AZ-900

Azure Fundamentals

1
Getting Started

Azure has 200+ services. Exam expects you to understand 40+ services.
Exam tests your decision making abilities:
Which service do you choose in which situation?
This course is designed to help you make these choices
Our Goal : Help you get certified and start your cloud journey with Azure

2
How do you put your best foot forward?
Challenging certification - Expects
you to understand and REMEMBER a
number of services
As time passes, humans forget things.
How do you improve your chances of
remembering things?
Active learning - think and take notes
Review the presentation every once in a
while

3
Our Approach
Three-pronged approach to reinforce
concepts:
Presentations (Video)
Demos (Video)
Two kinds of quizzes:
Text quizzes
Video quizzes
(Recommended) Take your time. Do
not hesitate to replay videos!
(Recommended) Have Fun!

4
Getting Started - Azure

5
Before the Cloud - Example 1 - Online Shopping App

Challenge:
Peak usage during holidays and weekends
Less load during rest of the time
Solution (before the Cloud):
Procure (Buy) infrastructure for peak load
What would the infrastructure be doing during periods of low loads?

6
Before the Cloud - Example 2 - Startup

Challenge:
It suddenly becomes popular.
How to handle the sudden increase in load?
Solution (before the Cloud):
Procure (Buy) infrastructure assuming they would be successful
What if they are not successful?

7
Before the Cloud - Challenges

High cost of procuring infrastructure

Needs ahead of time planning (Can you guess the future?)
Low infrastructure utilization (PEAK LOAD provisioning)
Dedicated infrastructure maintenance team (Can a startup afford it?)

8
Silver Lining in the Cloud
How about provisioning (renting) resources when you want
them and releasing them back when you do not need them?
On-demand resource provisioning
Also called Elasticity

9
Cloud - Advantages
Trade "capital expense" for "variable expense"
Benefit from massive economies of scale
Stop guessing capacity
Stop spending money running and maintaining data centers
"Go global" in minutes

10
Microsoft Azure
One of the leading cloud service providers
Provides 200+ services
Reliable, secure and cost-effective
The entire course is all about Azure. You will learn it as we go
further.

11
Best path to learn Azure!

Cloud applications make use of multiple Azure services.

There is no single path to learn these services independently.
HOWEVER, we've worked out a simple path!

12
Setting up Azure Account
Create Azure Account

13
Regions and Zones

14
Data Center - What is it?
Thousands of servers: A typical enterprise has
thousands of servers running different applications
Need to be Managed: All these servers need to be
secured and managed
How about putting all servers together?
Data Center: A facility used to house an organization's IT
operations and equipment
Improved Security: Centralized security measures to
protect data and infrastructure
Efficiency: Streamlined management and
maintenance of IT resources

15
Regions and Zones

Imagine that your application is deployed in a data center in London

What would be the challenges?
Challenge 1 : Slow access for users from other parts of the world (high latency)
Challenge 2 : What if the data center crashes?
Your application goes down (low availability)

16
Multiple data centers

Let's add in one more data center in London

What would be the challenges?
Challenge 1 : Slow access for users from other parts of the world
Challenge 2 (SOLVED) : What if one data center crashes?
Your application is still available from the other data center
Challenge 3 : What if entire region of London is unavailable?
Your application goes down

17
Multiple regions

Let's add a new region : Mumbai

What would be the challenges?
Challenge 1 (PARTLY SOLVED) : Slow access for users from other parts of the world
You can solve this by adding deployments for your applications in other regions
Challenge 2 (SOLVED) : What if one data center crashes?
Your application is still live from the other data centers
Challenge 3 (SOLVED) : What if entire region of London is unavailable?
Your application is served from Mumbai

18
Regions
Imagine setting up data centers in
different regions around the world
Would that be easy?
(Solution) Azure provides 60+ regions
around the world
Expanding every year
Region : Specific geographical
location to host your resources
Advantages:
High Availability
Low Latency
Global Footprint
Adhere to government regulations

19
Availability Zones
How to achieve high availability in the same
region (or geographic location)?
Enter Availability Zones
Multiple AZs (3) in a region
One or more discrete data centers
Each AZ has independent & redundant power, networking &
connectivity
AZs in a region are connected through low-latency links
(Advantage) Increased availability and fault
tolerance within same region
Survive the failure of a complete data center
(Remember) NOT all Azure regions have
Availability Zones

20
Regions and Availability Zones examples
New Regions and AZs are constantly added

Region Availability Zones

(US) East US 3
(Europe) West Europe 3
(Asia Pacific) Southeast Asia 3
(South America) Brazil South 3
(US) West Central US 0

21
Azure Virtual Machines

22
Virtualization - What is it?
Physical Server: CPU(s) + Memory + Storage
Early Days: One Application on One Physical Server
Underutilized Resources: Inefficiency and higher costs
Virtualization: Use Software (Hypervisor) to run multiple
Virtual Machines (VMs) on a single physical server
Result: Improved resource utilization by sharing hardware resources
Flexibility: Easily create, modify, and move VMs to meet changing
demands
Virtualization and Cloud Computing: Foundation of cloud
services like AWS, Azure, and Google Cloud

23
Azure Virtual Machines
In corporate data centers, applications are deployed to
physical servers
Where do you deploy applications in the cloud?
Rent virtual servers
Virtual Machines - Virtual servers in Azure
Azure Virtual Machines - Provision & Manage Virtual Machines

24
Azure Virtual Machines - Features
Create and manage lifecycle of Virtual Machine (VM) instances
Load balancing and auto scaling for multiple VM instances
Attach storage to your VM instances
Manage network connectivity and configuration for your VM
instances
Our Goal:
Setup VM instances as HTTP (Web) Server
Distribute load with Load Balancers

25
Azure Virtual Machines Hands-on
Let's create a few VM instances and play with them
Let's SSH into VM instances and install web server!

26
Azure Virtual Machines - Key Concepts
Feature Explanation
Image Choose Operating System and Software
VM Family Choose the right family of hardware (General purpose or Compute/Storage/Memory
optimized or GPU or HPC)
VM Size (B1s, B2s, Choose the right quantity of hardware (2 vCPUs, 4GB of memory)
...)
Disks Attach Virtual Disks to VMs (Block Storage)

27
Useful Commands
#!/bin/sh
sudo su
apt-get -y update
apt-get -y install nginx
echo "Getting started with Azure Virtual Machines" > /var/www/html/index.html
echo "Welcome to in28minutes $(whoami)" > /var/www/html/index.html
echo "Welcome to in28minutes $(hostname)" > /var/www/html/index.html

Commands:
sudo su - execute commands as a root user
apt-get -y update - Update package index - pull the latest changes from the
repositories
apt-get -y install nginx - Install and start nginx web server
echo "Hello World" > /var/www/html/index.html - Write to index.html
$(hostname) - Get host name
$(hostname -I) - Get host internal IP address

28
Availability
Are the applications available when the users need them?
Percentage of time an application provides the operations expected of it
Example: 99.99% availability. Also called four 9's availability
Availability Table
Availability Downtime (in a month) Comment
99.95% 22 minutes
99.99% (four 9's) 4 and 1/2 minutes Most online apps aim for 99.99% (four 9's)
99.999% (five 9's) 26 seconds Achieving 5 9's availability is tough

29
Increasing Availability for Azure VMs
Single Instance VM:
Premium SSD or Ultra Disk: 99.9%
Standard SSD Managed Disks: 99.5%
Standard HDD Managed Disks: 95%
Two or more instances in same Availability Set: 99.95%
Availability set is a logical grouping of VMs
Fault domains: Group of VMs sharing a common power source and network switch
Update domains: Group of VMs that are rebooted (updated) at the same time
Two or more instances in two or more Availability Zones in the
same Azure region: 99.99%
Summary: Create multiple instances in multiple AZs if you
want high availability

30
Virtual Machine Scale Sets
How do you simplify creation and management of multiple
VMs?
Enter Virtual machine scale sets
Allow you to create and manage a group of Azure VMs
Provides high availability to your applications
(Optional) Add a load balancer
(Optional) Distribute VM instances across Multiple AZs (where
available)
Supports Manual Scaling and Auto Scaling
Supports up to 1,000 VM instances
DEMO TIME

31
Azure Virtual Machines - More Features
Feature Explanation
Static IP Address Assign a fixed IP address to your VM
Public IP addresses are charged per IP per
hour
Azure Monitoring Monitoring for your Azure VMs
Dedicated Hosts Physical servers dedicated to one customer
Create cheaper, temporary instances for non critical Azure Spot instances
workloads
Reserve compute instances ahead of time Reserved VM Instances (1 or 3 years)

32
Designing Good Solutions with VMs
Terminology Description Azure VMs
Availability Are apps available when your users need them? Availability Sets and Scale Sets
Scalability Can we handle a growth in users, traffic, or VM Size, Scale Sets and Load
data size without any drop in performance? Balancers
Resilience Ability of system to provide acceptable behavior even Scale Sets and Load Balancers
when one or more parts of the system fail
Geo- Distribute applications across regions and zones Scale Sets and Load Balancers
distribution
Disaster How to keep your systems running in face of disasters? Site Recovery
Recovery
Managing You want to keep costs low Auto Scaling (Elasticity),
Costs Reservations, Spot Instances
Security Secure your VMs Dedicated Hosts(More to come...)

33
Vertical Scaling

Deploying application/database to bigger instance:

A larger hard drive
A faster CPU
More RAM, CPU, I/O, or networking capabilities
In Azure: We can increase VM size
There are limits to vertical scaling

34
Horizontal Scaling

Deploying multiple instances of application/database

(Typically but not always) Horizontal Scaling is preferred to Vertical Scaling:
Vertical scaling has limits
Vertical scaling can be expensive
Horizontal scaling increases availability
(BUT) Horizontal Scaling needs additional infrastructure:
Scaling Sets, Load Balancers etc.

35
Azure Virtual Machines - Scenarios
Scenario Solution
How can you automatically scale up and scale down VM Scale Sets
VMs?
How can you protect VMs from datacenter failures? Deploy them to multiple AZs (Scale Sets)
How much availability do you get by deploying two 99.99%
or more VM instances in two or more AZs in same
region?
How can you do disaster recovery for your VMs? Site Recovery
How can you reduce costs for your VMs? AutoScaling(Elasticity), Reserved & Spot Instances,
Right Region - Cost varies from region to region
Will you be billed if you stop a VM? Yes. For Storage.
Will two VMs of same size always cost the same? No. Price changes with time. Price also is different in
different regions.
How can you know who performed a specific action Activity Logs (kept for 90 days)
on a VM?
36
Managed Services

37
Managed Services
Do you want to continue running applications in the cloud,
the same way you run them in your data center?
OR are there OTHER approaches?
You should understand some terminology used with cloud
services:
IaaS (Infrastructure as a Service)
PaaS (Platform as a Service)
SaaS (Software as a Service)
Serverless
Let's get on a quick journey to understand these!

38
IAAS (Infrastructure as a Service)
Use only infrastructure from cloud provider
Example: Using VM to deploy your applications or
databases
You are responsible for:
Application Code and Runtime
Configuring load balancing
Auto scaling
OS upgrades and patches
Availability
etc.. ( and a lot of things!)

