002 Azure Intro Azure Architecture and Services

azure concepts

Uploaded by devu02022002

AZ-900
Learning path 02: Azure architecture and services

© Copyright Microsoft Corporation. All rights reserved.


Learning path outline



Learning path 02―outline
You will learn the following concepts:

1 Azure architectural components
• Regions and availability zones
• Subscriptions and resource groups

2 Compute and networking
• Compute types
• Application hosting
• Virtual networking

3 Storage
• Storage services
• Redundancy options
• File management and migration

4 Identity, access, and security
• Directory services
• Authentication methods
• Security models


Azure accounts

• Azure account
• Azure free account
• Azure free student account
• Microsoft Learn sandbox


Walkthrough―create an Azure account

Create a free Azure account.
1. Create a free Azure account.


Exercise―explore the Learn sandbox

Explore the Learn sandbox.
1. Activate the sandbox.
2. Use PowerShell.
3. Shift to BASH.
4. Shift to Azure Interactive mode.
5. Navigate the portal.


Azure architectural components


Core Azure architectural components―objective domain

• Describe Azure regions, region pairs, and sovereign regions.
• Describe Availability Zones.
• Describe Azure datacenters.
• Describe Azure resources and Resource Groups.
• Describe subscriptions.
• Describe management groups.
• Describe the hierarchy of resource groups, subscriptions, and management groups.


Regions

Azure offers more global regions than any other cloud provider, with 60-plus regions representing over 140 countries.

• Regions are made up of one or more datacenters in close proximity.
• They provide flexibility and scale to reduce customer latency.
• Regions preserve data residency with a comprehensive compliance offering.


Availability zones

• Provide protection against downtime due to datacenter failure.
• Physically separate datacenters within the same region.
• Each datacenter is equipped with independent power, cooling, and networking.
• Connected through private fiber-optic networks.

[Diagram: an Azure Region containing Availability Zone 1, Availability Zone 2, and Availability Zone 3.]

Region pairs

• At least 300 miles of separation between region pairs.
• Automatic replication for some services.
• Prioritized region recovery in the event of outage.
• Updates are rolled out sequentially to minimize downtime.
• Web link: https://aka.ms/PairedRegions

Region                    Paired region
North Central US          South Central US
East US                   West US
West US 2                 West Central US
US East 2                 Central US
Canada Central            Canada East
North Europe              West Europe
UK West                   UK South
Germany Central           Germany Northeast
South East Asia           East Asia
East China                North China
Japan East                Japan West
Australia Southeast       Australia East
India South               India Central
Brazil South (Primary)    South Central US

Azure sovereign regions (US government services)

Meets the security and compliance needs of US federal agencies, state and local governments, and their solution providers.

Azure Government:
• Separate instance of Azure.
• Physically isolated from non-US government deployments.
• Accessible only to screened, authorized personnel.


Azure sovereign regions (Azure China)

Microsoft is China’s first foreign public cloud service provider, in compliance with government regulations.

Azure China features:
• Physically separated instance of Azure cloud services operated by 21Vianet.
• All data stays within China to ensure compliance.


Walkthrough―explore the Azure global infrastructure

Explore the Azure global infrastructure.
1. Select Explore the Globe (after intro).
2. Notice the different icons (geography, regions, points of presence (PoP), and so on).
3. Find your location on the globe, then find the nearest PoP and region to your location.


Azure resources

Azure resources are components like storage, virtual machines, and networks that are available to build cloud solutions.

Examples: Virtual machines, Storage accounts, Virtual networks, App services, SQL databases, Functions.


Resource groups

A resource group is a container you use to manage and aggregate resources in a single unit.
• Resources can exist in only one resource group.
• Resources can exist in different regions.
• Resources can be moved to different resource groups.
• Applications can utilize multiple resource groups.

[Diagram: resource groups (web plus DB, VM, storage) in one resource group, OR separate "Web and DB", "Virtual machine" and "Storage" resource groups.]

Azure subscriptions

An Azure subscription provides you with authenticated and authorized access to Azure accounts.
• Billing boundary: Generate separate billing reports and invoices for each subscription.
• Access control boundary: Manage and control access to the resources that users can provision with specific subscriptions.

Management groups

• Management groups can include multiple Azure subscriptions.
• Subscriptions inherit conditions applied to the management group.
• 10,000 management groups can be supported in a single directory.
• A management group tree can support up to six levels of depth.

Exercise―create an Azure resource

Create an Azure resource and monitor the resource group for the required resources being created in the same group.
1. Create a virtual machine.
2. Monitor the resource group.


Compute and networking


Compute and networking―objective domain

Describe the benefits and usage:
• Compare compute types, including container instances, virtual machines, and functions.
• Describe virtual machine options, including virtual machines (VMs), virtual machine scale sets, virtual machine availability sets, and Azure Virtual Desktop.
• Describe the resources required for virtual machines.
• Describe application hosting options, including Azure Web Apps, containers, and virtual machines.
• Describe virtual networking, including the purpose of Azure Virtual Networks, Azure virtual subnets, peering, Azure DNS, VPN Gateway, and ExpressRoute.
• Define public and private endpoints.


Azure compute services

Azure compute is an on-demand service that provides computing resources such as disks, processors, memory, networking, and operating systems.

Services: Virtual Machines, App Services, Container Instances, Azure Kubernetes Service (AKS), Azure Virtual Desktop.


Azure virtual machines

Azure virtual machines (VMs) are software emulations of physical computers.
• Includes virtual processor, memory, storage, and networking.
• IaaS offering that provides total control and customization.


VM scale sets

Scale sets provide a load-balanced opportunity to automatically scale resources.
• Scale out when resource needs increase.
• Scale in when resource needs are lower.


VM availability sets



Exercise―create a virtual machine

Create a virtual machine in the Azure portal, connect to the virtual machine, install the web server role, and test.
1. Create the virtual machine.
2. Install the web server package.


Azure Virtual Desktop

Azure Virtual Desktop is a desktop and app virtualization service that runs in the cloud.
• Create a full desktop virtualization environment without having to run additional gateway servers.
• Reduce the risk of resources being left behind.
• True multisession deployments.


Azure container services

Azure containers provide a lightweight, virtualized environment that does not require operating system management, and can respond to changes on demand.

Azure Container Instances: A PaaS offering that runs a container or pod of containers in Azure.

Azure Container Apps: A PaaS offering, like container instances, that can load balance and scale.

Azure Kubernetes Service: An orchestration service for containers with distributed architectures and large volumes of containers.


Azure Functions

Azure Functions: A PaaS offering that supports serverless compute operations.
Event-based code runs when called without requiring server infrastructure during inactive periods.


Comparing Azure compute options

Virtual machines
• Cloud-based server that supports either Windows or Linux environments.
• Useful for lift-and-shift migrations to the cloud.
• Complete operating system package, including the host operating system.

Virtual Desktop
• Provides a cloud-based personal computer Windows desktop experience.
• Dedicated applications to connect and use, or accessible from any modern browser.
• Multiclient login allows multiple users to log into the same machine at the same time.

Containers
• Lightweight, miniature environment well suited for running microservices.
• Designed for scalability and resiliency through orchestration.
• Applications and services are packaged in a container that sits on top of the host operating system. Multiple containers can sit on one host OS.


Azure App Services

Azure App Services is a fully managed platform to build, deploy, and scale web apps and APIs quickly.
• Works with .NET, .NET Core, Node.js, Java, Python, or PHP.
• PaaS offering with enterprise-grade performance, security, and compliance requirements.


Azure networking services

Azure Virtual Network (VNet) enables Azure resources to communicate with each other, the internet, and on-premises networks.
• Public endpoints, accessible from anywhere on the internet.
• Private endpoints, accessible only from within your network.
• Virtual subnets segment your network to suit your needs.
• Network peering connects your private networks directly together.


Walkthrough―configure network access

Configure public access to the virtual machine created earlier.
1. Verify currently open ports.
2. Create a network security group.
3. Configure HTTP access (port 80).
4. Test the connection.
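To see why this walkthrough ends with only port 80 reachable from the internet, here is an added Python example (not code from the deck or from Microsoft) that evaluates NSG inbound rules the way Azure does: ascending priority, first match wins, and the built-in DenyAllInBound rule catches everything else. The VNet address range and the custom rule's name and priority are assumptions; the default rule names and priorities are Azure's.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Added example, not code from the deck: a minimal evaluator for the inbound
# rules of an Azure network security group (NSG). Azure walks rules in priority
# order (lowest number first) and stops at the first match; every NSG also
# carries default rules, and the last of them (DenyAllInBound, 65500) drops
# whatever no earlier rule allowed. The service-tag prefixes are constructed.
SERVICE_TAGS = {
    "VirtualNetwork": ["10.0.0.0/16"],          # constructed VNet address space
    "AzureLoadBalancer": ["168.63.129.16/32"],  # Azure's health-probe address
}


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # custom rules use 100-4096; lower number wins
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp" or "*"
    source: str        # "*", a CIDR prefix, or a service-tag name
    dest_ports: tuple  # inclusive (low, high) port ranges


# Default inbound rules present on every NSG (priorities 65000-65500).
DEFAULT_INBOUND = (
    Rule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", ((0, 65535),)),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "AzureLoadBalancer", ((0, 65535),)),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", ((0, 65535),)),
)


def source_matches(src_ip: str, source: str) -> bool:
    if source == "*":
        return True
    prefixes = SERVICE_TAGS.get(source, [source])
    return any(ip_address(src_ip) in ip_network(prefix) for prefix in prefixes)


def evaluate_inbound(custom_rules, src_ip: str, protocol: str, dst_port: int):
    """Return (access, rule_name) from the first matching rule in priority order."""
    for rule in sorted((*custom_rules, *DEFAULT_INBOUND), key=lambda r: r.priority):
        if rule.protocol not in ("*", protocol):
            continue
        if not any(low <= dst_port <= high for low, high in rule.dest_ports):
            continue
        if source_matches(src_ip, rule.source):
            return rule.access, rule.name
    raise RuntimeError("unreachable: DenyAllInBound matches everything")


# The walkthrough's only custom rule: HTTP (port 80) allowed from any source.
WALKTHROUGH_RULES = (Rule("allow-http", 300, "Allow", "Tcp", "*", ((80, 80),)),)

if __name__ == "__main__":
    for src, proto, port in (("203.0.113.7", "Tcp", 80), ("203.0.113.7", "Tcp", 22),
                             ("10.0.1.4", "Tcp", 22)):
        print(src, proto, port, "->", evaluate_inbound(WALKTHROUGH_RULES, src, proto, port))
```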


Azure networking services: VPN Gateway

VPN Gateway is used to send encrypted traffic between an Azure virtual network and an on-premises location over the public internet.


Azure networking services: ExpressRoute

ExpressRoute extends on-premises networks into Azure over a private connection that is facilitated by a connectivity provider.


Azure DNS

• Reliability and performance by leveraging a global network of DNS name servers using Anycast networking.
• Azure DNS security is based on Azure Resource Manager, enabling role-based access control, monitoring, and logging.
• Ease of use for managing your Azure and external resources with a single DNS service.
• Customizable virtual networks allow you to use private, fully customized domain names in your private virtual networks.
• Alias records support alias record sets to point directly to an Azure resource.


Storage


Storage―objective domain

Describe the benefits and usage:
• Compare Azure storage services.
• Describe storage tiers.
• Describe redundancy options.
• Describe storage account options and storage types.
• Identify options for moving files, including AzCopy, Azure Storage Explorer, and Azure File Sync.
• Describe migration options, including Azure Migrate and Azure Data Box.


Storage accounts

• Must have a globally unique name.
• Provide over-the-internet access worldwide.
• Determine storage services and redundancy options.


Storage redundancy

Redundancy configuration             Deployment                                                                                    Durability
Locally redundant storage (LRS)      Single datacenter in the primary region                                                       11 nines
Zone-redundant storage (ZRS)         Three availability zones in the primary region                                                12 nines
Geo-redundant storage (GRS)          Single datacenter in the primary and secondary region                                         16 nines
Geo-zone-redundant storage (GZRS)    Three availability zones in the primary region and a single datacenter in the secondary region    16 nines


Azure storage services

Azure Blob: Optimized for storing massive amounts of unstructured data, such as text or binary data.

Azure Disk: Provides disks for virtual machines, applications, and other services to access and use.

Azure Queue: Message storage service that provides storage and retrieval for large amounts of messages, each up to 64 KB.

Azure Files: Sets up a highly available network file share that can be accessed by using the Server Message Block protocol.

Azure Tables: Provides a key/attribute option for structured nonrelational data storage with a schema-less design.


Storage service public endpoints

Storage service          Public endpoint
Blob Storage             https://<storage-account-name>.blob.core.windows.net
Data Lake Storage Gen2   https://<storage-account-name>.dfs.core.windows.net
Azure Files              https://<storage-account-name>.file.core.windows.net
Queue Storage            https://<storage-account-name>.queue.core.windows.net
Table Storage            https://<storage-account-name>.table.core.windows.net
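As an added example (not part of the slide deck), the following Python builds the five public endpoints in this table from an account name and, in the other direction, picks storage-endpoint hosts out of constructed proxy-log lines so that traffic to accounts outside an allow-list can be flagged. The 3-24 lowercase alphanumeric account-name rule is Azure's published constraint rather than something the slide states; the log lines, account names and allow-list are constructed.

```python
import re

# Added example, not code from the AZ-900 deck. The hostname suffixes come from
# the "Storage service public endpoints" slide; the account-name rule (3-24
# lowercase letters and digits) is Azure's published constraint, not on the slide.
ENDPOINT_SERVICES = {
    "blob": "Blob Storage",
    "dfs": "Data Lake Storage Gen2",
    "file": "Azure Files",
    "queue": "Queue Storage",
    "table": "Table Storage",
}
ACCOUNT_NAME_RE = re.compile(r"^[a-z0-9]{3,24}$")
ENDPOINT_HOST_RE = re.compile(
    r"^([a-z0-9]{3,24})\.(blob|dfs|file|queue|table)\.core\.windows\.net$"
)


def public_endpoints(account: str) -> dict:
    """Map each storage service to the public URL at which this account exposes it."""
    if not ACCOUNT_NAME_RE.match(account):
        raise ValueError(f"invalid storage account name: {account!r}")
    return {
        service: f"https://{account}.{sub}.core.windows.net"
        for sub, service in ENDPOINT_SERVICES.items()
    }


def classify_host(host: str):
    """Return (account, service) if host is an Azure Storage public endpoint, else None."""
    match = ENDPOINT_HOST_RE.match(host.strip().lower().rstrip("."))
    if not match:
        return None
    return match.group(1), ENDPOINT_SERVICES[match.group(2)]


def unexpected_storage_accounts(log_lines, allowed_accounts) -> dict:
    """Scan 'timestamp client host path' proxy lines; return accounts not on the allow-list
    together with the storage services that were contacted."""
    seen = {}
    for line in log_lines:
        fields = line.split()
        if len(fields) < 3:
            continue
        classified = classify_host(fields[2])
        if classified and classified[0] not in allowed_accounts:
            seen.setdefault(classified[0], set()).add(classified[1])
    return seen


# Constructed proxy log lines for the example (not real traffic).
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z 10.0.1.4 contosodata.blob.core.windows.net /reports/q1.csv",
    "2024-05-01T10:00:07Z 10.0.1.4 contosodata.queue.core.windows.net /jobs/messages",
    "2024-05-01T10:02:13Z 10.0.1.9 unlisted7x.blob.core.windows.net /backup/archive.zip",
    "2024-05-01T10:02:20Z 10.0.1.9 unlisted7x.dfs.core.windows.net /backup",
    "2024-05-01T10:03:00Z 10.0.1.9 login.microsoftonline.com /common/oauth2/token",
]
ALLOWED = {"contosodata"}  # constructed allow-list of the organisation's own accounts

if __name__ == "__main__":
    print(public_endpoints("contosodata"))
    print(unexpected_storage_accounts(SAMPLE_LOG, ALLOWED))
```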


Azure storage access tiers

Hot: Optimized for storing data that is accessed frequently.
Cool: Optimized for storing data that is infrequently accessed and stored for at least 30 days.
Cold: Optimized for storing data that is infrequently accessed and stored for at least 90 days.
Archive: Optimized for storing data that is rarely accessed and stored for at least 180 days with flexible latency requirements.


Exercise―create a storage blob

Create a storage account with a blob storage container. Work with blob files.
1. Create a storage account.
2. Create a blob container.
3. Upload and access a blob.


Azure Migrate

• Unified migration platform.
• Range of integrated and standalone tools.
• Assessment and migration.


Azure Data Box

• Store up to 80 terabytes of data.
• Move your disaster recovery backups to Azure.
• Protect your data in a rugged case during transit.
• Migrate data out of Azure for compliance or regulatory needs.
• Migrate data to Azure from remote locations with limited or no connectivity.

File management options

AzCopy
• Command-line utility.
• Copy blobs or files to or from your storage account.
• One-direction synchronization.

Azure Storage Explorer
• Graphical user interface (similar to Windows Explorer).
• Compatible with Windows, MacOS, and Linux.
• Uses AzCopy to handle file operations.

Azure File Sync
• Synchronizes Azure and on-premises files in a bidirectional manner.
• Cloud tiering keeps frequently accessed files local, while freeing up space.
• Rapid reprovisioning of a failed local server (install and resync).


Identity, access, and security


Identity, access, and security―objective domain

Describe the benefits and usage:
• Describe directory services in Azure, including Microsoft Entra ID and Microsoft Entra Domain Services.
• Describe authentication methods in Azure, including single sign-on (SSO), multifactor authentication (MFA), and passwordless.
• Describe external identities and guest access in Azure.
• Describe Entra Conditional Access.
• Describe role-based access control (RBAC).
• Describe the concept of Zero Trust.
• Describe the purpose of the defense in depth model.
• Describe the purpose of Microsoft Defender for Cloud.


Microsoft Entra ID

Microsoft Entra ID is Microsoft Azure’s cloud-based identity and access management service.
• Authentication (employees sign in to access resources).
• Single sign-on (SSO).
• Application management.
• Business to Business (B2B).
• Device management.


Microsoft Entra Domain Services

• Gain the benefit of cloud-based domain services without managing domain controllers.
• Run legacy applications (that can’t use modern auth standards) in the cloud.
• Automatically sync from Microsoft Entra ID.



Compare authentication and authorization

Authentication
• Identifies the person or service seeking access to a resource.
• Requests legitimate access credentials.
• Basis for creating secure identity and access control principles.

Authorization
• Determines an authenticated person’s or service’s level of access.
• Defines which data they can access, and what they can do with it.


Multifactor authentication

Provides additional security for your identities by requiring two or more elements for full authentication.
• Something you know
• Something you possess
• Something you are


Microsoft Entra External ID B2B



Azure AD External Identities B2C



Conditional Access

Conditional Access is used to bring signals together, to make decisions, and to enforce organizational policies. Signals include:
• User or group membership
• IP location
• Device
• Application
• Risk detection
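As an added example, not Microsoft's policy engine or code from the deck, the following Python combines the five signals listed on this slide into one access decision the way a Conditional Access policy does: block, grant, or grant once a control such as MFA or a compliant device is satisfied. The named location, groups, app names and the three policies are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Added example, not Microsoft's engine or code from the deck: a toy evaluator
# that turns the signals the slide lists (user/group membership, IP location,
# device, application, risk detection) into a single decision. The named
# location, groups, apps and policies are constructed.
NAMED_LOCATIONS = {"corp-hq": ["198.51.100.0/24"]}
RISK_LEVELS = ("none", "low", "medium", "high")


@dataclass(frozen=True)
class SignIn:
    user: str
    groups: frozenset
    ip: str
    device_compliant: bool
    app: str
    risk: str  # one of RISK_LEVELS


@dataclass(frozen=True)
class Policy:
    name: str
    control: str                     # "block", "require_mfa" or "require_compliant_device"
    groups: frozenset = frozenset()  # empty means every user
    apps: frozenset = frozenset()    # empty means every app
    exclude_locations: frozenset = frozenset()
    min_risk: str = "none"           # fire only at this risk level or above


def in_location(ip: str, location: str) -> bool:
    return any(ip_address(ip) in ip_network(p) for p in NAMED_LOCATIONS[location])


def applies(policy: Policy, s: SignIn) -> bool:
    if policy.groups and not (policy.groups & s.groups):
        return False
    if policy.apps and s.app not in policy.apps:
        return False
    if any(in_location(s.ip, loc) for loc in policy.exclude_locations):
        return False
    return RISK_LEVELS.index(s.risk) >= RISK_LEVELS.index(policy.min_risk)


def evaluate(policies, s: SignIn):
    """Return (decision, required_controls, matched_policy_names). Any matching block
    policy wins; a compliant-device requirement the device cannot meet also blocks."""
    matched = [p for p in policies if applies(p, s)]
    controls = sorted({p.control for p in matched if p.control != "block"})
    names = [p.name for p in matched]
    if any(p.control == "block" for p in matched):
        return "block", controls, names
    if "require_compliant_device" in controls and not s.device_compliant:
        return "block", controls, names
    return "grant", controls, names


POLICIES = (
    Policy("Block high-risk sign-ins", "block", min_risk="high"),
    Policy("Require MFA off the corporate network", "require_mfa",
           exclude_locations=frozenset({"corp-hq"})),
    Policy("Finance Portal needs a compliant device", "require_compliant_device",
           groups=frozenset({"finance"}), apps=frozenset({"Finance Portal"})),
)
```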


Role-based access control

• Fine-grained access management.
• Segregate duties within the team and grant only the amount of access to users that they need to perform their jobs.
• Enables access to the Azure portal and controls access to resources.

[Diagram: users, apps and user groups in Microsoft Entra ID are granted access at the Azure subscription and resource group scopes.]
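The following Python is an added example (not code from the deck) that ties this slide to the management-group and resource-group slides earlier in the path: a scope tree in which a role assignment made at a management group is inherited by every subscription and resource group beneath it, and in which nesting management groups deeper than six levels is rejected. The tenant layout, principals and role names are constructed.

```python
# Added example, not code from the deck. Two rules from the slides are modelled:
# conditions (here, role assignments) applied at a management group flow down to
# every subscription and resource group beneath it, and a management-group tree
# may be at most six levels deep (the tenant root group does not count).
MAX_MG_DEPTH = 6


class Scope:
    def __init__(self, kind: str, name: str, parent=None):
        self.kind, self.name, self.parent = kind, name, parent  # kind: root, mg, subscription, rg
        self.children, self.assignments = [], []
        if kind == "mg" and self.mg_depth() > MAX_MG_DEPTH:
            raise ValueError(f"{name}: management group tree deeper than {MAX_MG_DEPTH} levels")
        if parent is not None:
            parent.children.append(self)

    def mg_depth(self) -> int:
        """Management groups on the path from the tenant root to this scope, itself included."""
        depth, node = 0, self
        while node is not None:
            if node.kind == "mg":
                depth += 1
            node = node.parent
        return depth

    def assign(self, principal: str, role: str) -> None:
        self.assignments.append((principal, role))

    def effective_roles(self, principal: str) -> set:
        """Roles a principal holds here: assigned at this scope or inherited from an ancestor."""
        roles, node = set(), self
        while node is not None:
            roles.update(role for who, role in node.assignments if who == principal)
            node = node.parent
        return roles


def build_tenant():
    """Root -> 'Production' management group -> one subscription -> two resource groups."""
    root = Scope("root", "Tenant Root Group")
    prod = Scope("mg", "Production", root)
    sub = Scope("subscription", "sub-prod-01", prod)
    web_rg = Scope("rg", "web-rg", sub)
    db_rg = Scope("rg", "db-rg", sub)
    root.assign("security-team", "Reader")       # inherited by everything in the tenant
    prod.assign("platform-team", "Contributor")  # inherited by the subscription and both RGs
    db_rg.assign("dba-team", "Contributor")      # db-rg only; web-rg is unaffected
    return root, prod, sub, web_rg, db_rg


def seventh_level_rejected(root) -> bool:
    """Nest six management groups under the root (allowed); creating a seventh raises."""
    node = root
    for level in range(1, MAX_MG_DEPTH + 1):
        node = Scope("mg", f"level-{level}", node)
    try:
        Scope("mg", "level-7", node)
    except ValueError:
        return True
    return False
```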


Zero Trust



Defense in depth

• A layered approach to securing computer systems.
• Provides multiple levels of protection.
• Attacks against one layer are isolated from subsequent layers.

Layers, from outermost to innermost: Physical security, Identity and access, Perimeter, Network, Compute, Application, Data.


Microsoft Defender for Cloud

Microsoft Defender for Cloud is a monitoring service that provides threat protection across both Azure and on-premises datacenters.
• Provides security recommendations.
• Detects and blocks malware.
• Analyzes and identifies potential attacks.
• Just-in-time access control for ports.

Knowledge check

Populate with instructions to use the polling tool of your choice.

Learning path 2
1. Use your smartphones or mobile devices.
2. Go to (insert polling app link of your choice).
3. Enter code: 123-45-678.
4. Please participate in the quiz for this section.

Which one?
A) Azure Portal
B) PowerShell
C) Local Tool


Learning path 02 review

Microsoft Learn Modules (learn.microsoft.com/training)
• Physical and management infrastructure of Microsoft Azure
• Compute and networking services
• Storage services
• Identity, access, and security