management policies at the subscription level)
Select an Offer
Pay-As-You-Go Dev/Test
Visual Studio Enterprise : BizSpark
Visual Studio Professional
Organization Structure
The organization structure for resources in Azure consists of four levels
Management Group - container that helps you manage access, policy and compliance for multiple subscriptions
Subscription - groups together user accounts and the resources that have been created by those user accounts
Resource Group - a logical container that you deploy resources to
Resource - an instance of a service that you create
Planning & Managing Cost
3 key kinds of customers
Enterprise customer - pays Azure custom prices and pays yearly
Web Direct customer - pays public prices and pays monthly
Cloud Solution Provider (CSP) - Microsoft partners that have been selected to build Azure solutions
Factors that Affect Cost
Resource type
Service
Location
Zone and Billing
Data transfer into Azure datacenters is free
Outbound data transfer costs money; outbound data costs are based on zones
A zone is a geographical grouping of Azure regions - Zone 1, Zone 2, Zone 3, DE Zone 1
Azure Pricing Calculator
TCO Calculator (Total Cost of Ownership)
Allows you to estimate the cost savings that you can realize by migrating your workloads to Azure
Minimizing Cost
Cost analysis - use the Azure Pricing Calculator & TCO Calculator
Monitor usage - Azure Advisor identifies unused and under-utilized resources and makes recommendations
Spending limits - designed to help prevent you from exhausting the credits on your account within each billing period
Reservations - discounted prices on certain products / resources if you pay in advance
Location / region - choose low-cost locations and regions when deploying resources
Cost-saving offers - stay up to date with the latest Azure customer and subscription offers
Leverage tags - apply tags to resources and use those tags to organize billing data
Azure Cost Management
A set of tools that you can use to monitor, allocate and optimize your Azure costs
Budget alerts, forecast future usage
Azure Support Options
Basic Support
Developer Support
Standard Support
Professional Direct Support
Alternative Support Channels
MSDN Azure forums
Stack Overflow
Server Fault
Microsoft Azure General Feedback
@AzureSupport (Twitter)
Knowledge Center
Service Level Agreement
Describes how Microsoft will respond in the event of an Azure product or service failure that results in a missed SLA
Application SLA
Azure customers can use application SLAs to evaluate how their own Azure solutions are meeting their business requirements
Service Life Cycle in Azure
Public & Private Preview Features
Microsoft offers previews of certain Azure services, features and functionality. Through Azure Previews you can test these pre-release offerings
Private Preview
Available to certain Azure customers
Public Preview
Available to all
General Availability
Once a feature is evaluated and tested successfully, it may be released to customers
Azure Updates
Provides the latest information about updates to Azure products, services, features and product roadmaps
===
Official site questions
2022/11/7
Read-access geo-redundant storage
RA-GRS allows you to have higher read availability for your storage account by providing "read-only" access to the data replicated to the secondary location.
This is the most basic category of cloud computing services. With IaaS, you rent IT infrastructure—servers and virtual machines (VMs), storage, networks, and operating systems—from a cloud provider on a pay-as-you-go basis.
The basic advantage of cloud computing is shifting your high Capital Expenditure (CapEx) requirements to the optimal Pay-As-You-Go model, which is Operational Expenditure (OpEx).
Machine Learning Studio (classic) is a drag-and-drop tool you can use to build, test, and deploy predictive analytics solutions.
https://docs.microsoft.com/bs-cyrl-ba/azure/machine-learning/classic/
ARM template.
https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/overview
Azure DevTest Labs.
A Point-to-Site (P2S) VPN gateway connection lets you create a secure connection to your virtual network from an individual client computer.
Azure Government is the mission-critical cloud, delivering breakthrough innovation to US government customers and their partners. Only US federal, state, local, and tribal governments and their partners have access to this dedicated instance.
Azure AD Identity Protection.
https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-sign-in-risk-policy
Traditionally, IT expenses have been considered a Capital Expenditure (CapEx). Today, with the move to the cloud and the pay-as-you-go model, organizations have the ability to stretch their budgets and are shifting their IT CapEx costs to Operating Expenditures (OpEx) instead. This flexibility, in accounting terms, is now an option due to the "as a Service" model of purchasing software, cloud storage and other IT related resources.
When an Azure virtual machine is stopped, you don't pay for the virtual machine. However, you do still pay for the storage costs associated to the virtual machine.
The most common storage costs are for the disks attached to the virtual machines. There are also other storage costs associated with a virtual machine such as storage for diagnostic data and virtual machine backups.
When you are implementing a Software as a Service (SaaS) solution, you are responsible for configuring the SaaS solution. Everything else is managed by the cloud provider.
Fault tolerance is the ability of a system to continue to function in the event of a failure of some of its components.
Azure App Service -> PaaS
Azure Storage -> PaaS
Azure Storage ACCOUNTS -> IaaS
https://azure.microsoft.com/en-us/overview/what-is-iaas/
Azure App Service is a platform-as-a-service (PaaS) offering that lets you create web and mobile apps for any platform or device and connect to data anywhere, in the cloud or on-premises. App Service includes the web and mobile capabilities that were previously delivered separately as Azure Websites and Azure Mobile Services.
References:
https://docs.microsoft.com/en-us/azure/security/fundamentals/paas-applications-using-app-services
Azure virtual machines are Infrastructure as a Service (IaaS).