39
PAAS (Platform as a Service)
Use a platform provided by cloud
Cloud provider is responsible for:
OS (incl. upgrades and patches)
Application Runtime
Auto scaling, Availability & Load balancing etc..
You are responsible for:
Configuration (of Application and Services)
Application code (if needed)
Examples:
Azure App Service
Databases - Relational & NoSQL (Amazon RDS, Google Cloud
SQL, Azure SQL Database etc)
Queues, AI, ML, Operations etc!

40
Azure App Service
Fully managed platform for building, deploying and
scaling your web apps
Also supports REST APIs, and mobile back ends
Natively supports .NET, .NET Core, Node.js, Java,
Python and PHP
Choose App Service plan: defines a set of compute
resources for a web app
Features:
Automated Deployment and management
Auto Scaling
Built in Load Balancing

41
Microservices

Enterprises are heading towards microservices architectures

Build small focused microservices
Flexibility to innovate and build applications in different programming languages (Go, Java,
Python, JavaScript, etc)
BUT deployments become complex!
How can we have one way of deploying Go, Java, Python or JavaScript ..
microservices?
Enter containers!

42
Containers - Docker
Create Docker images for each microservice
Docker image has all needs of a microservice:
Application Runtime (JDK or Python or NodeJS)
Application code and Dependencies
VMs virtualize Hardware while containers virtualize OS
Runs the same way on any infrastructure:
Your local machine
Corporate data center
Cloud
Advantages
Docker containers are light weight
Compared to Virtual Machines as they do not have a Guest OS
Docker provides isolation for containers
Docker is cloud neutral

43
Azure Container Instances
Manage and run simple container based applications
You DO NOT need to provision and manage VMs
Start containers in seconds
Azure App Service also supports deploying simple containers

44
Container Orchestration
Requirement : I want 10 instances of
Microservice A container, 15 instances
of Microservice B container and ....
Typical Features:
Auto Scaling - Scale containers based on
demand
Service Discovery - Help microservices find
one another
Load Balancer - Distribute load among
multiple instances of a microservice
Self Healing - Do health checks and replace
failing instances
Zero Downtime Deployments - Release new
versions without downtime

45
Container Orchestration - AKS and Service Fabric
Using a Container Orchestrator:
1: Create a Cluster
2: Deploy & Orchestrate Microservices
Azure Services:
Azure Kubernetes Service: Managed
Kubernetes Service
Azure Service Fabric: Microsoft's container
orchestrator

46
Serverless
What do we think about when we develop an application?
Where to deploy? What kind of server? What OS?
How do we take care of scaling and availability of the application?
What if you don't need to worry about servers and focus on your code?
Enter Serverless
Remember: Serverless does NOT mean "No Servers"
Serverless for me:
You don't worry about infrastructure (ZERO visibility into infrastructure)
Flexible scaling and automated high availability
Most Important: Pay for use
Ideally ZERO REQUESTS => ZERO COST
You focus on code and the cloud managed service takes care of all that is
needed to scale your code to serve millions of requests!
And you pay for requests and NOT servers!

47
Azure Functions

You don't worry about servers or scaling or availability

You only worry about your code
You pay for what you use
Number of requests
Duration of requests
Memory consumed
Supports C#, Python, JavaScript, Typescript and Java

48
SaaS (Software as a Service)
Centrally hosted software (mostly on the cloud)
Offered on a subscription basis (pay-as-you-go)
Examples:
Email, calendaring & office tools (such as Outlook 365, Microsoft Office 365, Gmail, Google Docs)
Customer relationship management (CRM), enterprise resource planning (ERP) and document
management tools
Cloud provider is responsible for:
OS (incl. upgrades and patches)
Application Runtime
Auto scaling, Availability & Load balancing etc..
Application code and/or
Application Configuration (How much memory? How many instances? ..)
Customer is responsible for:
Configuring the software!

49
50
Azure Cloud Service Categories - Scenarios
Scenario Solution
IaaS or PaaS or SaaS: Deploy Custom Application in Virtual Machines IaaS
IaaS or PaaS or SaaS: Using Gmail SaaS
IaaS or PaaS or SaaS: Using Azure App Service to deploy your app PaaS
True or False: Customer is responsible for OS updates when using PaaS False
True or False: Customer is responsible for Availability when using PaaS False
True or False: In PaaS, customer has access to VM instances False
True or False: In PaaS, customer can customize OS and install custom software False
True or False: In PaaS, customer can configure auto scaling needs True
True or False: In PaaS, customer can configure hardware needs (memory, cpu etc) True
True or False: PaaS services only offer Compute services False

51
Review - Azure Services for Compute
Azure Service Name Description
Azure VMs Windows or Linux VMs (IaaS)
Use VMs when you need control over OS OR you want to run custom software
You handle Availability, Scalability, Load Balancing, Software/OS Updates ...
Azure App Service PaaS. Deploy web apps, mobile back ends and RESTful APIs quickly.
Built-in Auto Scaling, Load Balancing
Azure Container Instances PaaS (CaaS). Run isolated containers, without orchestration.
You DO NOT need to provision and manage VMs. Start containers in seconds.
Azure Kubernetes Service PaaS (CaaS). Managed Kubernetes Service. Provides container orchestration.
Azure Service Fabric PaaS (CaaS). Microsoft's container orchestrator.
Package, deploy, and manage scalable and reliable microservices
Run anywhere - on premises and in the cloud
Azure Functions Serverless (FaaS) compute for event-driven apps

52
Azure Compute Services - Scenarios
Scenario Solution
You want to run function in response to events Azure Functions
You want to deploy a Python application using a Managed Service Azure App Service
You want to quickly deploy a container Azure Container Instances
You want to setup a complex microservices architecture in Azure AKS or Service Fabric
Your application needs customized OS and custom Software installed Azure VMs

53
Storage

54
Storage Types - Block, File, Object, ......

What is the type of storage of your hard disk?

Block Storage
You've created a file share to share a set of files with your colleagues in a
enterprise. What type of storage are you using?
File Storage
You want to be able to upload/download objects using a REST API without
mounting them onto your VM. What type of storage are you using?
Object Storage

55
Azure Storage
Managed Cloud Storage Solution
Highly available, durable and massively scalable (upto few PetaBytes)
Core Storage Services:
Azure Disks: Block storage (hard disks) for Azure VMs
Azure Files: File shares for cloud and on-premises
Azure Blobs: Object store for text and binary data
Azure Queues: Decouple applications using messaging
Azure Tables: NoSQL store (Very Basic)
Prefer Azure Cosmos DB for NoSQL
(PRE-REQUISITE) Storage Account is needed for Azure Files,
Azure Blobs, Azure Queues and Azure Tables

56
Azure Storage - Data Redundancy
Option Redundancy Discussion
Locally redundant Three synchronous copies in same data center Least expensive and least
storage (LRS) availability
Zone-redundant storage Three synchronous copies in three AZs in the
(ZRS) primary region
Geo-redundant storage LRS + Asynchronous copy to secondary region
(GRS) (three more copies using LRS)
Geo-zone-redundant ZRS + Asynchronous copy to secondary region Most expensive and highest
storage (GZRS) (three more copies using LRS) availability

57
Exploring Read-access storage redundancy options
Geo-redundant storage (GRS or GZRS): Replicates data to
secondary regions
HOWEVER allows read/write access only after a failover
Read-access storage redundancy: What if you need read
access to data all the time from the secondary regions?
Two Options:
RA-GRS: Read-access geo-redundant storage
RA-GZRS: Read-access geo-zone-redundant storage
Example URL Patterns
Primary:myaccount.blob.core.windows.net
Secondary:myaccount-secondary.blob.core.windows.net

58
Region pairs
Data copies across regions => high availability + high durability
Azure makes it easy to distribute data across regions (while retaining
data in same geography) through Region Pairs
Examples: Central India & South India, East US & West US, North Europe (Ireland) &
West Europe (Netherlands), ..
Azure Storage Example: If you use Geo-redundant storage (GRS) and choose region
as East US
3 copies stored in East US and 3 copies in the corresponding paired region - West US
Access data from primary region (East US)
Option to failover to secondary region (West US) if primary region is NOT available
Region pairs have very fast data connection
Azure tries to ensure that both regions (in a region pair) do NOT have
problems at the same time
For Example: Software updates are done one region at a time

59
Premium Storage Account: For High Performance
Standard General-Purpose Storage Accounts: Recommended
for most scenarios!
What we have looked at until now!
High Performance: What if you need very high performance?
Premium Storage Account: Uses solid-state drives (SSDs) for low latency
and high throughput
Constraint: Fewer Redundancy options (LRS, ZRS)
Supported Premium Account Types:
Premium block blobs - Blob Storage, Data Lake Storage
Premium file shares: Supporting both SMB and NFS file shares
Premium page blobs

60
Block Storage
Use case: Hard-disks attached to your
computers
Typically, ONE Block Storage device can be
connected to ONE virtual server
HOWEVER, you can connect multiple different
block storage devices to one virtual server

61
Azure Disks Storage
Disk storage: Disks for Azure VMs
Types:
Standard HDD: Recommended for Backup, non-critical, infrequent access
Standard SSD: Recommended for Web servers, lightly used enterprise applications and
dev/test environments
Premium SSD disks: Recommended for production and performance sensitive workloads
Ultra disks (SSD): Recommended for IO-intensive workloads such as SAP HANA, top tier
databases (for example, SQL, Oracle), and other transaction-heavy workloads
Premium and Ultra provide very high availability
Managed vs Unmanaged Disks:
Managed Disks are easy to use:
Azure handles storage
High fault tolerance and availability
Unmanaged Disks are old and tricky (Avoid them if you can)
You need to manage storage and storage account
Disks stored in Containers (NOT Docker containers. Completely unrelated.)

