# A Cloud Guru AZ-900
1. Introduction
    - Azure Advisor
        - Save cost and increase infrastructure reliability
    - ARM templates
2. Cloud Compute
    - The language of Cloud Computing
        - High Availability: VMs can spin up fast to help process requests.
        - Fault Tolerance: resilience, zero downtime
        - Disaster Recovery: catastrophic disaster, plan to recover, specific points
        - Scalability: add more resources when needed (scaling out = more of the same type, scale up = upgrade, scale down = downgrade)
        - Elasticity: ability to quickly expand or decrease computing resources, not just VMs (scaling)
        - Agility: the ability to rapidly develop, test and launch software applications that drive business growth
    - The Economy of Cloud Computing
        - Capital Expenditure: money spent by a business or organization on acquiring or maintaining fixed assets. Large upfront investments
        - Operational Expenditure: ongoing cost for running a product, business, or system on a day-to-day basis, including annual costs. Pay as you go
        - Consumption-based pricing lets you pay only for what you use
    - Cloud Service Models
        - Infrastructure-as-a-Service
        - Platform-as-a-Service
            - Superset of IaaS
            - PaaS supports the web application life cycle
            - Avoids software license hell
        - Software-as-a-Service
            - Providing a managed service
            - Pay an access fee to use
            - No maintenance, and always the latest features
        - Serverless
            - Extreme PaaS
        - Table of differences
    - Shared Responsibility Model
    - Azure Marketplace
        - Azure Marketplace is:
        - Benefits:
    - Cloud Architecture Models
        - Private Cloud is Azure on your own hardware in a location of your choice.
        - Public Cloud is Azure, AWS, GCP.
        - Hybrid Cloud is the best of private and public, but can be complex
3. Azure Architecture
    - Regions and Availability Zones
        - Region definition
            - A set of data centers
            - Latency-defined perimeter
            - Regional low-latency network
        - How to choose a region
            - Choose a region closest to your users
            - Some features aren't available in all regions
            - Prices of services vary by region
        - Paired regions
            - Each region is paired with another
            - If the primary region has an outage you can fail over to the secondary region (outage failover)
            - Planned updates (only one region in a pair is updated at any one time)
            - Replication
        - Availability Zones (AZ)
            - Physical location
            - Independent
            - Zones (each region has a minimum of 3 zones)
    - Resource Groups and Azure Resource Manager
        - Resource group facts
            - One resource can only exist in a single resource group
            - Can add or remove resources to a resource group at any time
            - You can move a resource from one resource group to another
            - Resources from multiple regions can be in one resource group
            - Can give users access to a resource group and everything in it
            - Resources in a resource group can interact with resources in other resource groups
            - A resource group has a location or region, as it stores metadata about the resources in it
        - Azure Resource Manager (ARM)
            - Contains not only VMs but also the components of a VM (an IP address, for example)
4. Compute
    - Virtual Machines
        - A virtual machine is your machine exclusively
        - You don't buy, own or control any hardware
        - Virtual machines are an **IaaS** offering
        - Azure virtual machines take advantage of Azure tools
        - Pricing goes up as resources go up, and you pay by the hour
    - Scale Sets (equivalent to Auto Scaling in AWS)
        - Group of identical, load-balanced VMs
        - Benefits
        - Exam tips
            - Scale sets are identical VMs and can be activated or deactivated as needed
            - A baseline VM for the scale set ensures application stability. A baseline VM is what you copy to make up the scale set VMs.
            - As resource usage increases, more VMs are activated to take the load.
            - You only pay for the VM, storage and networking resources you use. Nothing additional for scale sets.
    - App Services
        - Comes in three categories
            - Web Apps
                - Run on both Windows and Linux platforms
                - Support many programming languages
                - Azure integration for easier deployment
                - Auto-scaling and load balancing
            - Web Apps for Containers
                - Deploy and run containerized applications in Azure
            - API Apps
                - Expose and connect your data backend
        - App Services are a PaaS offering
    - Azure Container Instances (ACI)
        - Primary Azure service for running container workloads
        - On demand = save $$$
        - Works with your tool of choice
    - Azure Kubernetes Service (AKS)
        - Kubernetes is an open-source container orchestration system for automating application deployment, scaling and management
        - Benefits:
            - Replicate container architectures
            - Standard Azure services included
            - Global reach
    - Azure Container Registry (ACR)
        - Keeps track of current valid container images
        - Manages files and artifacts for containers
        - Feeds container images to ACI and AKS
        - Uses Azure identity and security features
    - Azure Virtual Desktop
        - Azure Virtual Desktop is a completely virtualized version of Windows
        - Benefits
            - Reuse Windows 10 licenses
            - Concurrency (multiple users can use the same VM)
            - Access anywhere on any device with an internet browser
            - Secure data
    - Azure Functions
        - Benefits
            - Only runs when needed
            - Saves money
            - Resilience
5. Networking
    - Virtual Network (VNet)
        - Address space (similar to CIDR)
        - Subnets
            - Resource grouping
            - Address allocation
            - Subnet security
        - Subnet regions and subscriptions
            - A VNet belongs to a single region. Every resource on the VNet must be in the same region too.
            - A VNet belongs to just one subscription, but a subscription can have multiple VNets
        - Cloud advantages
            - Scaling: adding more VNets, or more addresses to one, is simple
            - High Availability: peering VNets, using a load balancer, or using a VPN gateway all increase availability
            - Isolation: manage and organize resources with subnets and network security groups
    - VNet Peering
        - Uses the Azure backbone network, not the public internet
        - Benefits: low latency, high bandwidth; link separate networks; data transfer between subscriptions and deployment models
    - Load Balancer
        - A Load Balancer distributes new inbound flows that arrive on the Load Balancer's frontend to backend pool instances, according to rules and health probes.
            - Inbound flows: traffic from the internet or a local network
            - Frontend: the access point for the load balancer. All traffic goes here first
            - Backend pool: the VM instances receiving traffic
            - Rules and health probes: checks to ensure backend instances can receive the data
        - Scenarios: internet traffic, internal networks, port forwarding, outbound traffic (allow outbound connectivity for backend pool VMs)
    - VPN Gateway
        - Main components
            - Azure VNet with a VPN Gateway attached, which has its own public IP
            - Secure connection called a tunnel
            - On-premises network that has a complementary gateway that can accept encrypted data
            - All main components together are called a **site-to-site connection**
        - VPN Gateways are instrumental in a hybrid cloud architecture
        - A VPN Gateway is a specific kind of VNet Gateway. It consists of two or more dedicated VMs.
        - VNet Gateway + "vpn" becomes VPN Gateway
        - Sends encrypted data between Azure and the on-premises network
    - Application Gateway
        - Specific routing to send traffic to specific machines
        - Benefits
            - Scaling
            - Encryption
            - Zone redundancy
            - Multi-site hosting: use the same application gateway for up to 100 websites
        - It works on the HTTP request of the traffic, instead of the IP address and port
        - Traffic for a specific web address can go to a specific machine
        - Is a fit for most other Azure services.
    - Content Delivery Network
        - Benefits
            - Better performance
            - Scaling
            - Distribution: edge servers serve requests closest to the user
        - Terminology
            - Cache
            - Origin server (holds the master copy)
    - ExpressRoute
        - If there's a scenario where the data is on-premises and on Azure, needs to be highly available and is periodically migrated, you might need ExpressRoute
        - ExpressRoute doesn't go through the public internet
        - If you need a private, high-bandwidth, low-latency connection from your on-prem network to Azure, ExpressRoute might be suitable
6. Storage
    - Introduction
        - Storage Account = unique Azure namespace (every object in Azure has its own web address)
    - Blob
        - Binary Large Object
        - Storage levels
            - Storage Account -> Container -> Blob
        - Scenarios
            - Images: all types
            - Streaming: stream audio and video directly from your blob storage
            - Log files
            - Data store
        - Blob types
            - Block: store text and binary data up to 4.7 TB. Made up of individually managed blocks of data
            - Append: block blobs that are optimized for append operations. Works well for logging, where data is constantly appended
            - Page: store files up to 8 TB. Any part of the file can be accessed at any time, for example a virtual hard drive
        - Pricing tiers
            - Hot: frequently accessed files
            - Cool: lower storage costs and higher access times. Data remains here for at least 30 days.
            - Archive: lowest costs and highest access times
    - Disk (EBS in AWS)
        - Managed Disk
            - Azure manages it: you don't have to worry about backup and uptime
            - Size and performance: Microsoft and Azure guarantee size and performance as per your agreement with them
            - Upgrade: easy to upgrade your disk size and type
        - Disk types
            - HDD: low cost and suitable for backups
            - Standard SSD: standard for production. Higher reliability and scalability, and lower latency, than HDD
            - Premium SSD: super fast and high performance. Use for critical workloads
            - Ultra Disk: for the most demanding, data-intensive workloads. Disks up to 64 TB (complex analytical workloads or gaming)
    - File
        - Benefits
            - Sharing: share access to Azure file storage across machines and provide access to your on-premises infrastructure
            - Managed: you don't have to worry about hardware or operating system
            - Resilient: network and power outages won't affect your storage
        - Scenarios
            - Hybrid: supplement or replace your existing on-premises file storage solution
            - Lift and shift: move your existing file storage and related services to Azure
    - Archive (Glacier in AWS)
        - Overview
            - Requirement: policies, legislation and recovery can be requirements for archiving data. These can be very large amounts of data
            - Lowest price: the archive tier is the lowest price for storage on Azure. A few dollars a month can get you terabytes of space.
            - Features: durable, encrypted and stable. Perfectly suited for data that is accessed infrequently.
        - Free up premium storage
        - Secure
        - Blob
7. Database
    - Cosmos DB
        - Global from the get-go
        - NoSQL database
        - Synchronization
            - Easy with Cosmos
            - One click to add regions: very easy to expand to more regions with Cosmos DB and keep the data in sync
            - Continued synchronization
        - Latency
            - 0-9 milliseconds
        - Scalability
            - Automated: automatically scales to meet resource demand
            - Infinite resources
            - Lowest price: only pay for what you use
        - Connectivity
            - Developer: SDK and API
            - Languages: including C#, Java and Node.js
            - Platforms: SQL, MongoDB and Cassandra
        - Warning!
            - Costs can run up quickly
    - Azure SQL
        - Is a managed service
        - Migration
            - Can directly migrate on-prem SQL Server to Azure SQL
            - Frictionless process, cost saving and lower total cost of ownership (TCO)
        - Built-in machine learning
            - Optimization: suggestions on how to optimize and improve performance of Azure SQL instances
            - Warnings: you get warnings about degrading instances, and if anything out of the ordinary is happening
        - Cloud benefits
            - Scalability
            - Space
            - Security
        - SQL Database vs. SQL Managed Instance
    - Azure Database for MySQL
        - MySQL features
            - Open source
            - Relational database
            - Mature and stable
        - Azure advantages
            - PaaS
            - Development focus
            - Choice of language (PHP and WordPress)
            - High availability
            - Azure security features
            - Cloud capabilities
        - MySQL use cases
            - Web apps
            - E-commerce and mobile apps
            - Digital marketing
            - Finance management
            - Gaming
    - Azure Database for PostgreSQL
        - Features
            - Extensions (JSONB, geospatial functions)
            - Horizontal scaling (very high-performance access to distributed data sets)
            - Performance recommendations
            - Fully managed
        - Use cases
            - Financial applications
            - Government (geometric data (GIS))
            - Manufacturing (automatic failover)
    - Database Migration Service
8. Authentication and Authorization
    - Identity Services
        - Authentication: making sure you are who you say you are, confirming identity; the first test for access
        - Authorization: comes after authentication. Do you get access? Granular control
        - Access management
            - Authentication vs. authorization
            - Keep out the bad guys
    - Azure AD (AAD)
        - AD was designed for traditional office use with computers and printers
            - The web as a concept or service was not part of the design for Active Directory
            - AD authentication uses services that aren't available on Azure
        - Disclaimer
            - Not the same product as Active Directory
        - AAD service
            - You can't have an Azure account without an AAD service
            - Every Azure account needs a first user, and this user is in the initial AAD instance
        - Tenant
            - Organization: a tenant is a dedicated instance of AAD that an organization receives when signing up for Azure (dedicated AAD)
            - Separate: each tenant is distinct and completely separate from other AAD tenants
            - Max 500 tenants: each user in Azure can be a member or guest of up to 500 Azure AD tenants
        - Subscription
            - Billing entity: all resources within a subscription are billed together
            - Cost separation: you can have multiple subscriptions within a tenant to separate costs
            - Payment: if a subscription isn't paid, all the resources and services associated with the subscription stop
        - Hybrid cloud architecture
            - AAD helps to manage a hybrid cloud architecture
    - MFA (Multi-Factor Authentication)
    - Single Sign-On (SSO)
        - Enable SSO in AAD
        - Seamlessly use all applications without logging in again
        - Single username and password
9. Azure Solutions
    - Internet of Things (IoT)
        - IoT Hub
            - Managed and secure
            - Ease of deployment
            - Platform-as-a-Service
            - Scaling and authentication
        - IoT Central
            - SaaS
            - No coding needed: receive feeds from devices and focus on metrics and business value
            - Pre-made connectors
        - Solutions
            - IoT Hub: PaaS solution that provides more control over IoT data collection and processing
            - IoT Central: SaaS solution that provides pre-made IoT connections and dashboards to get set up quickly
        - Azure Sphere
            - All-in-one solution for IoT devices on Azure
            - Specific hardware: you can only use hardware and chipsets certified by Microsoft for use on Azure
            - Security: specialized security service that manages maintenance, updates, and general control
            - Operating system: custom-made for Azure Sphere devices. Connects to the Sphere Security Service
    - Big Data
        - Data Lake Analytics
            - Large amounts of data
            - Parallel processing
            - Ready to go
        - HDInsight
            - Similar to Azure Data Lake Analytics
            - Open source
            - Includes Apache Hadoop, Spark and Kafka
        - Azure Databricks
            - Based on Apache Spark, a distributed cluster-computing framework
            - Runs and processes datasets on many computers simultaneously
            - Databricks provides all the computing power
            - Integrates with other Azure storage services
        - Azure Synapse Analytics
            - Azure's data warehouse offering
            - Used for reporting and data analysis
            - Only limited to your scope
            - Use the Synapse SQL language to manipulate data
        - Outcomes
            - Speed
            - Cost reduction
            - Better decision making
            - New products and services
    - Machine Learning
        - Machine Learning/AI
            - Models
            - Knowledge mining: use Azure Search to find existing insights in your data, like file relationships, geographic connections and more
            - Built-in apps: Azure has a number of built-in apps that you can use for machine learning
        - Azure Bot Service
            - PaaS offering to let you build bots for Q&A services
        - Azure Cognitive Services
            - Vision
            - Decision
            - Speech
        - Azure Machine Learning Studio
            - Supports all Azure Machine Learning tools
            - Pre-made modules for your project
            - Use for real-world scenarios
        - Machine Learning service
            - End-to-end service
            - Tooling
            - Automation
    - Serverless
        - Azure Functions
            - The first "serverless" service on Azure
            - A single task is performed once for each invocation
            - Basic compute unit
        - Logic Apps
            - Connect systems
            - Automation
            - Quick start
            - Use case
        - Event Grid (EventBridge in AWS)
            - Routing service: routing service for sending and receiving events between applications
            - Serverless
            - Ease of use
    - DevOps
        - DevOps is the work between development and production
        - Azure DevTest Labs
            - Environment management: allows devs and engineers to create environments for test and deployment
            - Cost management
            - Templates: reuse environments
        - GitHub and GitHub Actions
            - GitHub
                - GitHub was acquired by Microsoft in 2018
            - GitHub Actions
                - Very similar to Azure Pipelines
                - Works with almost any platform, such as AWS, GCP and more
10. Security
    - Defense in Depth
        - Azure layers
    - Securing Network Connectivity
        - Azure Firewall
            - Rules: a firewall defines rules for what kind of traffic can and cannot get access
            - Variations: firewalls come in hardware and software versions
            - Critical part: any network that takes security seriously will have a firewall
        - DDoS Protection Service
        - Network Security Group (NSG)
            - Resource firewall: attached to a virtual network, subnet or network interface
            - Rules: an NSG determines who can access the resources attached to it, using inbound and outbound rules
        - Application Security Group
            - Protects application infrastructure: focuses the security on the application rather than the IP endpoint
            - Natural extension: group VMs and virtual networks into logical application groups and apply an application security group
    - Azure Security Center
        - Overview:
            - Threat alerts
            - Ready for hybrid architectures
            - Each VM has an agent installed that sends data
            - Azure analyzes the data and alerts you if necessary
        - Highlights
            - Policy and compliance metrics
            - A "secure score" to encourage great security hygiene
            - Integrates with other cloud providers
            - Alerts for resources that aren't secure
        - Using Security Center
            - Define policies: set up policies that Azure uses to monitor resources. A policy is a set of rules used to evaluate a resource
            - Protect resources: actively protect your resources by monitoring your policies and their outcomes
            - Response: respond to any security alerts. Investigate all of them and then go back to step 1 to define new policies that account for the alert.
        - Regulatory compliance
        - Resource security hygiene
    - Azure Key Vault
        - Overview
            - Secure hardware: not even Microsoft can access the keys in it
            - Application isolation: an application can't pass on secrets, nor access another application's secrets
            - Global scaling: scales globally like any other managed Azure service
    - Azure Information Protection
        - Secures documents, email and data outside of the company network
        - Classify data according to how sensitive it is, either using policies or manually
        - Track what is happening with shared data and revoke access if needed
        - Safely share data, as you can control who edits, views, prints and forwards it
        - Controls for document access are integrated with common applications and tools such as Microsoft Office
    - Microsoft Defender for Identity
        - Monitor users: analyze user activity and information. This includes any permissions and memberships of groups
        - Baseline behavior: record what a user's normal behavior and routine is. Any activity outside this routine will be logged as suspicious
        - Suggest changes: Microsoft Defender for Identity will suggest changes to conform with security best practices in order to reduce risks
        - Cyber-attack kill chain
            - Reconnaissance: if a user is searching for information about other users, device IP addresses and more, Microsoft Defender for Identity will raise alerts
            - Brute force: any attempts to guess user credentials will be identified and flagged
            - Increasing privileges: any attempt by a user to gain more privileges will be flagged. This could be through another user's login
    - Azure Sentinel (CloudWatch in AWS)
        - Sentinel is a security information and event management (SIEM) tool
        - Benefits and features
    - Azure Dedicated Host
        - Overview
            - Hardware control: you get control of an entire physical server on Azure
            - Yours and yours alone: physical-layer isolation means you won't get any "foreign" VMs on your dedicated host
            - Maintenance: reduce the impact on your system by choosing when to install updates on your dedicated host
        - Cloud benefits
            - Compliance
            - Global infrastructure
            - OS of your choice
    - Advanced Threat Protection
        - You secure and manage the users of your organization. Monitor users' behavior, create a baseline of this behavior and report on any anomalies from it.
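To make the Network Security Group bullets under "Securing Network Connectivity" concrete, here is an added example written for these notes (it is not code from the A Cloud Guru course or from Microsoft). It simulates how an NSG decides the fate of an inbound flow: rules are evaluated from the lowest priority number upward, the first match wins, and Azure's built-in default rules (AllowVnetInBound 65000, AllowAzureLoadBalancerInBound 65001, DenyAllInBound 65500) sit behind your custom rules. The rule set, the VNet prefix and the sample flows are constructed for the demo; the resolution of the `Internet` and `VirtualNetwork` service tags is a deliberate simplification, and `168.63.129.16` is the real Azure load-balancer probe address.

```python
"""Added example: inbound rule evaluation for an Azure NSG (constructed data)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed VNet address space used to resolve the VirtualNetwork service tag.
VNET_PREFIXES = [ip_network("10.0.0.0/16")]
# Azure's virtual public IP used for load-balancer health probes (real value).
AZURE_LB_PREFIX = ip_network("168.63.129.16/32")


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int   # custom rules use 100-4096; lower number = evaluated first
    access: str     # "Allow" or "Deny"
    protocol: str   # "Tcp", "Udp" or "*"
    source: str     # CIDR, single IP, "*", or a service tag
    dest_port: str  # "22", "80-443" or "*"


@dataclass(frozen=True)
class Flow:
    src_ip: str
    protocol: str
    dest_port: int


# Default inbound rules Azure adds to every NSG; they cannot be removed,
# only overridden by a custom rule with a lower priority number.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "AzureLoadBalancer", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*"),
]


def _in_vnet(ip):
    return any(ip in net for net in VNET_PREFIXES)


def _source_matches(rule_source, src_ip):
    """Resolve service tags (simplified) or match a CIDR / single address."""
    ip = ip_address(src_ip)
    if rule_source == "*":
        return True
    if rule_source == "VirtualNetwork":
        return _in_vnet(ip)
    if rule_source == "Internet":  # simplification: anything outside the VNet
        return not _in_vnet(ip)
    if rule_source == "AzureLoadBalancer":
        return ip in AZURE_LB_PREFIX
    return ip in ip_network(rule_source, strict=False)


def _port_matches(rule_port, port):
    if rule_port == "*":
        return True
    lo, _, hi = rule_port.partition("-")
    return int(lo) <= port <= int(hi or lo)


def evaluate_inbound(custom_rules, flow):
    """Return (access, rule_name) of the first rule, in priority order, that matches."""
    for rule in sorted(list(custom_rules) + DEFAULT_INBOUND, key=lambda r: r.priority):
        if rule.protocol not in ("*", flow.protocol):
            continue
        if not _port_matches(rule.dest_port, flow.dest_port):
            continue
        if not _source_matches(rule.source, flow.src_ip):
            continue
        return rule.access, rule.name
    raise AssertionError("DenyAllInBound always matches")  # unreachable


# Constructed rule set: HTTPS open to everyone, SSH only from a corporate range.
# Rule 400 never fires for internet sources because the deny at 300 is evaluated first.
CUSTOM_INBOUND = [
    Rule("AllowHTTPS", 100, "Allow", "Tcp", "*", "443"),
    Rule("AllowSSHFromCorp", 200, "Allow", "Tcp", "203.0.113.0/24", "22"),
    Rule("DenySSHFromInternet", 300, "Deny", "Tcp", "Internet", "22"),
    Rule("AllowSSHAnywhere", 400, "Allow", "Tcp", "*", "22"),  # shadowed by rule 300
]

if __name__ == "__main__":
    for f in [Flow("198.51.100.7", "Tcp", 443), Flow("198.51.100.7", "Tcp", 22),
              Flow("203.0.113.9", "Tcp", 22), Flow("10.0.2.5", "Tcp", 3389),
              Flow("198.51.100.7", "Udp", 53), Flow("168.63.129.16", "Tcp", 80)]:
        print(f, "->", evaluate_inbound(CUSTOM_INBOUND, f))
```

The shadowed rule at priority 400 is the point worth checking in a real NSG review: an "allow" you add later does nothing if a lower-numbered deny already covers the same traffic, and the reverse is how an over-broad allow quietly defeats a deny. Note also that VNet-internal RDP (the 3389 flow) is allowed purely by the default `AllowVnetInBound` rule, so restricting east-west traffic needs an explicit custom deny.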
11. Privacy, Compliance and Trust
    - Governance
        - Azure Policy
        - Governance validates that your organization can achieve its goals through effective and efficient use of IT
        - Role-Based Access Control (RBAC)
            - Define user access
            - Minimum access
            - Target specific use cases
            - RBAC role assignment
        - Locks
            - A lock can be assigned to a subscription, resource group or resource
            - A lock can be of two types: Delete, where you can't delete the locked object, and Read-Only, where you can't make any changes to the object
            - A lock needs to be removed before the locked actions can be performed again
        - Azure Blueprints
        - Cloud Adoption Framework
            - Collection of documents: lots of resources to guide you through the cloud adoption process
            - Guidance: helps to define strategies for adoption, planning the move, "being ready" for the cloud, adoption reasons, governance practices, and managing a living, breathing cloud architecture
            - Governance: key to the cloud adoption process is governance of the process. The Cloud Adoption Framework is a big step in that process
        - Azure Advisor for security assistance
            - Is part of Security Center
    - Azure Monitor
        - Telemetry central
        - Overview
            - Constant feed
            - Fully managed
            - Query language
            - Machine learning
        - Outcomes
            - Maximize performance
            - Maximize availability
            - Identify issues
    - Azure Service Health
        - Health dashboard: notifies you about any planned and unplanned incidents on the Azure platform
        - Overview
            - Personalized dashboard
            - Custom alerts
            - Real-time tracking
            - Free service
    - Compliance
        - Industry regulations
        - Azure Compliance Manager
            - Benefits:
                - Recommendations: get recommendations for ensuring compliance with GDPR, ISO, NIST and others
                - Tasks: assign compliance tasks to team members and track progress
                - Compliance score
                - Secure storage to upload documents to prove compliance
                - Reports for auditors
        - Azure Government Cloud
            - Dedicated regions: if you are a US government body, or contract for one, you can get access to dedicated, separate datacenters
            - Exclusivity: guaranteed that only screened personnel from US federal, state and local government have access
            - Compliance: ensures compliance with required US government agencies, and Level 5 Department of Defense approval
            - Azure benefits
        - China Region
            - Located in China
            - Data is kept in China
            - Compliant
        - Compliance is not negotiable
            - GDPR, ISO and NIST are regulations and standards to ensure compliance with applicable legislation
    - Privacy
        - Azure privacy
            - Azure Information Protection: classify, label and protect data based on data sensitivity
            - Azure Policy
            - Guide: use guides on Azure to respond to and comply with GDPR privacy requests
            - Compliance Manager
            - Microsoft Privacy Statement
    - Trust
        - Trust Center & Service Trust Portal
            - Trust Center: a hub for more information about trust in each product and service
            - Service Trust Portal: review all the independent reports and audits performed on Microsoft's products and services
12. Pricing
    - Subscriptions
        - Billing and pricing
        - Subscriptions
            - Multiple subscriptions: any Azure account can have multiple subscriptions. Useful for organizing who pays for what
            - Billing admin: one or more users can be a "billing admin", who manages anything to do with billing and invoicing on Azure. Ensures separation of responsibility
            - Billing cycle: the billing cycle is either 30 or 60 days
        - Offer types
        - Management groups
    - Cost Management
        - Free accounts
            - It is free
            - Microsoft wants you to get a taste of Azure services
            - Always free for some services
        - Azure Cost Management
            - Can be accessed from the Azure Portal
            - Get detailed spending reports and recommendations on how to save on costs, and analyze them
            - Optimize your current resources to save money, and monitor any Amazon Web Services charges too
        - Spot VMs
            - Also called deep discounts
            - Save 90% on cost
            - VMs can be evicted at any time
            - Use with Azure scale sets
            - Set a max price for the Spot VM
    - Pricing Factors
        - Influences on pricing
            - Resource size
            - Resource type
            - Location
            - Bandwidth
            - Zones and bandwidth
        - Pricing Calculator
            - Choose from all available Azure services
            - Select resource properties, such as VM
            - Monthly cost estimate
            - Export the estimate for further analysis and use
        - Total Cost of Ownership calculator
            - Estimate total savings over a period of time by using Azure
            - Comprehensive reports to share with stakeholders
    - Best Practices
        - Spending limits
            - Default limit
            - No increase: when credits are gone, either remove the limit entirely or leave it in effect
            - No spending limit: pay-as-you-go accounts have no spending limit functionality
        - Quotas
        - Tags
            - Identify roles to protect sensitive data
            - Related resources: to make bulk processing and updating easier, define which resources are related
            - Filter
            - Unambiguous: create a list of the tags used that includes description, tag name and potential values
        - Pay-as-you-go
            - The most expensive option
        - Reserved Instances
            - 1- or 3-year commitment and save 70%
        - Reserved Capacity
            - 1- or 3-year commitment
            - Azure SQL: save up to 80%
            - Cosmos DB: save up to 65%
            - Synapse Analytics: save up to 65%
            - Redis Cache: save up to 55%
            - Can change regions, scale up or down, apply it to multiple subscriptions, and cancel at any time
        - Azure Hybrid Benefit
            - Use existing licenses
        - Advisor
            - The Advisor portal gives you general best-practice advice through recommendations
13. Support
    - Plans
        - Overview
        - Inclusions - all support plans
            - These are the inclusions in the "Basic" support plan
        - Inclusions - paid plans
    - Tickets
        - A ticket is a support enquiry
        - Unique identifier: a ticket is a single reference to an issue
        - Submitting a ticket
            - Submit a ticket through the Azure Portal
            - Choose one of four support ticket types
            - Fill in details about the issue
            - The request is processed according to your support plan
    - Channels
        - Support channels
            - Azure Documentation
            - Forums
            - Social media: direct support from Azure and the teams behind each service
        - Knowledge Center
            - Common questions
            - No new questions
            - Search
            - Complements other channels: use the other support channels too, as not all answers are in the Knowledge Center
    - Service Level Agreement (SLA)
        - Properties
    - Service Lifecycle
        - Gathering customer data
            - Customers can provide valuable feedback
        - Stages
            - Preview
                - Private: only available to specific customers invited by the product team behind the service
                - Public: available to all Azure customers. Enable preview features in the Azure Portal
            - General Availability: available to all Azure customers as a normal service, including an SLA. Services become generally available when they are ready. Can be a gradual rollout to some regions first
        - Azure Updates
            - Watch for previews, new features and updates