Azure SQL databases are Platform as a Service (PaaS).
First, the question is not asking to get rid of the already existing on-premises server. Second, we need to optimize the service as well as cut the cost. So we use a little bit of the cloud (cheaper) in addition to the physical servers we have, which is the hybrid approach.
Azure Site Recovery helps ensure business continuity by keeping business apps and workloads running during outages. Site Recovery replicates workloads running on physical and virtual machines (VMs) from a primary site to a secondary location.
Fault tolerance is the ability of a service to remain available after a failure of one of the components of the service. For example, a service running on multiple servers can withstand the failure of one of the servers.
Disaster recovery is the recovery of a service after a failure. For example, restoring a virtual machine from backup after a virtual machine failure.
Dynamic scalability is the ability for compute resources to be added to a service when the service is under heavy load. For example, in a virtual machine scale set, additional instances of the virtual machine are added when the existing virtual machines are under heavy load.
Latency is the time a service takes to respond to requests. For example, the time it takes for a web page to be returned from a web server. Low latency means low response time, which means a quicker response.
Azure web apps, Azure logic apps and Azure SQL databases are all examples of Platform as a Service (PaaS).
B: Microsoft have no control over the applications you run on the virtual machines. Therefore, it is your responsibility to ensure that application data is backed up.
D: Microsoft do not manage the operating systems you run on the virtual machines. Therefore, it is your responsibility to ensure that the operating systems are updated.
E: Microsoft have no control over the shared folders you host on the virtual machines. Therefore, it is your responsibility to ensure that folder permissions are configured appropriately.
A hybrid cloud is a combination of a private cloud and public cloud. Therefore, to create a hybrid cloud, you must deploy resources to a public cloud.
You cannot add physical servers to the public cloud. You can only deploy virtual servers in the public cloud. You can extend a private cloud by deploying virtual servers in a public cloud. This would create a hybrid cloud.
Q#23/PAGE4: "A Platform as a Service (PaaS) solution provides additional memory to apps by changing pricing tiers." --> ANSWER:NO
Q #31/PAGE7: "A platform as a service (PaaS) solution that hosts web apps in Azure can be provided with additional memory by changing the pricing tier." --> ANSWER: YES
Each resource can exist in only one resource group.
Resources from multiple different regions can be placed in a resource group. The resource group only contains metadata about the resources it contains.
https://azure.microsoft.com/en-us/overview/what-is-saas/
https://azure.microsoft.com/en-us/overview/what-is-iaas/
https://azure.microsoft.com/en-us/overview/what-is-paas/
Azure Cosmos DB is an example of a platform as a service (PaaS) cloud database provider.
Building a data center infrastructure is capital expenditure, not operational expenditure.
OpEx is ongoing costs (costs of operations) such as leasing software. If you purchased software as a one-off purchase, that would be CapEx, but leasing software is ongoing so it's OpEx.
"Custom app" in the first line tells that it can't be SaaS.
"Multiple installations" in the last line of the question tells that it can't be PaaS.
In PaaS, you don't install stuff; only application files and data are to be given in PaaS.
The option left is IaaS.
Platform as a service (PaaS) is a complete development and deployment environment in the cloud. PaaS includes infrastructure (servers, storage, and networking) but also middleware, development tools, business intelligence (BI) services, database management systems, and more. PaaS is designed to support the complete web application lifecycle: building, testing, deploying, managing, and updating.
However, virtual machines are examples of Infrastructure as a Service (IaaS). IaaS is an instant computing infrastructure, provisioned and managed over the internet.
Azure Cosmos DB is a fully managed platform-as-a-service (PaaS).
IaaS -> Azure Virtual Machines, Azure Storage Accounts
PaaS -> Azure App Service, Azure SQL Database, Azure Cosmos DB, Azure Synapse Analytics
SaaS -> Outlook email, Calendar, Microsoft Office 365
SaaS provides a complete software solution which you purchase on a pay-as-you-go basis from a cloud service provider. You rent the use of an app for your organization and your users connect to it over the Internet, usually with a web browser. All of the underlying infrastructure, middleware, app software and app data are located in the service provider's data center. The service provider manages the hardware and software and with the appropriate service agreement, will ensure the availability and the security of the app and your data as well.
https://azure.microsoft.com/en-gb/overview/what-is-iaas/
https://azure.microsoft.com/en-gb/overview/what-is-paas/
https://azure.microsoft.com/en-gb/overview/what-is-saas/
Virtualization is the key to cloud computing, since it is the enabling technology allowing the creation of an intelligent abstraction layer which hides the complexity of underlying hardware or software.

Simply put, cloud computing is the delivery of computing services, including servers, storage, databases, networking, software, analytics, and intelligence, over the Internet ("the cloud") to offer faster innovation, flexible resources, and economies of scale.
You set up disaster recovery for Azure VMs using Azure Site Recovery.
Vertical scaling, also known as scale up and scale down, means increasing or decreasing virtual machine (VM) sizes in response to a workload. Compare this behavior with horizontal scaling, also referred to as scale out and scale in, where the number of VMs is altered depending on the workload.
All Azure resource types have a scope that defines the level that resource names must be unique. A resource must have a unique name within its scope.
It seems that in these questions designed by Microsoft it always follows this thinking pattern:
Regions > Zones > Data Centre.
When you see a question like this with the keyword Zone AUTOMATICALLY you think protecting or managing data centers!