62
Azure Files
Media workflows need huge shared
storage for things like video editing
Enterprise users need a quick way to
share files in a secure & organized way
Azure Files:
Managed File Shares
Connect from multiple devices concurrently:
From cloud or on-premises
From different OS: Windows, Linux, and macOS
Supports Server Message Block (SMB) and
Network File System (NFS) protocols
Usecase: Shared files between multiple VMs
(example: configuration files)

63
Azure File Sync
Windows file server: Create file shares on-premises
Azure Files: Create file shares on Azure
Storing files in Azure Files is cheaper & easier to manage BUT
Windows file server provides flexible connectivity options to
on-premise apps and users
How about having same connectivity to file shares for on-premises apps
and resources while storing them in Azure Files?
Azure File Sync: File shares created in Azure Files. AND Retain
flexibility and compatibility of Windows file server.
Option: Keep cache of frequently accessed files or have a full local copy
Supports multiple protocols: SMB, NFS, and FTPS
Advantages: Cheaper, easier to manage and can be used as cloud-side
backup (Business continuity and disaster recovery)

64
Azure Blob Storage
Azure Blob Storage: Object storage in Azure
Structure: Storage Account > Container(s) > Blob(s)
Store massive volumes of unstructured data
Store all file types - text, binary, backup & archives:
Media files and archives, Application packages and logs
Backups of your databases or storage devices
Three Types of Blobs
Block Blobs: Store text or binary files (videos, archives etc)
Append Blobs: Store log files (Ideal for append operations)
Page Blobs: Foundation for Azure IaaS Disks (512-byte pages up to 8 TB)
Azure Data Lake Storage Gen2: Azure Blob Storage Enhanced
Designed for enterprise big data analytics (exabytes, hierarchical)
Low-cost, tiered storage, with high availability/disaster recovery

65
Azure Blob Storage - Access Tiers
Different kinds of data can be stored in Blob Storage
Media files, website static content
Backups of your databases or storage devices
Long term archives
Huge variations: In access patterns
Access tiers: Can I pay a cheaper price for objects I access less
frequently?
Hot: Store frequently accessed data
Cool: Infrequently accessed data stored for min. 30 days
Cold: Infrequently accessed data stored for min. 90 days
Archive: Rarely accessed data stored for min. 180 days

66
Azure Blob Storage - Access Tiers - 2
Complete Flexibility: Change the access tiers of an object at
any time to optimize cost and performance
Blob Level Configuration: Access tiers can be set at the blob
level, during or after upload
Storage Account Default Access Tier: Can be Hot or Cool
(REMEMBER) The cold and archive access tiers aren't available as options
for this setting
Archive Tier: Lowest storage cost BUT Highest access cost
Access latency: In hours
To access: Rehydrate (Change access tier) OR
Copy to another blob with a changed access tier

67
Azure Queues and Tables
Azure Queues: Decouple applications using messaging
Azure Tables: NoSQL store (Very Basic)
Prefer Azure Cosmos DB for NoSQL

68
Azure Storage Explorer
Azure Storage Explorer: Manage Azure storage resources from
desktop
Free tool: Supported on Windows, macOS, and Linux
Integrates with:
Azure Storage blobs, files, queues, and tables
Azure Data Lake Storage
Azure managed disks
Features: Upload, download files, manage permissions, ..
Extensions available: Data Factory extn - move data from AWS S3 to Azure Storage
Very similar to Storage Explorer and Storage Browser on Azure Portal
(Alternative) AzCopy: Command-line utility
Copy files from local machine or other cloud storage to Azure Storage
(REMEMBER) Azure Storage Explorer uses AzCopy in the background
Use Azure Storage Explorer if you prefer a GUI
Use AzCopy if you like command line or you want to automate

69
Exploring Globally Unique Names in Azure
Do you know? Storage account names are used as part of the URLs
Blob Storage - https://<account-name>.blob.core.windows.net
Data Lake Storage Gen2 - https://<account-
name>.dfs.core.windows.net
Azure Files - https://<account-name>.file.core.windows.net
Unique in Azure: Storage account name must be unique within Azure
No two storage accounts can have the same name
Other Globally Unique Names:
Azure SQL Database server names
Azure Cosmos DB account names
Azure App Service app names

70
Azure Storage Services - Scenarios
Scenario Solution
You need persistent storage for virtual machine disks Azure Disks
You need to synchronize on-premises file shares with Azure, Azure File Sync
maintaining accessibility for on-premises applications
You need to store and analyze large-scale data for big data analytics Data Lake Storage
You need high-performance storage with low latency and high Premium Storage Account
throughput
You need to store data that is very rarely accessed but must be Archive Storage
retained for long periods. You want to keep costs as low as possible.
Can you change access tier of an object at any time? Yes. You can change access tiers of
an object at any point in time.
Is it possible to create multiple storage accounts with same name in No. Storage account names are
different resource groups? globally unique in Azure.

71
Database Fundamentals

72
Databases Primer
Databases provide organized and persistent storage for your
data
To choose between different database types, we would need
to understand:
Availability
Durability
RTO
RPO
Consistency
Transactions etc
Let's get started on a simple journey to understand these

73
Database - Getting Started
Imagine a database deployed in a data center in
London
Let's consider some challenges:
Challenge 1: Your database will go down if the data center
crashes or the server storage fails
Challenge 2: You will lose data if the database crashes

74
Database - Snapshots
Let's automate taking copy of the database
(take a snapshot) every hour to another data
center in London
Let's consider some challenges:
Challenge 1: Your database will go down if the data
center crashes
Challenge 2 (PARTIALLY SOLVED): You will lose data if
the database crashes
You can setup database from latest snapshot. But depending on
when failure occurs you can lose up to an hour of data
Challenge 3(NEW): Database will be slow when you
take snapshots

75
Database - Transaction Logs
Let's add transaction logs to database and
create a process to copy it over to the second
data center
Let's consider some challenges:
Challenge 1: Your database will go down if the data
center crashes
Challenge 2 (SOLVED): You will lose data if the
database crashes
You can setup database from latest snapshot and apply
transaction logs
Challenge 3: Database will be slow when you take
snapshots

76
Database - Add a Standby
Let's add a standby database in the
second data center with replication
Let's consider some challenges:
Challenge 1 (SOLVED): Your database will go
down if the data center crashes
You can switch to the standby database
Challenge 2 (SOLVED): You will lose data if
the database crashes
Challenge 3 (SOLVED): Database will be slow
when you take snapshots
Take snapshots from standby.
Applications connecting to master will get good
performance always

77
Availability and Durability
Availability
Will I be able to access my data now and when I need it?
Percentage of time an application provides the operations expected of it
Durability
Will my data be available after 10 or 100 or 1000 years?
Examples of measuring availability and durability:
4 9's - 99.99
11 9's - 99.999999999
Typically, an availability of four 9's is considered very good
Typically, a durability of eleven 9's is considered very good

78
Availability
Availability Downtime (in a month) Comment
99.95% 22 minutes
99.99% (4 9's) 4 and 1/2 minutes Typically online apps aim for 99.99% (4 9's) availability
99.999% (5 9's) 26 seconds Achieving 5 9's availability is tough

79
Durability
What does a durability of 11 9's
mean?
If you store one million files for ten million
years, you would expect to lose one file
Why should durability be high?
Because we hate losing data
Once we lose data, it is gone

80
Increasing Availability and Durability of Databases
Increasing Availability:
Have multiple standbys available OR
distribute the database
in multiple Zones
in multiple Regions
Increasing Durability:
Multiple copies of data (standbys,
snapshots, transaction logs and replicas)
in multiple Zones
in multiple Regions
Replicating data comes with its own
challenges!
We will talk about them a little later

81
Database Terminology : RTO and RPO
Imagine a financial transaction being lost
Imagine a trade being lost
Imagine a stock exchange going down for an hour
Typically businesses are fine with some downtime but they
hate losing data
Availability and Durability are technical measures
How do we measure how quickly we can recover from
failure?
RPO (Recovery Point Objective): Maximum acceptable period of data loss
RTO (Recovery Time Objective): Maximum acceptable downtime
Achieving minimum RTO and RPO is expensive
Trade-off based on the criticality of the data

82
Question - RTO and RPO
You are running an application in VM instance storing its data on a persistent
data storage. You are taking snapshots every 48 hours. If the VM instance
crashes, you can manually bring it back up in 45 minutes from the snapshot.
What is your RTO and RPO?
RTO - 45 minutes
RPO - 48 hours

83
Achieving RTO and RPO - Failover Examples
Scenario Solution
Very small data loss (RPO - 1 minute) Hot standby - Automatically synchronize data
Very small downtime (RTO - 5 minutes) Have a standby ready to pick up load
Use automatic failover from master to standby
Very small data loss (RPO - 1 minute) Warm standby - Automatically synchronize data
BUT I can tolerate some downtimes (RTO - 15 minutes) Have a standby with minimum infrastructure
Scale it up when a failure happens
Data is critical (RPO - 1 minute) but I can tolerate Create regular data snapshots and transaction
downtime of a few hours (RTO - few hours) logs
Create database from snapshots and transactions
logs when a failure happens
Data can be lost without a problem (for example: cached Failover to a completely new server
data)

84
(New Scenario) Reporting and Analytics Applications
New reporting and analytics applications are being
launched using the same database
These applications will ONLY read data
Within a few days you see that the database
performance is impacted
How can we fix the problem?
Vertically scale the database - increase CPU and memory
Create a database cluster (Distribute the database) - Typically
database clusters are expensive to setup
Create read replicas - Run read only applications against read
replicas

85
Consistency
How do you ensure that data in multiple database instances
(standbys and replicas) is updated simultaneously?
Strong consistency - Synchronous replication to all replicas
Will be slow if you have multiple replicas or standbys
Eventual consistency - Asynchronous replication. A little lag -
few seconds - before the change is available in all replicas
In the intermediate period, different replicas might return different values
Used when scalability is more important than data integrity
Examples : Social Media Posts - Facebook status messages, Twitter tweets,
Linked in posts etc
Read-after-Write consistency - Inserts are immediately
available
However, updates would have eventual consistency

86
Database Categories
There are several categories of databases:
Relational (OLTP and OLAP), Document, Key Value, Graph, In Memory among others
Choosing type of database for your use case is not easy. A few
factors:
Do you want a fixed schema?
Do you want flexibility in defining and changing your schema? (schemaless)
What level of transaction properties do you need? (atomicity and consistency)
What kind of latency do you want? (seconds, milliseconds or microseconds)
How many transactions do you expect? (hundreds or thousands or millions of
transactions per second)
How much data will be stored? (MBs or GBs or TBs or PBs)
and a lot more...

87
Relational Databases
This was the only option until a
decade back!
Most popular (or unpopular) type of
databases
Predefined schema with tables and
relationships
Very strong transactional capabilities
Used for
OLTP (Online Transaction Processing) use
cases and
OLAP (Online Analytics Processing) use
cases

88
Relational Database - OLTP (Online Transaction Processing)
Applications where large number of users make large
number of small transactions
small data reads, updates and deletes
Use cases:Most traditional applications - ERP, CRM, e-
commerce, banking
Popular databases:
MySQL, Oracle, SQL Server etc
Recommended Azure Managed Services:
Azure SQL Database: Managed Microsoft SQL Server
Azure Database for MySQL: Managed MySQL
Azure Database for PostgreSQL: Managed PostgreSQL

89
Azure SQL Database
Fully Managed Service for Microsoft SQL Server
99.99% availability
Built-in high availability, automatic updates and backups
Flexible and responsive serverless compute
Hyperscale (up to 100 TB) storage

90
Azure database for MySQL
Fully managed, scalable MySQL database
Supports 5.6, 5.7 and 8.0 community editions of MySQL
99.99% availability
Choose single zone or zone redundant high availability
Automatic updates and backups
Typically used as part of LAMP (Linux, Apache, MySQL,
PHP/Perl/Python) stack

91
Azure Database for PostgreSQL
Fully managed, intelligent and scalable PostgreSQL
99.99% availability
Choose single zone or zone redundant high availability
Automatic updates and backups
Single Server and Hyperscale Options
Hyperscale: Scale to hundreds of nodes and execute queries across
multiple nodes

92
Relational Database - OLAP (Online Analytics Processing)
Applications allowing users to analyze petabytes of data
Examples : Reporting applications, Data ware houses, Business
intelligence applications, Analytics systems
Sample application : Decide insurance premiums analyzing data from last
hundred years
Data is consolidated from multiple (transactional) databases
Recommended Azure Managed Service
Azure Synapse Analytics: Petabyte-scale distributed data ware house
Provides a unified experience for developing end-to-end analytics solutions - Data
integration + Enterprise data warehousing + Big data analytics
Enables MPP (massively parallel processing)
Run complex queries across petabytes of data
Earlier called Azure SQL Data Warehouse

93
Relational Databases - OLAP vs OLTP
OLAP and OLTP use similar data structures
BUT very different approach in how data is
stored
OLTP databases use row storage
Each table row is stored together
Efficient for processing small transactions
OLAP databases use columnar storage
Each table column is stored together
High compression - store petabytes of data efficiently
Distribute data - one table in multiple cluster nodes
Execute single query across multiple nodes -
Complex queries can be executed efficiently

94
NoSQL Databases
New approach (actually NOT so new!) to building your databases
NoSQL = not only SQL
Flexible schema
Structure data the way your application needs it
Let the schema evolve with time
Horizontally scale to petabytes of data with millions of TPS
NOT a 100% accurate generalization but a great starting point:
Typical NoSQL databases trade-off "Strong consistency and SQL features" to
achieve "scalability and high-performance"
Azure Managed Service:
Azure Cosmos DB

95
Azure Cosmos DB
Fully managed NoSQL database service
Global database: Automatically replicates data across multiple Azure
regions
Schemaless
Single-digit millisecond response times
99.999-percent availability
Automatic scaling (serverless)
Supports APIs for MongoDB (document), Cassandra (key/value) and
Gremlin (graph)

96
In-memory Databases
Retrieving data from memory is much faster than retrieving
data from disk
In-memory databases like Redis deliver microsecond latency
by storing persistent data in memory
Recommended Azure Managed Service
Azure Cache for Redis
Use cases : Caching, session management, gaming leader
boards, geospatial applications

97
Databases - Summary
Database Type Azure Services Description
Relational OLTP Azure SQL Database, Azure Transactional usecases needing predefined
databases Database for MySQL, Azure schema and very strong transactional
Database for PostgreSQL etc. capabilities (Row storage)
Relational OLAP Azure Synapse Analytics Columnar storage with predefined schema.
databases Datawarehousing & BigData workloads
NoSQL Databases Azure Cosmos DB Apps needing quickly evolving structure
(schema-less)
MongoDB (document), Cassandra (key/value)
and Gremlin (graph)
In memory Azure Cache for Redis Applications needing microsecond responses
databases/caches

98
Databases - Scenarios
Scenario Solution
A start up with quickly evolving schema (table Cosmos DB
structure)
Single-digit millisecond response times for global Cosmos DB
application with millions of users
Transactional local database processing thousands Azure SQL Database OR Azure Database for MySQL OR
of transactions per second Azure Database for PostgreSQL etc.
Cache data (from database) for a web application Azure Cache for Redis
Database for analytics processing of petabytes of Azure Synapse Analytics
data

99
Networking

100
Need for Virtual Network
In a corporate network or an on-premises data center:
Can anyone on the internet see the data exchange between the
application and the database?
No
Can anyone from internet directly connect to your database?
Typically NO.
You need to connect to your corporate network and then access your
applications or databases.
Corporate network provides a secure internal
network protecting your resources, data and
communication from external users
How do you do create your own private network in
the cloud?
Enter Azure Virtual Network

101
Azure Virtual Network
Your own isolated network in Azure
Network traffic within a Virtual Network is isolated (not visible) from all
other Azure Virtual Networks
Each Virtual Network is created in a Region
You control all the traffic coming in and going outside a
Virtual Network
(Best Practice) Create all your Azure resources (compute,
storage, databases etc) within a Virtual Network
Secure resources from unauthorized access AND
Enable secure communication between your cloud resources

102
Need for Subnets
Different resources are created on cloud
Databases, Compute (VMs) etc
Each type of resource has its own access needs
Load Balancers are accessible from internet (public resources)
Databases or VM instances should NOT be accessible from internet
ONLY applications within your virtual network should be able to access
them(private resources)
How do you separate public resources from private resources inside
a Virtual Network?
(Solution) Create different subnets for public and private resources
Resources in a public subnet CAN be accessed from internet
Resources in a private subnet CANNOT be accessed from internet
BUT resources in public subnet can talk to resources in private subnet
103
Things to Remember - Virtual Network
Every VM in a VNet is assigned a private IP address
You can assign a public IP address and make it static as well!
VMs in the same VNet can communicate using private IP
addresses
Even if they are in different subnets
Network peering can be use to connect resources in different
Virtual Networks
Peered Virtual Networks can be in different regions

104
Azure network security

105
Azure DDoS
(DDoS) attack: Large scale attacks to bring your apps down
Result: App goes down or become slow. Huge bill because of unlimited auto scaling.
Two Azure DDoS offerings:
DDoS Protection Basic: Protects against common network layer attacks
Intelligently identifies and blocks DDoS attacks
Enabled by default
No extra cost
DDoS Protection Standard:
Mitigates 60 different DDoS attack types
Provides attack analytics, metrics, alerting and reporting
Get quick support from DDoS Protection Rapid Response (DRR) team
Get a Cost guarantee ( Receive service credit if DDoS attack results in scale-out)
Enable it on the Azure virtual network
DDoS Protection Standard + Web Application Firewall = Powerful combination that protects at:
Network layer (Layer 3 and 4, Azure DDoS Protection Standard)
Application layer (Layer 7, WAF)

106
Azure Firewall
Managed network security service to control traffic in and out of a
Azure Virtual Network
Stateful: Once traffic in is allowed, traffic out is automatically allowed
Centralized Configuration: With one Azure firewall, you can control traffic to
multiple virtual networks (having hundreds of resources) across multiple
subscriptions
Example : If your enterprise has 10 virtual networks (across multiple subscriptions) with 100 VMs,
you can control traffic with one Azure Firewall
Integrates with Azure Monitor: Provides logging and analytics
(REMEMBER) Web application firewall (WAF)
Restrict traffic into web applications
OWASP etc
Supported by Azure Application Gateway, Azure Content Delivery Network

107
Network Security Groups (NSG)
Azure Firewall is an external firewall - outside your Virtual Network
Network Security Group (NSG) is like a internal firewall inside your Virtual Network
right before your resources
Multiple inbound and outbound security rules:
Allow or block traffic based on source/destination IP address, protocol and port
Restrict traffic between resources such as virtual machines and subnets
Attached with subnets and network interfaces
Usecases : Allow access to web server only on port 80 and port 443
(HTTP/HTTPS)
Restrict database access only to web servers. Do NOT allow direct access to
database from outside world/other servers.
Restrict outbound traffic from VMs to download software packages and system
updates

108
Azure Private Link and Private Endpoint
Let's consider a use case:
A web application is running on a VM deployed to a subnet in a VNet
Web application stores data in a SQL Database (An Azure Managed Service)
Need: All communication needs to be private (using private IP address)
SOLUTION: Setup private link and connect using private endpoint
Azure Private Link: Enables access to Azure PaaS Services (Azure
Storage, Azure Cosmos DB, Azure SQL Database, ..) from resources in
your VNet using private endpoints
All data that flows from a VM to SQL Database is isolated from the internet and stays
on the Microsoft back end

109
Bastion Host - What is it?
Bastion Host: A special-purpose server designed to provide
secure access to a private network from an external network
Secure Access: Acts as a gateway, allowing secure access to
internal resources
Monitoring: Often equipped with monitoring and logging to
track access and activity
Bastion Host in Major Cloud Platforms:
AWS: AWS Bastion Host
Azure: Azure Bastion
Google Cloud: Google Cloud IAP (Identity-Aware Proxy)

110
Azure Networking - Scenarios
Scenario Solution
You need to create a secure, isolated network in the cloud, similar to your Azure Virtual Network
corporate network
You want to connect resources in different Virtual Networks, potentially in Network Peering
different regions
You need protection against DDoS attacks for your applications Azure DDoS Protection (Basic
or Standard)
You want a managed network security service to control traffic across Azure Firewall
multiple virtual networks and subscriptions
You need to restrict traffic within your Virtual Network using internal Network Security Groups
firewalls (NSGs)
You need private access to Azure PaaS services from within your Virtual Azure Private Link and Private
Network Endpoint

111
Hybrid Cloud

112
Cloud Computing: Public vs Private vs Hybrid clouds
Cloud Computing
Public Cloud
You host everything in the cloud (You DO NOT need a data center anymore)
No Capital Expenditure required
Hardware resources are owned by Azure (Microsoft)
Hardware failures and security of the data center are managed by Azure (Microsoft)
Summary: Hardware owned by Azure and shared between multiple tenants
Tenants: Customers who rent infrastructure (You, Me and other enterprises)
Private Cloud
You host everything in your own data center
Needs Capital Expenditure
Incur staffing and maintenance expenses for infrastructure
Delivers higher level of security and privacy
Hybrid Cloud :
Combination of both (Public & Private)
Use Public Cloud for some workloads and Private cloud for others
Example: Connecting an on-premise app to Azure Cosmos DB
Provides you with flexibility: Go on-premises or cloud based on specific requirement

113
Hybrid Cloud: Connecting Azure with on-premises
Options: VPN and Azure ExpressRoute
Azure VPN: Encrypted connection from on-premises to Azure
over internet
Internet Based: Encrypted communication over Internet (public)
1: Point-to-site VPN: From a computer to Azure
2: Site-to-site VPN: From your on-premises VPN device or gateway to the
Azure VPN gateway in a virtual network
Needs VPN device or gateway on-premises
Need Azure VPN gateway in the Azure Virtual Network
Azure ExpressRoute: Private connectivity to Azure VNet
Does NOT use internet: Traffic does NOT go over internet
Provides very high bandwidth and very high security (private connection)
No encryption: Traffic is NOT encrypted by the connection

114
Azure Arc
Consider a use case:
Let's say I have Kubernetes deployments in multiple clouds and
on-premises
Managing these independently has a number of challenges
I want to manage these from a centralized location
Azure Specific Solution for Hybrid Cloud: Azure Arc
Manage multi cloud and on-premise infrastructure
from one place
Supports centralized management of: VMware
resources, Kubernetes clusters, SQL Server instances,
on-premise physical and virtual machines

115
VMWare - What is it?
VMWare: A leading provider of virtualization software
Virtualization: Allows multiple virtual machines (VMs) to run
on a single physical server
Key Features:
Hypervisor: Software that creates & manages VMs (e.g., VMware ESXi)
Resource Optimization: Efficiently uses hardware resources
Scalability: Easily create, modify, and scale VMs as needed
Isolation: Ensures each VM operates independently, without affecting
others
Cloud Support: VMWare solutions are supported in major cloud platforms,
enabling seamless migration to the cloud
AWS for VMware, Azure VMware Solution, Google Cloud VMware Engine

116
Hybrid Cloud - Scenarios
Scenario Solution
Type of cloud: You want to eliminate the need for a data center and use cloud Public Cloud
infrastructure
Type of cloud: You need dedicated infrastructure inside your data center Private Cloud
Type of cloud: You need to connect an on-premise application to Azure services like Hybrid Cloud
Cosmos DB
You need an encrypted connection from on-premises to Azure over the internet Site-to-site VPN
You need private, high-bandwidth connectivity to Azure without using the internet Azure
ExpressRoute
You have Kubernetes deployments across multiple clouds and on-premises and need Azure Arc
centralized management
You need centralized management for VMware resources, Kubernetes clusters, SQL Azure Arc
Server instances, and physical/virtual machines

117
Organizing and Managing
Azure Resources

118
Azure Resource Hierarchy
Hierarchy: Management Group(s) > Subscription (s) >
Resource Group (s) > Resources
Resources: VMs, Storage, Databases
Resource groups: Organize resources by grouping them into
Resource groups
Subscriptions: Manage costs for resources provisioned for
different teams or different projects or different business units
Management groups: Centralized management for access,
policy, and compliance across multiple subscriptions (https://docs.microsoft.com/)
Remember:
No hierarchy in resource groups BUT management groups can
have a hierarchy

119
Resource Groups
Resource Group: Logical container for resources
Associated with a single subscription
Can have multiple resources
(REMEMBER) A resource can be associated with one and only one resource group
Can have resources from multiple regions
Deleting it deletes all resources under it
Tags assigned to resource group are not automatically applied
to resources
HOWEVER, Permissions/Roles assigned to user at the resource group level
are inherited by all resources in the group
Resource Groups (like Management Groups) are free

120
Subscriptions
You need a Subscription to create resources in Azure
Subscription links Azure Account to its resources
An Azure Account can have multiple subscriptions and multiple
account administrators
When do you create a new subscription?
I want to manage different access-management policies for different environments:
Create different subscriptions for different environments
Manage distinct Azure subscription policies for each environment
I want to manage costs across different departments of an organization:
Create different subscriptions for different departments
Create separate billing reports and invoices for each subscription (or department) and manage costs
I'm exceeding the limits available per subscription
Example: VMs per subscription - 25,000 per region

121
Subscriptions - Remember
Two Subscriptions CANNOT be merged into one
HOWEVER, you can move resources from one to another (ex: VMs)
You can also transfer ownership of a subscription (Needs owner role)
If Subscription expires:
You will NOT be able to create new resources in the subscription
BUT you can continue to access the data stored
Each subscription is associated with quotas:
You can raise a support request to increase some of the quotas
You can convert a Free Trial to a Pay as you go subscription
Spending limit: Prevents spending over your credit amount
Azure free account (spending limit: $200) or credit subscription types have default
spending limits
You can't change spending limit BUT you can remove it

122
Management Groups
Allows you to manage access, policies, and
compliance across multiple subscriptions
Group subscriptions into Management Groups
All subscriptions & resources under a Management Group inherit
all constraints applied to it
(REMEMBER) You can create a hierarchy of
management groups
(REMEMBER) All subscriptions in a management group
should be associated with the same Azure AD tenant (https://docs.microsoft.com/)

123
Creating a Naming and Tagging Strategy
Managing Thousands of Resources:
Enterprises typically have thousands of cloud
resources
Questions to Address:
Who owns these resources?
Who tracks them?
Who is responsible for the costs?

124
Creating a Naming and Tagging Strategy - 2
1: Naming Pattern: Have a simple and consistent naming
pattern
2: Assign Multiple Tags: Assign tags to identify
Business unit, Application, Workload, Environment
Criticality level
Why?: Helps in quickly locating and managing resources
Implementation:
ARM templates: Use ARM templates to assign tags
Azure Policy: Utilize Azure Policy to enforce tagging rules and conventions

125
Core Azure identity services

126
Identity Management - What is it?
Diverse Resources: You have cloud resources and
internal/external applications
Varied Identities: Both human and non-human identities
need access to resources and perform actions
Example Actions: Launching, stopping, starting, or terminating a virtual
server; performing actions through an internal application
User Identification: How do you identify users?
User Permissions: How do you configure what resources they
can access? What actions they can perform?
Microsoft Entra ID (formerly Azure Active Directory): Provides
identity and access management services in Azure

127
Identity Management - Key Things to Know
Authentication: Is it the right user?
Authorization: Do they have the right access?
Challenge: Each app/service need to authenticate & authorize users
Localized Solutions?: Would it be efficient for each app and service to
store their own user details (including credentials)?
Centralized identity provider: What if we can store the user details
(including credentials) in a centralized way?
SSO (Single Sign-On): What if you can authenticate once and access
multiple apps and services?

128
Active Directory: What is it?
Active Directory: Very popular Microsoft's proprietary
directory service
Authentication and Authorization: Define users, credentials and their
access rights
Supports groups: Manage user permissions and access through group
policies
On-premises: Primarily used in on-premises environments for centralized
identity and access management
Active Directory Federation Services (AD FS): Enables SSO
Single Sign-On (SSO): Enables logging into multiple apps and services
with the same credentials
Convenience: Simplifies user experience by reducing the need to
remember multiple passwords

129
Microsoft Entra ID: What is it?
Microsoft Entra ID: Active Directory Service in Azure
Features:
Authentication and Authorization in Azure: Control internal/external users and
access to applications and Azure resources
Microsoft Entra MFA: Enable MFA - Multi Factor Authentication (Use 2 of 3
authentication methods)
Something you know, typically a password.
Something you have, trusted device
Something you are, fingerprint or face scan
Microsoft Entra self-service password reset: Global Administrators can enable the
feature to allow users to reset passwords by themselves
SSO: Enable applications to use Single Sign On

130
Role-Based Access Control (RBAC)
Configure Authorization: Which resources does a user
have access to and what can she do with them?
Role assignment has 3 parts:
Who? (principal)
What Permissions? (role)
What Scope? (resource OR resource group OR subscription OR
management group)
Example: Give permissions across multiple VMs
Create VMs in the same resource group (https://docs.microsoft.com/)
Assign role at resource group level

131
Role-Based Access Control (RBAC) - Multiple Levels
RBAC Scope can be
Resource OR
Resource Group OR
Subscription OR
Management Group
Recommended Approach: Azure role-based access
control (Azure RBAC) assignment at the management
group level
Why?: All subscriptions, resource groups, and resources (https://docs.microsoft.com/)
underneath that management group would also inherit those
permissions
Advantage: Simplified centralized access control

132
Microsoft Entra Connect: What is it?
Microsoft Entra Connect: Synchronize on-premises Active
Directory with Microsoft Entra ID
User Details Synchronization: Sync all user details, including
passwords
Unified Identity: Maintain a consistent identity across on-
premises and cloud environments
Seamless Integration: Ensures smooth interoperability
between on-premises and cloud directories
Hybrid Identity: Supports hybrid identity solutions, enabling
access to both on-premises and cloud resources

133
Exploring Microsoft Entra Domain Services
Active Directory (AD): Microsoft's very popular proprietary directory
service
Microsoft Entra ID: Managed Active Directory Service in Azure
Microsoft Entra ID is a toned down version of AD (works very
differently)
Microsoft Entra ID (flat structure) vs AD (hierarchical with organizational units - OUs
and group policy objects - GPOs)
Microsoft Entra ID (Web Based protocols - OAuth, SAML, Open ID) vs AD (Kerberos,
LDAP, NTLM)
What if you want use managed domain services (Domain joining,
group policy, LDAP, and Kerberos authentication) in Azure?
Use Microsoft Entra Domain Services

134
Exploring Microsoft Entra Conditional Access
When a user tries to authenticate, there are three important signals:
WHO is the user? (Administrator or Super User or User)
WHERE is she? (Which location? Is that a normal location for that user?)
WHAT device is she using? (Is this the device she usually logs in from?)
Can we build intelligence based on this information?
If the user is an administrator, mandate MFA
If the user is logging in from unapproved devices, deny access
If a user is logging in from a previously known location using a previously used
device, allow access without MFA
If a user is logging in from an unknown or unexpected location (different country,
for example), mandate MFA or even deny access
Conditional Access: Granular MFA experience

135
Passwordless authentication for Microsoft Entra ID
Complex security frustrates users: MFA - User
needs to remember passwords & have a
security device
How about simplifying security by going
passwordless?
Microsoft Entra ID - three options:
Windows Hello for Business: Credentials tied to PC (For
enterprise users who always perform tasks from their own PCs)
Microsoft Authenticator app: Uses employee's phone for
authentication (iOS or Android phone)
FIDO2(Fast IDentity Online) security keys
FIDO - open standard for passwordless authentication
FIDO2 - enables users to use common devices to authenticate to online
services (mobile and desktop)

136
Microsoft Entra ID & Azure Subscriptions - Remember
Subscription has a trust relationship with Microsoft Entra ID
Trusts Microsoft Entra ID to authenticate users, services, and devices
Multiple subscriptions can trust the same Microsoft Entra ID directory
However, each subscription can only trust only one directory
You can transfer an Azure subscription to a different Microsoft Entra
ID directory
When an Azure subscription expires:
Associated Microsoft Entra ID tenant is not deleted
You can link it with a different subscription

137
More Azure Security

138
Microsoft Defender for Cloud

Cloud security posture management (CSPM): Automate identification &

remediation of security risks of your cloud configuration
Cloud workload protection (CWP): Continuously monitor and fix threats to
workloads deployed in the cloud
Microsoft Defender for Cloud: Azure's solution for CSPM and CWP
Formerly called Azure Security Center
Protect your multicloud and hybrid cloud environments

139
Microsoft Defender for Cloud - Features

Continuous assessment - Understand your current security posture

Provides a secure score - higher the better
Secure - Harden all connected resources and services
Provides recommendations to improve your security posture
Automated fixes for many recommendations ("Fix" button)
Defend - Detect and resolve threats to resources and services
Detects threats to your resources and workloads
Get immediately alerted by e-mail and IT Service Management solutions

140
Exploring Just-in-Time (JIT) VM Access
Security Challenge: Open management ports, like RDP or SSH, are
potential targets for attacks
Our Goal: Reduce the attack surface of your virtual machines
Block Inbound Traffic: Prevent unwanted inbound traffic to your VMs
JIT VM Access: Enable Just-in-Time (JIT) VM Access
User Access Verification: When access is requested, Microsoft Defender for Cloud
verifies if the user has the appropriate permissions
Dynamic Configuration by Defender for Cloud: Network Security Groups (NSGs)
and Azure Firewall are configured to allow inbound traffic with constraints:
Permit access to the specified ports
Restrict access to the relevant IP address
Grant access for a specified amount of time

141
Security is Complex - CSPM vs SIEM vs SOAR
Cloud Security Posture Management (CSPM): Find
cloud misconfigurations by evaluating configurations
automatically and continuously
Best Practices: Check Adherence to best practices and
compliance rules
Security Information and Event Management (SIEM):
Collect and analyze log data from various sources to
identify potential threats
Security Automation, Orchestration, and Response
(SOAR): Prioritizes alerts based on threat levels
Automate responses to threats, when possible

142
Microsoft Sentinel - SIEM & SOAR
Comprehensive SIEM and SOAR Solution: Microsoft
Sentinel provides a powerful, cloud-native SIEM &
SOAR solution
SIEM: Security information and event management
SOAR: security orchestration, automation, and response
Centralized Security Dashboard: Provides Bird's-eye
security view across your enterprise
Modern SOC: Modernize your Security Operations
Center (SOC) with advanced threat detection,
investigation, and response capabilities

143
Microsoft Sentinel - SIEM & SOAR - 2
Scalable and Flexible: Elastically scale as your
organization grows, with no need for on-premises
infrastructure.
Event Storage: Store events in Azure Monitor Log
Analytics workspace or Azure Storage Account
Automation and Playbooks:
Automated Response: Automatically fix issues with built-in
automation capabilities
Playbooks: Use playbooks to automate and orchestrate
response actions

144
Azure Key Vault
Securely store and access secrets
Examples: API keys, passwords, certificates, or cryptographic keys
Provides access monitoring and access control for secrets
(Best Practice) Do NOT store secrets or passwords (example,
database passwords) in your application code or configuration
Use Azure Key Vault

145
Security Best Practice - Defense in Depth
A chain is only as strong as its weakest link - Secure
at all levels
Physical security: Control access to physical
infrastructure (Microsoft's Responsibility)
Identity and access: Proper Identities with RBAC. Use
SSO & MFA.
Perimeter: Azure DDoS Protection + Azure Firewall
Network: Limit network connectivity. Restrict internet
access (inbound and outbound).
Restrict communication between resources

146
Security Best Practice - Defense in Depth - 2
Compute:Secure access to virtual machines
Implement endpoint protection
Ensure that OS and software patches are applied
Application: Think of security from day one!
Implement security best practices depending on language and
framework
Store secrets in Azure Key Vault
Data: Encrypt data at rest and in transit
Best Practice: Implement security at all levels!

147
Zero Trust
Work (and employees) are increasingly going remote AND
Intensity and sophistication of cyber-attacks is growing everyday
How can enterprises prepare for this new reality?
Zero Trust: Microsoft's modern security strategy
Zero Trust Principles:
Verify explicitly: Use all info - identity, location, device, resource, data classification, time
Use least privilege access
Assume breach
A few best practices:
Apply zero trust: Human & non-human identities, networks, microservices, virtual machines, and workloads
End-to-end encryption
Continuous monitoring
Continuous updates to devices
Automated threat detection and response

148
Azure management tools

149
Azure Support Plans
Plans: Basic, Developer, Standard, Professional Direct (ProDirect)
Earlier plans - Premier, Professional Direct, Standard and Basic
Features supported for ALL plans
Billing and subscription management support
Ability to submit as many support tickets as you need
Azure Advisor (Automated Azure best practices)
Azure health status and notifications
24/7 self-help resources:
Documentation and community support (Forums - MSDN, StackOverflow)
Supported by Professional Direct ONLY
Support API (Create support tickets programmatically)
ProDirect delivery managers: Get proactive guidance. Request for service reviews
and advisory consultation.
Webinars led by Azure engineers

150
Azure Support Plans - Comparison
Feature Basic Developer Standard Professional Direct
Price FREE $ $$ $$$$$$
Scope All Trial and non- Production Business-critical
production environments applications
environments
Email & Phone NOT During business 24 X 7 24 X 7
support APPLICABLE hours by email only
Response time NOT Sev C:8 hours Sev C:8 hours, Sev B:4 Sev C:4 hours, Sev B:2
SLA APPLICABLE hours, Sev A: 1 hour hours, Sev A: 1 hour
Architecture NA General guidance General guidance Guidance from a pool of
Support ProDirect delivery
managers

151
Azure Advisor
Automated recommendations to improve reliability, security &
performance, achieve operational excellence & reduce costs
Take immediate actions or schedule or dismiss
Supports notifications for new recommendations
Filter recommendations by subscriptions, resource groups or service
Step-by-step guidance and quick actions for fast remediation
Gives you a total score: Score improves as you take remedial actions
Example Recommendations:
Reliability: Protect your VM data from accidental deletion (Identify VMs where backup isn't enabled)
Reliability: Create Azure Service Health alerts to be notified when Azure problems affect you
Cost optimization: Optimize VM spend by resizing or shutting down underutilized instances
Cost optimization: Optimize spend for MySQL, and PostgreSQL servers by right-sizing
Cost optimization: Delete unassociated public IP addresses to save money
Cost optimization: Use lifecycle management

152
Azure Monitor
Gather, analyze and visualize logs and metrics:
From Azure and on premise resources
Monitor resources across multiple subscriptions
Proactively identify issues and trigger alerts/automated actions
Things you can do with Azure Monitor:
Application Insights: Detect & diagnose application issues
VM insights: Monitor performance & health of your VMs and VM scale sets
Container insights: Monitor performance of container workloads (AKS, ACI etc)
Log Analytics: Trouble shoot issues using monitoring data extracted from logs
Create smart alerts (SMS, emails etc) and attempt to automatically take corrective action
Automatically send an alert if an Azure VM is stopped
Trigger alerts based on data in an Azure Log Analytics workspace
Auto scale based on thresholds
Create visualizations with Azure dashboards
Collect data from monitored resources using Azure Monitor Metrics
Monitor Azure Active Directory logs

153
Exploring Azure Log Analytics
Azure Monitor Logs: Collects log and
performance data from monitored resources
Where is the data stored?: Log Analytics workspace
You can use a single workspace for all your data collection
OR you can create multiple workspaces based on your location,
access and retention needs
Where does the data come from?: Azure Monitor and
other Azure services, such as Microsoft Sentinel and
Microsoft Defender for Cloud
Azure Log Analytics: Write and run log queries
on the data
Example 1: Aggregating logs from multiple VMs
Example 2: Analyzing logs from Microsoft Sentinel

154
Reliability and Predictability in the Cloud
Reliability: Ensuring continuous operation & automatic
recovery from failures
Multi-region Deployment: Deploy apps in multiple regions and zones
Automatic Recovery: Initiate automatic recovery actions in case of failures
Predictability: Ensuring consistent performance and costs
Performance Predictability:
Autoscaling: Automatically adjust resources based on demand
Load Balancing: Distribute traffic evenly across multiple servers
Cost Predictability:
Cost Estimation Tools: Use tools like Total Cost of Ownership (TCO) and Pricing
Calculator to estimate cloud spending
Resource Monitoring: Utilize Azure Monitor to track resource usage in real time

155
Azure Service Health
Personalized alerts and guidance for Azure service issues
Personalized based on your Azure usage - subscriptions, services and regions
Notifies about Azure service incidents & planned maintenance
Best place to know about outages, issues and planned maintenance
Best Practice: Set up Service Health alerts
Get notified about service issues
Channels: email, SMS, push notification, webhook etc
Hierarchy: Azure Status > Azure Service Health > Azure Resource
Health
Azure Status: Global view of the health of Azure services and regions
Azure Service Health : Personalized dashboard based on your Azure usage
Azure Resource Health : Provides information about the health of your individual
cloud resources such as a specific virtual machine instance
Azure service health can only inform (CANNOT prevent failure)

156
Azure Management Services - Scenarios
Scenario Solution
Get details of upcoming planned outages for services you are making use of Azure Service Health
Get details of services which will be decommissioned based on your Azure usage Azure Service Health
Get alerts for new recommendations to improve reliability, security and Azure Advisor
performance, achieve operational excellence and reduce costs
Set up alerts for incidents & planned outages for services you are making use of Azure Service Health
Set up alerts for issues specific to your resources - VM goes down or Database Azure Monitor
goes down or Autoscaling is triggered
Solve your application related issues Azure Monitor
(Application Insights)

157
Azure Management Services - Scenarios - 2
Scenario Solution
Get suggestions on how to reduce costs of your Azure resources Azure Advisor
Get suggestions on how to improve reliability of your Azure resources Azure Advisor
Get suggestions on how to improve security of your Azure resources Azure Advisor
You want to find out if you are adhering to recommended Azure best practices Azure Advisor
Track performance of a specific database or a VM instance Azure Monitor
Gather metrics that are tailored for your application Azure Monitor

158
Azure governance features

159
Azure Policy
How do you ensure that resources stay compliant with your
policies?
Create, assign, and manage policies
Automatically ensure that resources stay compliant with defined standards and SLAs
Manage compliance of resources across multiple subscriptions
Assigned to a management group, a single subscription, or a resource group
Initiatives: Group of policies
Azure provides some predefined initiatives:
Azure Security Benchmark, UK OFFICIAL and UK NHS, HIPAA etc
View them under Policy> Authoring > Definitions
Compliance dashboard: Aggregated view of the overall compliance
with options to drill down to specific resource/policy
Use cases: Governance for resource consistency, regulatory
compliance, security, cost, and management

160
Azure Policy - Examples and more..
Examples:
Only allow creation of VMs of specific sizes
Only allow creation of resources in a specific region
Automatically tag all resources in a resource group with the same tags as that of the
resource group
MFA should be mandatory for certain types of accounts
Existing non-compliant resources will be marked as non-compliant
But they will continue to work as is
Policy evaluation is NOT immediate
Approx: once every hour

161
Azure Blueprints
Azure Blueprint = One or more of (Policy + Role + ARM template +
Resource Group) configurations
Different pre-built blueprints available
Australian Government, UK OFFICIAL, Azure Security Benchmark, Basic Networking, Common
Policies (Set of popular policies to apply to a subscription), FedRAMP, HIPAA etc
Your architecture team can create blueprints adhering to your
organization's standards, patterns, and requirements
And your teams use the blueprints to create Azure resources
Blueprints can be assigned to individual subscriptions
Blueprints can be used to set up resource groups within subscriptions
Helps teams to quickly set up environments adhering to organizational standards
You can even setup an automated CI/CD pipeline

162
Cloud Adoption Framework for Azure

(https://docs.microsoft.com/)

163
Resource Locks
Prevent accidental deletion/modification of resources:
Applicable at multiple levels: subscription, resource group, or resource
Azure Resource inherits locks from its resource group and subscriptions
Two options: CanNotDelete and ReadOnly
Locked resource should be unlocked before it can be changed (even by owners)
Two Options:
ReadOnlyLock : Authorized users can read BUT they can't delete or update the
resource
CannotDelete : Authorized users can read and modify BUT they can't delete the
resource
Example : If a Resource Group has a Delete Lock, then administrator
can first remove DELETE lock before she can delete the resources
You can have multiple locks at different levels

164
The Need for Data Governance
Data Proliferation: Exponential growth of data makes
managing and securing data increasingly challenging
Regulatory Compliance: Compliance with regulations
- GDPR, HIPAA, .. is crucial to avoid penalties
Data Security: Protecting sensitive data from
breaches and unauthorized access is critical
Data Quality: Having high-quality data is important to
provide accurate analytics and business decisions
Data Lineage and Auditing: Track the origin,
movement, and transformation of data to ensure its
integrity and transparency

165
Microsoft Purview: Unified Data Governance in Azure
Unified Data Governance: Microsoft Purview provides
a comprehensive platform for data governance
Data Discovery and Classification: Automatically
discover and classify sensitive data in on-premises,
multi-cloud, and SaaS environments
Data Catalog: Build a data catalog that allows users to
easily find, understand, and consume data
Data Access Policies: Implement and enforce data
access policies to ensure data privacy and security
Integration: Seamlessly integrates with Microsoft 365,
Azure, ... to provide a unified governance experience

166
Privacy and Compliance

167
Azure - Privacy & Information Protection
Service/Documentation Description
Microsoft Privacy Explains the personal data Microsoft processes, how Microsoft processes it, and
Statement for what purposes.
Product Terms Site Terms and conditions for software and online services products.
Data Protection Your and Microsoft's obligations with respect to the processing and security of
Addendum Customer Data and Personal Data in connection with Azure
Search for DPA at https://www.microsoft.com/licensing/docs.
Covers Data transfer, Data retention, Data deletion and Data Security
Azure Information Classify and protect your documents and emails
Protection Add labels indicating what kind of protection/encryption you want
Uses Azure Rights Management (Azure RMS) - Integrates with Office 365, Azure
Active Directory etc
Protection stays with the documents and emails independent of the location,
networks, file servers, and applications

168
Compliance & Azure - Compliance Hub & more...
What is Compliance?
Depending on the domain of your enterprise, you need to adhere to several
industry and security standards (in addition to corporate and regulatory policies)
You are using services provided by Azure and storing data in Azure
What standards & regulations does Azure services adhere to?
Service Trust Portal: https://servicetrust.microsoft.com
How does Azure help you with compliance?
Azure Compliance Hub: https://docs.microsoft.com/en-us/azure/compliance/
Azure Security and Compliance Blueprints - Easily create environments compliant with different
standards - ISO:27001, PCI DSS etc
Azure Compliance Manager: Part of Service Trust Portal
Automates complete compliance lifecycle: Manage Risks, Implement Controls, Check compliance
against regulations and standards,Reporting to Auditors

169
Compliance & Azure - Important Standards to Remember
90+ Azure compliance offerings can be grouped into four segments:
Global, US government, industry specific, and region/country specific
50+ compliance offerings specific to global regions and countries (the US, the
European Union, Germany, etc.)
35+ compliance offerings specific to the needs of key industries ( health,
government, finance etc)
Important Standards to Remember:
International Organization for Standardization (ISO): ISO:27001 (Security controls),
ISO:27017(Security controls for use of cloud services), ISO:27701 (privacy standard), ISO:27018
(privacy on cloud)
Service Organization Compliance (SOC): SOC-1 (Auditing standard), SOC-2 (Assessment of service
provider controls)
General Data Protection Regulation (GDPR): Strengthens personal data protection in Europe
Health Insurance Portability & Accountability Act (HIPAA): Data privacy & security requirements for
organizations handling PHI
Payment Card Industry - Data Security Standards (PCI-DSS)

170
Azure & Compliance - A Quick Summary
Service Description
Service Trust Portal Independent audit reports for Microsoft's Cloud services
https://servicetrust.microsoft.com

Azure Compliance Hub Compliance offerings in Azure

https://docs.microsoft.com/en-us/azure/compliance/
Offers blueprints to simplify your compliance implementations
Azure Compliance Manager Manage your organization’s compliance requirements
Part of Service Trust Portal

171
Azure Sovereign Regions
Service Detail
Azure global What we are using until now!
Azure Cloud environment specifically built to meet compliance and security requirements for US
Government government
Examples: FedRAMP (Federal Risk and Authorization Management Program), NIST (National
Institute of Standards and Technology), ITAR (International Traffic in Arms Regulations), IRS
1075 (Internal Revenue Service), DoD (U.S. Department of Defense) L4, and CJIS (Criminal
Justice Information Services)
Uses physically isolated data centers and networks located in US
Only US government entities and contractors are eligible to use Azure Government services
Azure China Physically separated instance of cloud services located in China
Operated by 21Vianet (Azure China)
Complies with regulation in China (China Telecommunication Regulation)
Azure Physically isolated instance of Microsoft Azure in Germany. No longer accepting customers!
Germany

172
 Azure cost management -
planning and managing costs

173
Consumption-based vs Fixed-price Pricing Models
Consumption-based - You are billed for only what you use
Example: Azure Functions - You pay for no of invocations!
Fixed-price - You are billed for instances irrespective of
whether they are used or not
Example: You provision a VM instance
You pay for its lifetime irrespective of whether you use it or NOT
Example: App Service - You choose App Service plan (Basic, Standard or
Premium plans)
You are billed irrespective of whether you use it or not

174
Expenditure Models: CapEx vs OpEx
Capital Expenditure (CapEx): Money spent to buy
infrastructure
Additional cost to maintain infrastructure with time
You might need a team to manage the infrastructure
Example: Deploying your own data center with physical servers
Example: Purchasing Azure Reserved VM Instances
Example: Leasing Software
Operational Expenditure (OpEx): Money spent to use a
service or a product
Zero upfront costs
You Pay for services as you use them (Pay-as-you-go model)
Example: Provisioning VMs as you need them
Example: Using Azure Functions and paying for invocations

175
Total Cost of Ownership (TCO) calculator

Estimate the cost savings you get by migrating your workloads to Azure
1: Define your workloads: Enter the details of your on-premises workloads
Servers, Databases, Storage, Networking details
2:Adjust assumptions: Customize Electricity costs, Storage costs, IT labour
costs, Hardware costs, Software costs etc
3:View report: Side-by-side comparison of the cost breakdown

176
Pricing calculator
Estimate the costs for Azure services
Example Services that you can estimate costs for:
Virtual Machines
Storage Accounts
Azure SQL Database
App Service
Azure Cosmos DB
Azure Kubernetes Service (AKS)
Azure Functions
Ideal place to explore and learn important factors about
different Azure services

177
How is cost decided?
Factor Details
Resource type and How much memory? How much CPU? Which access tier?
configuration
Usage meters How long was your VM running for? How much ingress and How much egress?
How many invocations of an Azure function?
Azure subscription type Free trial vs Pay as you go vs Enterprise Agreement
Azure Marketplace Vendors decide pricing on Azure Marketplace
Which Region? Price varies from Region to Region
Data transfer Ingress and Egress
Inbound data from on-premises to Azure is free
Outbound data from Azure to On-Premises is NOT free
Data traffic between Azure Services in the same region/AZ is free
Reserved or Not Some services offer reservations ahead of time

178
Azure Cost Management
Setup and manage your account
Configure subscriptions, manage invoices and payment methods
Analyze and optimize cloud costs
Break down and analyze costs to get a deeper understanding of cost and usage
patterns
Control and optimize costs
Setup Budget and Cost Alerts

179
Managing Costs - Best Practices
Estimate costs before you deploy (Pricing Calculator)
Calculate TCO
Group resources based on cost ownership
Subscriptions, Resource Groups, Tags
Use Cost Management features
Cost analysis
Budgets and Cost alerts
Advisor recommendations
Stop Resources when you don't need them
(Remember) You pay for active resources
Even if you stop a VM, hard disks and data are still stored. You need to pay for storage.
Use Managed Services (PaaS >>> IaaS)
Reserve VMs for 1 or 3 years (Azure Reservations)

180
Requesting a Credit from Microsoft
Service Level Agreement (SLA): Describe
Microsoft’s commitments for uptime and
connectivity for Azure Services
Example: Single VM with Premium SSD or Ultra Disk:
99.9% Availability
What happens when Microsoft does not meet
the SLA?
Very Rare: Rare when Microsoft does not meet its SLA
What Should You Do?: Submit a support ticket with a
completed credit request form
Details Needed: Provide details like customer
tenant ID and proof of service impact

181
Understanding Costs in Azure - Scenarios
Scenario Solution
Fixed-price or Consumption-based: You are using Azure Functions and want to Consumption-based
pay for the number of invocations pricing
OpEx or CapEx: You are deploying your own data center with physical servers Capital Expenditure
(CapEx)
OpEx or CapEx: You are using Azure Functions and paying for invocations Operational Expenditure
(OpEx)
You want to estimate cost savings when you migrate to Azure Use the TCO calculator
You need to estimate costs for Virtual Machines, Storage Accounts, Azure SQL Use the Pricing Calculator
Database, etc.
You want to break down and analyze last month costs in Azure Use Azure Cost
Management
You need to control and optimize costs with budgets and cost alerts Use Azure Cost
Management

182
More Azure

183
Tags
Identify applications, environments or business units that a
specific resource is associated with
Report and track costs for a group of resources by assigning them with the
same tag
Group resources based on their SLA, security or compliance requirements
Best Practice: Identify mandatory tags that all resources
should have and enforce it using Azure Policy
Example: Environment, BusinessUnit, Priority
Tags for Resources are not inherited by default from their
Resource Group

184
Azure Virtual Desktop: Cloud Based Virtual Desktop
Azure Virtual Desktop: Desktop & application
virtualization service
Windows Operating Systems: Provides cloud-
hosted Windows experiences (Windows 11,
Windows 10, Windows Server 2022, 2019,
2016, etc.)
Ultimate Device Compatibility: Accessible
from almost any device and operating system,
offering flexibility for users.
Integration: Seamlessly integrates with
Microsoft Entra ID for role-based access
control(RBAC)

185
Azure Virtual Desktop: Advantages
Multi-Session Deployment: Enables multiple
concurrent users on a single VM, cutting costs
Efficient use of resources
Cost Efficiency: Pay only for the resources you
use, optimizing expenditure
Enhanced Security: Ensures data and
applications are securely stored in the cloud,
leaving nothing on the user's local machine

186
Azure Marketplace
Discover, try, and deploy the cloud software you want
https://azuremarketplace.microsoft.com
Customized and certified solutions optimized for Azure,
provided by Microsoft partners and other software vendors
Provision end-to-end solutions (applications and services)
Solutions under a variety of categories
Compute, Containers, Databases, Developer Tools, DevOps etc
Run Wordpress, RabbitMQ, CouchDB etc
Flexible Hourly Billing

187
Azure Migrate
Azure Migrate: Central hub to manage your Azure migration
A host of tools are offered under the umbrella of Azure Migrate
1: Azure Migrate - Discovery and assessment: Assess
migration for on-premises servers, applications, and data
2: Azure Migrate: Server Migration: Migrate your VMs (from
your data center and other clouds) to Azure
3: Azure Database Migration Service: Migrate databases to
Azure
4: Web app migration assistant : Migrate web apps to Azure
App Service
5: Azure Data Box: Offline data transfer to Azure

188
Azure Data Box: Physical migration to Azure
Migrate Huge Volumes of Data: What if you need to move tens
of Terabytes of data quickly to Azure?
Online transfer insufficient: What if online data transfer is too
slow?
Azure Data Box: Physical migration service
Recommended to transfer data sizes larger than 40 TBs
STEPS:
1: Order the Data Box device via the Azure portal
2: Copy data into it
3: Return it back to Microsoft
4: Data automatically uploaded once Microsoft receives the Data Box back

189
Azure Data Box Products: Provide Flexibility
Variety of Products: Move large amounts of
data offline to Azure
Data Box Disk: 8-TB SSD. Comes in packs of 5
for a total of 40 TB.
Data Box: 100-TB capacity
Data Box Heavy: Designed to lift 1 PB of data
to the cloud

190
Azure DNS - What does it do?
Steps: What would be the steps in setting up a
website with a domain name (for example,
in28minutes.com)?
Step I : Buy the domain name in28minutes.com
(Domain Registrar)
Step II : Setup your website content (Website Hosting)
Step III : Route requests to in28minutes.com to the my
website host server (DNS)
Azure DNS: Helps you route requests to
in28minutes.com to my website host server
(Step III)
Setup your DNS routing for in28minutes.com

191
Azure DNS - How does it work?
Configure Records: Where should traffic be
routed for in28minutes.com?
Route api.in28minutes.com to the IP address of api
server
Route static.in28minutes.com to the IP address of http
server
Route email ([email protected]) to the mail
server(mail.in28minutes.com)
TTL: Each record is associated with a TTL
(Time To Live)
How long is your mapping cached at the routers and
the client?

192
Content Delivery Network - What is it?
Slow Load Times: Users experience slow load times
when accessing content hosted far from their location
Global Audience: How to deliver content quickly to
your global audience?
Content Delivery Network (CDN): System of
distributed servers that deliver content to users based
on their geographic location
Global Distribution: Servers (edge locations) are spread across
multiple geographic locations
Caching: Stores copies of content closer to end-users to reduce
latency

193
Azure Front Door - What is it?
Azure Front Door: Microsoft’s modern cloud Content
Delivery Network (CDN)
Fast, reliable, and secure access: For your end users
to your applications’ static and dynamic web content
across the globe
Uses Microsoft’s global edge network: Delivers your
content to hundreds of global and local points of
presence (PoPs) distributed around the world

194
DevOps

195
DevOps

Getting Better at "Three Elements of Great Software Teams"

Communication - Get teams together
Feedback - Earlier you find a problem, easier it is to fix
Automation - Automate testing, infrastructure provisioning, deployment, and monitoring

196
DevOps - CI, CD
Continuous Integration
Continuously run your tests and packaging
Continuous Deployment
Continuously deploy to test environments
Continuous Delivery
Continuously deploy to production

197
Azure DevOps - CI, CD Tools
Azure Repos - Private source control (Git)
Alternative: GitHub - Public and Private Source Control
Azure Pipelines - Orchestrate CI/CD pipelines
Alternative: GitHub Actions
Azure Boards - Scrum, Agile and Kanban boards
Azure Artifacts - Artifact repository to store artifacts
Azure Test Plans - Automation Test tool to check software
quality
Integrate it into your CI/CD pipelines

198
DevOps - IAAC

Treat infrastructure the same way as application code

Track your infrastructure changes over time (version control)
Bring repeatability into your infrastructure
1: Infrastructure Provisioning
Provisioning compute, database, storage and networking
Open source cloud neutral - Terraform
Azure Service - Azure Resource Manager Templates (can also use Powershell or Azure CLI automation)
2: Configuration Management
Install right software and tools on the provisioned resources
Open Source Tools - Chef, Puppet, Ansible

199
Azure Resource Manager (ARM) templates - Introduction
Lets consider an example:
I would want to create a new VNet with two subnets
I want to provision a Load Balancer, Scale Set with 5 VM instances and an
Azure Cosmos DB database in the subnet
I would want to setup the right network security groups
AND I would want to create 4 environments
Dev, QA, Stage and Production!
Azure Resource Manager (ARM) templates can help you do all
these with a simple (actually NOT so simple) script!

200
Azure Resource Manager (ARM) templates - Advantages
Define resources in a JSON file - ARM template
Advantages:
Avoid configuration drift
Avoid mistakes with manual configuration
Think of it as version control for your environments
Declarative approach to Infrastructure as Code:
Understands dependencies and creates them in the right order
Parallelizes creation of resources when possible
Automatically rollback in case of failures
PowerShell and Bash scripts can also be used for IaaC
But they need step by step instructions
1: Do this
2: Do that..
And they don't handle failures very well

201
ARM Templates - JSON can be verbose
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"location": {
"type": "string",
"defaultValue": "[resourceGroup().location]"
},
"storageAccountName": {
"type": "string",
"defaultValue": "[format('toylaunch{0}', uniqueString(resourceGroup().id))]"
}
},
"resources": [
{
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2023-04-01",
"name": "[parameters('storageAccountName')]",
"location": "[parameters('location')]",
"sku": {
"name": "Standard_LRS"
},
"kind": "StorageV2",
"properties": {
"accessTier": "Hot"
}
}
]
}

202
Bicep - What is it?
Lets consider an example:
I would want to create a new VNet with two subnets
I want to provision a Load Balancer, Scale Set with 5 VM instances and an
Azure Cosmos DB database in the subnet
I would want to setup the right network security groups
AND I would want to create 4 environments
Dev, QA, Stage and Production!
AND I don't want the verbosity of JSON ARM Templates
Bicep: Domain-specific language (DSL) that uses declarative
syntax to deploy Azure resources

203
Bicep - An example file
param location string = resourceGroup().location
param storageAccountName string = 'toylaunch${uniqueString(resourceGroup().id)}'

resource storageAccount 'Microsoft.Storage/storageAccounts@2023-04-01' = {

name: storageAccountName
location: location
sku: {
name: 'Standard_LRS'
}
kind: 'StorageV2'
properties: {
accessTier: 'Hot'
}
}

Advantages:
Concise syntax
Support for code reuse
First-class authoring experience

204
Azure Resource Manager

(https://docs.microsoft.com/)
Deployment and management service for Azure
All actions to any resource in Azure go through ARM
Irrespective of where you are performing it from
Azure portal OR Powershell OR CLI or ARM template or ...

205
Azure Portal, PowerShell, CLI, Cloud Shell, & Mobile App
Tool Details
Azure Portal Web-based user interface. Great to get started BUT NO automation possible.
Runs in all modern desktop and tablet browsers
Azure Mobile App iOS and Android Apps (subset of features). Convenience of managing from anywhere.
Azure PowerShell Execute cmdlets (sequence of commands) and create scripts (PowerShell script)
Recommended for teams familiar with Windows administration
Cross-platform (Windows, Linux, and macOS)
Azure CLI Similar to Azure PowerShell BUT uses a different syntax (Bash Scripts)
Recommended for teams familiar with Linux administration (and Bash Scripts)
Cross-platform (Windows, Linux, and macOS)
Azure Cloud Shell Free Browser based interactive shell (Access from Azure Portal)
Common Azure tools pre-installed and configured to use with your account
Supports both PowerShell and CLI (bash)
Runs in all modern desktop and tablet browsers

206
Scenarios - Azure Portal, PowerShell, CLI ....
Scenario Solution
Can you run PowerShell scripts using Azure CLI? No. You can use either Azure Shell or Azure
PowerShell.
Which OS can Azure CLI, PowerShell, Cloud Shell and Windows, Linux and Mac
portal run on?
Where can Azure Cloud shell be accessed from? Browser-based shell - Access from desktops
(Windows, Mac, ChromeOS, Linux), mobile,
tablet.
Tool to analyze costs and run reports during a cost review Azure portal or Azure mobile app
meeting
Tool for one time testing, management, and Azure PowerShell, Azure CLI, Azure portal or
administrative actions (Ex: create a VM or create a group Azure mobile app
of resources)
Repeatedly set up resources across multiple environments ARM templates

207
DevTest Labs
Quickly provision development and test environments
Build Windows and Linux environments
Uses ARM templates: can be used to deploy anything in Azure
Compute - VMs etc
Storage
Databases ...
Can be integrated into your CI/CD pipelines
Set automated shutdowns to minimise costs
Usecases:
Quickly test your application with an old version of software or OS
Setup a quick load test environment for your app
Quickly provision 100 VMs for testing a specific scenario
Quickly provision environments for training and demos

208
Quick Review

209
Compute
Azure Service Name Description
Azure VMs Windows or Linux VMs (IaaS)
Use VMs when you need control over OS OR you want to run custom software
Azure VM Scale Sets Scaling for Azure VMs
Azure Load Balancer Balance load to multiple instances of an application or a service.
Typically listed in Networking category.
Azure App Service PaaS. Deploy web apps, mobile back ends and RESTful APIs quickly.
Azure Container Instances Run isolated containers, without orchestration.
You DO NOT need to provision and manage VMs. Start containers in seconds.
Azure Kubernetes Service Managed Kubernetes Service. Provides container orchestration.
Azure Service Fabric Microsoft's container orchestrator for cloud and on-premises.
Package, deploy, and manage scalable and reliable microservices
Azure Functions Serverless compute for event-driven apps

210
Networking
Azure Service Name Description
Azure Virtual Network Create your own private network in the cloud
Azure Firewall Stateful firewall to protect resources in your Azure Virtual Network
Azure DDoS Protection Protects Azure-hosted applications from DDOS attacks
Azure ExpressRoute Dedicated private connection from Azure to on-premises
Azure VPN Gateway Encrypt traffic between virtual network & on-premises
Traffic goes over Internet (public).
Azure DNS Manage your DNS records
Map Domain Name to IP Address
Azure Content Delivery Network Cache content on edge servers (POPs) located around the world
Minimize latency to global users

211
Storage
Service Description
Azure Disk storage Store disks attached to VMs.
Azure Blob storage Store unstructured data - video files, database archives etc.
Azure File storage Create file shares or file servers in the cloud
Azure Queue Decouple applications using a queue (asynchronous communication)
storage
Azure Table storage Store structure data using NoSQL approach (NON-relational). Schemaless. Key/attribute
store.

212
Databases
Service Description
Azure Cosmos DB NoSQL database. Globally distributed.
Azure SQL Database Relational database
Azure Database for MySQL Fully managed MySQL database
Azure Database for PostgreSQL Fully managed PostgreSQL database
Azure Database Migration Service Migrate databases to the cloud
Azure Cache for Redis Managed service for Redis

213
Key Benefits Enabled by Cloud Computing
Terminology Description
Elasticity Ability to automatically scale resources up or down based on demand
Agility Adapt to changing business needs. Quickly delivery software. Adapt new services rapidly.
Availability Are apps available when your users need them?
Scalability Can we handle a growth in users, traffic, or data size without any drop in performance?
Geo-distribution Distribute applications across regions and zones. Deliver content from the nearest geo
location.
Predictability Predictable performance and costs
Reliability Ability of a system to automatically recover from failures
Disaster How to keep your systems running in face of disasters?
Recovery

214
Get Ready

215
Certification Exam
Azure Fundamentals: Certification Home Page
Different Types of Multiple Choice Questions
Type 1 : Single Answer - 2/3/4 options & 1 right answer
Type 2 : Multiple Answer - 5 (or more) options and 2 (or
more) right answers
No penalty for wrong answers
Feel free to guess if you do not know the answer
40-60 questions and 80 minutes
Immediate Result: Result immediately shown
after exam completion
Detailed Email Later: Email with detailed
scores (a couple of days later)

216
Certification Exam - My Recommendations
Read the question: Read the entire question
Key Parts: Identify the key parts of the
question
Read all options: Read all answers at least
once
Eliminate wrong answers: If you do NOT
know the answer, eliminate wrong answers
first
Mark questions and Review: Mark questions
for future consideration and review them
before final submission

217
You are all set!

218
Let's clap for you!
You have a lot of patience! Congratulations
You have put your best foot forward to get Microsoft Certified - Azure
Fundamental
Make sure you prepare well and
Good Luck!

219
Do Not Forget!
Recommend the course to your friends!
Do not forget to review!
Your Success = My Success
Share your success story with me on LinkedIn (Ranga Karanam)
Share your success story and lessons learnt in Q&A with other learners!

220
Fastest Learning Roadmaps From in28minutes
Azure
AWS
Google Cloud
DevOps
Python
Java
Full Stack
Microservices
Spring Boot
Visit https://in28minutes.com/roadmaps

221