Azure Fundamentals

Uploaded by

debjeet ghosh

AZ-900: Microsoft Azure Fundamentals

1. What is cloud computing?


2. Shared responsibility model:

3. Cloud models

a. Public cloud:
i. No capital expenditures to scale up
ii. Applications can be quickly provisioned and deprovisioned
iii. Organizations pay only for what they use
iv. Organizations don’t have complete control over resources and security
b. Private cloud:
i. Organizations have complete control over resources and security
ii. Data is not collocated with other organizations’ data
iii. Hardware must be purchased for startup and maintenance
iv. Organizations are responsible for hardware maintenance and updates
c. Hybrid cloud:
i. Provides the most flexibility
ii. Organizations determine where to run their applications
iii. Organizations control security, compliance, or legal requirements

d. Multi-cloud: A fourth, and increasingly likely scenario is a multi-cloud scenario. In a multi-cloud scenario,
you use multiple public cloud providers. Maybe you use different features from different cloud providers. Or
maybe you started your cloud journey with one provider and are in the process of migrating to a different
provider. Regardless, in a multi-cloud environment you deal with two (or more) public cloud providers and
manage resources and security in both environments.

e. Azure Arc: Azure Arc is a set of technologies that helps manage your cloud environment. Azure Arc can
help manage your cloud environment, whether it's a public cloud solely on Azure, a private cloud in your
datacenter, a hybrid configuration, or even a multi-cloud environment running on multiple cloud providers at
once.

f. Azure VMware Solution

What if you’re already established with VMware in a private cloud environment but want to migrate to a
public or hybrid cloud? Azure VMware Solution lets you run your VMware workloads in Azure with seamless
integration and scalability.

4. Consumption-based model
5. Describe the benefits of high availability and scalability in the cloud
a. High availability
b. Scalability
i. Horizontal
ii. Vertical
6. Describe the benefits of reliability and predictability in the cloud
a. Reliability
b. Predictability
7. Describe the benefits of security and governance in the cloud
a. Whether you’re deploying infrastructure as a service or software as a service, cloud features support
governance and compliance. Things like set templates help ensure that all your deployed resources meet
corporate standards and government regulatory requirements. Plus, you can update all your deployed
resources to new standards as standards change. Cloud-based auditing helps flag any resource that’s out of
compliance with your corporate standards and provides mitigation strategies. Depending on your operating
model, software patches and updates may also automatically be applied, which helps with both governance
and security.
b. On the security side, you can find a cloud solution that matches your security needs. If you want maximum
control of security, infrastructure as a service provides you with physical resources but lets you manage the
operating systems and installed software, including patches and maintenance. If you want patches and
maintenance taken care of automatically, platform as a service or software as a service deployments may be
the best cloud strategies for you.
c. And because the cloud is intended as an over-the-internet delivery of IT resources, cloud providers are
typically well suited to handle things like distributed denial of service (DDoS) attacks, making your network
more robust and secure.
8. Management of the cloud
a. Automatically scale resource deployment based on need.
b. Deploy resources based on a preconfigured template, removing the need for manual configuration.
c. Monitor the health of resources and automatically replace failing resources.
d. Receive automatic alerts based on configured metrics, so you’re aware of performance in real time.

9. Management in the cloud


a. Through a web portal.
b. Using a command line interface.
c. Using APIs.
d. Using PowerShell.

10. Describe Infrastructure as a Service


Infrastructure as a service (IaaS) is the most flexible category of cloud services, as it provides you the maximum amount of
control for your cloud resources. In an IaaS model, the cloud provider is responsible for maintaining the hardware,
network connectivity (to the internet), and physical security. You’re responsible for everything else: operating system
installation, configuration, and maintenance; network configuration; database and storage configuration; and so on. With
IaaS, you’re essentially renting the hardware in a cloud datacenter, but what you do with that hardware is up to you.

a. Lift-and-shift migration: You’re standing up cloud resources similar to your on-prem datacenter, and then
simply moving the things running on-prem to running on the IaaS infrastructure.
b. Testing and development: You have established configurations for development and test environments that
you need to rapidly replicate. You can stand up or shut down the different environments rapidly with an IaaS
structure, while maintaining complete control.
11. Describe Platform as a Service

In a PaaS environment, the cloud provider maintains the physical infrastructure, physical security, and connection to the
internet. They also maintain the operating systems, middleware, development tools, and business intelligence services
that make up a cloud solution. In a PaaS scenario, you don't have to worry about the licensing or patching for operating
systems and databases.

PaaS is well suited to provide a complete development environment without the headache of maintaining all the
development infrastructure.

a. Development framework: PaaS provides a framework that developers can build upon to develop or customize
cloud-based applications. Similar to the way you create an Excel macro, PaaS lets developers create
applications using built-in software components. Cloud features such as scalability, high-availability, and multi-
tenant capability are included, reducing the amount of coding that developers must do.
b. Analytics or business intelligence: Tools provided as a service with PaaS allow organizations to analyze and
mine their data, finding insights and patterns and predicting outcomes to improve forecasting, product design
decisions, investment returns, and other business decisions.
12. Describe Software as a Service

Software as a service (SaaS) is the most complete cloud service model from a product perspective. With SaaS, you’re
essentially renting or using a fully developed application. Email, financial software, messaging applications, and
connectivity software are all common examples of a SaaS implementation.

a. Email and messaging.


b. Business productivity applications.
c. Finance and expense tracking.

CORE ARCHITECTURE COMPONENTS OF AZURE


1. Azure Benefits
a. Be ready for the future: Continuous innovation from Microsoft supports your development today and
your product visions for tomorrow.
b. Build on your terms: You have choices. With a commitment to open source, and support for all languages
and frameworks, you can build how you want and deploy where you want.
c. Operate hybrid seamlessly: On-premises, in the cloud, and at the edge, we'll meet you where you are.
Integrate and manage your environments with tools and services designed for a hybrid cloud solution.
d. Trust your cloud: Get security from the ground up, backed by a team of experts, and proactive compliance
trusted by enterprises, governments, and startups.

2. Sandbox:
a. Commands:
i. Get-Date
1. Gets the date in PowerShell (the PowerShell prompt is signified by PS at the
start of the line). To switch to PowerShell from bash, use the command: pwsh.
ii. az version
1. Most Azure CLI commands start with az. This command prints the installed version of the
Azure CLI and its extensions. Output:
{
  "azure-cli": "2.56.0",
  "azure-cli-core": "2.56.0",
  "azure-cli-telemetry": "1.1.0",
  "extensions": {
    "ai-examples": "0.2.5",
    "ml": "2.22.0",
    "ssh": "2.0.2"
  }
}

iii. Bash: (Bash is case sensitive)


1. Switch to the bash shell in the sandbox. In bash mode, the command line starts with: yash [ ~ ]$
2. date: command to get the date in bash
iv. Switch to interactive mode, which offers auto-completion: az interactive
v. To exit from interactive mode: exit
3. Physical architecture
a. Datacenters are grouped into Azure Regions or Azure Availability Zones that are designed to help you
achieve resiliency and reliability for your business-critical workloads.
b. Regions:
i. A region is a geographical area on the planet that contains at least one, but potentially multiple
datacenters that are nearby and networked together with a low-latency network. Azure
intelligently assigns and controls the resources within each region to ensure workloads are
appropriately balanced.
c. NOTE: Some services or virtual machine (VM) features are only available in certain regions, such as specific
VM sizes or storage types. There are also some global Azure services that don't require you to select a
particular region, such as Microsoft Entra ID, Azure Traffic Manager, and Azure DNS.
d. Availability Zones: Availability zones are physically separate datacenters within an Azure region. Each
availability zone is made up of one or more datacenters equipped with independent power, cooling, and
networking. An availability zone is set up to be an isolation boundary. If one zone goes down, the other
continues working. Availability zones are connected through high-speed, private fiber-optic networks.
i. NOTE: To ensure resiliency, a minimum of three separate availability zones are present in all
availability zone-enabled regions. However, not all Azure Regions currently support availability
zones.
ii. Availability zones are primarily for VMs, managed disks, load balancers, and SQL databases. Azure
services that support availability zones fall into three categories:
1. Zonal services: You pin the resource to a specific zone (for example, VMs, managed disks,
IP addresses).
2. Zone-redundant services: The platform replicates automatically across zones (for
example, zone-redundant storage, SQL Database).
3. Non-regional services: Services are always available from Azure geographies and are
resilient to zone-wide outages as well as region-wide outages.
e. Region pairs: Most Azure regions are paired with another region within the same geography (such as US,
Europe, or Asia) at least 300 miles away. Pairing helps reduce the likelihood of interruptions because of
events such as natural disasters, civil unrest, power outages, or physical network outages that affect an
entire region. For example, if a region in a pair was affected by a natural disaster, services would
automatically fail over to the other region in its region pair. Examples of region pairs in Azure are West US
paired with East US and South-East Asia paired with East Asia.
f. Additional advantages of region pairs:
i. If an extensive Azure outage occurs, one region out of every pair is prioritized to make sure at
least one is restored as quickly as possible for applications hosted in that region pair.
ii. Planned Azure updates are rolled out to paired regions one region at a time to minimize
downtime and risk of application outage.
iii. Data continues to reside within the same geography as its pair (except for Brazil South) for tax-
and law-enforcement jurisdiction purposes.

g. NOTE: Not all Azure services automatically replicate data or automatically fall back from a failed region to
cross-replicate to another enabled region. In these scenarios, recovery and replication must be
configured by the customer.
h. NOTE: Directional: Most regions are paired in two directions, meaning they are the backup for the region
that provides a backup for them (West US and East US back each other up). However, some regions, such
as West India and Brazil South, are paired in only one direction. In a one-direction pairing, the Primary
region does not provide backup for its secondary region. So, even though West India’s secondary region is
South India, South India does not rely on West India. West India's secondary region is South India, but
South India's secondary region is Central India. Brazil South is unique because it's paired with a region
outside of its geography. Brazil South's secondary region is South Central US. The secondary region of
South Central US isn't Brazil South.
i. Sovereign Regions: Sovereign regions are instances of Azure that are isolated from the main instance of
Azure. You may need to use a sovereign region for compliance or legal purposes. Examples:
i. US DoD Central, US Gov Virginia, US Gov Iowa and more: These regions are physical and logical
network-isolated instances of Azure for U.S. government agencies and partners. These
datacenters are operated by screened U.S. personnel and include additional compliance
certifications.
ii. China East, China North, and more: These regions are available through a unique partnership
between Microsoft and 21Vianet, whereby Microsoft doesn't directly maintain the datacenters.
4. Azure Management infrastructure
a. Azure resources and resource groups: A resource is the basic building block of Azure. Anything you create,
provision, deploy, etc. is a resource. Virtual Machines (VMs), virtual networks, databases, cognitive
services, etc. are all considered resources within Azure.
b. Important points for resource groups:
i. A single resource can only be part of a single resource group.
ii. When you move a resource from one group to another, it is no longer part of the old resource
group. Resource groups cannot be nested.
c. Azure subscriptions: In Azure, subscriptions are a unit of management, billing, and scale. Like how
resource groups are a way to logically organize resources, subscriptions allow you to logically organize
your resource groups and facilitate billing. An Azure subscription links to an Azure account, which is an
identity in Microsoft Entra ID or in a directory that Microsoft Entra ID trusts. An account can have multiple
subscriptions, but it’s only required to have one. In a multi-subscription account, you can use the
subscriptions to configure different billing models and apply different access-management policies.
Types of subscription boundaries:
i. Billing boundary: This subscription type determines how an Azure account is billed for using
Azure. You can create multiple subscriptions for different types of billing requirements. Azure
generates separate billing reports and invoices for each subscription so that you can organize and
manage costs.
ii. Access control boundary: Azure applies access-management policies at the subscription level, and
you can create separate subscriptions to reflect different organizational structures. An example is
that within a business, you have different departments to which you apply distinct Azure
subscription policies. This billing model allows you to manage and control access to the resources
that users provision with specific subscriptions.
d. Purposes for creating Azure subscriptions:
i. Environments: You can choose to create subscriptions to set up separate environments for
development and testing, security, or to isolate data for compliance reasons. This design is
particularly useful because resource access control occurs at the subscription level.
ii. Organizational structures: You can create subscriptions to reflect different organizational
structures. For example, you could limit one team to lower-cost resources, while allowing the IT
department a full range. This design allows you to manage and control access to the resources
that users provision within each subscription.
iii. Billing: You can create additional subscriptions for billing purposes. Because costs are first
aggregated at the subscription level, you might want to create subscriptions to manage and track
costs based on your needs. For instance, you might want to create one subscription for your
production workloads and another subscription for your development and testing workloads.

e. Management groups: Azure management groups provide a level of scope above subscriptions. You
organize subscriptions into containers called management groups and apply governance conditions to the
management groups. All subscriptions within a management group automatically inherit the conditions
applied to the management group, the same way that resource groups inherit settings from subscriptions
and resources inherit from resource groups. Management groups give you enterprise-grade management
at a large scale, no matter what type of subscriptions you might have. Management groups can be nested.
i. Some examples of how you could use management groups might be:
1. Create a hierarchy that applies a policy. You could limit VM locations to the US West
Region in a group called Production. This policy will inherit onto all the subscriptions that
are descendants of that management group and will apply to all VMs under those
subscriptions. This security policy can't be altered by the resource or subscription owner,
which allows for improved governance.
2. Provide user access to multiple subscriptions. By moving multiple subscriptions under a
management group, you can create one Azure role-based access control (Azure RBAC)
assignment on the management group. Assigning Azure RBAC at the management group
level means that all sub-management groups, subscriptions, resource groups, and
resources underneath that management group would also inherit those permissions. One
assignment on the management group can enable users to have access to everything they
need instead of scripting Azure RBAC over different subscriptions.
ii. Important facts about management groups:
1. 10,000 management groups can be supported in a single directory.
2. A management group tree can support up to six levels of depth. This limit doesn't include
the root level or the subscription level.
3. Each management group and subscription can support only one parent.
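The inheritance rules in this section (conditions applied at a management group flow down to every subscription, resource group and resource beneath it; groups nest at most six levels below the root; every scope has exactly one parent) can be modelled directly. This is an added illustrative model, not the Azure API or the notes' own code; the scope names, policy labels and sample tree are constructed.

```python
"""Model of the Azure scope hierarchy described above: management groups
(nestable, one parent each, at most six levels below the root), subscriptions,
resource groups and resources. Conditions (policy or RBAC assignments) attached
at any scope are inherited by everything beneath it. Constructed example only."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MAX_MG_DEPTH = 6  # levels of management groups below the root, per the notes


@dataclass
class Scope:
    name: str
    kind: str                       # "root", "mg", "subscription", "rg", "resource"
    parent: Optional["Scope"] = None
    assignments: List[str] = field(default_factory=list)  # policy / RBAC labels


class Hierarchy:
    def __init__(self) -> None:
        self.root = Scope("Tenant Root Group", "root")
        self.scopes: Dict[str, Scope] = {self.root.name: self.root}

    def _mg_depth(self, scope: Scope) -> int:
        """Number of management groups from `scope` up to (excluding) the root."""
        depth = 0
        while scope.kind == "mg":
            depth += 1
            scope = scope.parent
        return depth

    def add(self, name: str, kind: str, parent_name: str) -> Scope:
        """Create a scope under `parent_name`, enforcing the structural rules."""
        if name in self.scopes:
            raise ValueError(f"{name!r} already exists: a scope has exactly one parent")
        parent = self.scopes[parent_name]
        allowed = {"root": {"mg", "subscription"}, "mg": {"mg", "subscription"},
                   "subscription": {"rg"}, "rg": {"resource"}, "resource": set()}
        if kind not in allowed[parent.kind]:
            raise ValueError(f"cannot place a {kind} under a {parent.kind}")
        if kind == "mg" and self._mg_depth(parent) + 1 > MAX_MG_DEPTH:
            raise ValueError("management group tree exceeds six levels")
        scope = Scope(name, kind, parent)
        self.scopes[name] = scope
        return scope

    def assign(self, scope_name: str, label: str) -> None:
        self.scopes[scope_name].assignments.append(label)

    def effective(self, scope_name: str) -> List[str]:
        """Assignments in force at a scope: its own plus every ancestor's,
        listed root-first so inherited entries come before local ones."""
        chain, scope = [], self.scopes[scope_name]
        while scope is not None:
            chain.append(scope)
            scope = scope.parent
        out: List[str] = []
        for s in reversed(chain):
            out.extend(s.assignments)
        return out


def build_sample() -> Hierarchy:
    """Constructed tree mirroring the 'Production' example in the notes."""
    h = Hierarchy()
    h.add("Production", "mg", "Tenant Root Group")
    h.add("Prod-Web", "mg", "Production")
    h.add("sub-web-01", "subscription", "Prod-Web")
    h.add("rg-frontend", "rg", "sub-web-01")
    h.add("vm-web-1", "resource", "rg-frontend")
    h.add("sub-dev-01", "subscription", "Tenant Root Group")
    # One policy and one RBAC assignment at the management group, as in the notes;
    # neither can be removed by the subscription or resource owner below it.
    h.assign("Production", "policy:allowed-locations=westus")
    h.assign("Production", "rbac:Reader=ops-team")
    h.assign("sub-web-01", "rbac:Contributor=web-team")
    return h
```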

5. Azure virtual machines


a. VMs are an ideal choice when you need:
i. Total control over the operating system (OS).
ii. The ability to run custom software.
iii. To use custom hosting configurations.

b. Virtual machine scale sets: Scale sets allow you to centrally manage, configure, and update a large
number of VMs in minutes. The number of VM instances can automatically increase or decrease in
response to demand, or you can set it to scale based on a defined schedule. Virtual machine scale sets
also automatically deploy a load balancer to make sure that your resources are being used efficiently.
With virtual machine scale sets, you can build large-scale services for areas such as compute, big data, and
container workloads.
c. Virtual machine availability sets: Availability sets are designed to ensure that VMs stagger updates and
have varied power and network connectivity, preventing you from losing all your VMs with a single
network or power failure.
d. Types of domains for availability sets:
i. Update domain: The update domain groups VMs that can be rebooted at the same time. This
allows you to apply updates while knowing that only one update domain grouping will be offline at
a time. All of the machines in one update domain will be updated. An update group going through
the update process is given a 30-minute time to recover before maintenance on the next update
domain starts.
ii. Fault domain: The fault domain groups your VMs by common power source and network switch.
By default, an availability set will split your VMs across up to three fault domains. This helps
protect against a physical power or networking failure by having VMs in different fault domains
(thus being connected to different power and networking resources).
e. Examples of when to use VMs
i. During testing and development. VMs provide a quick and easy way to create different OS and
application configurations. Test and development personnel can then easily delete the VMs when
they no longer need them.
ii. When running applications in the cloud. The ability to run certain applications in the public cloud
as opposed to creating a traditional infrastructure to run them can provide substantial economic
benefits. For example, an application might need to handle fluctuations in demand. Shutting down
VMs when you don't need them or quickly starting them up to meet a sudden increase in demand
means you pay only for the resources you use.
iii. When extending your datacenter to the cloud: An organization can extend the capabilities of its
own on-premises network by creating a virtual network in Azure and adding VMs to that virtual
network. Applications like SharePoint can then run on an Azure VM instead of running locally. This
arrangement makes it easier or less expensive to deploy than in an on-premises environment.
iv. During disaster recovery: As with running certain types of applications in the cloud and extending
an on-premises network to the cloud, you can get significant cost savings by using an IaaS-based
approach to disaster recovery. If a primary datacenter fails, you can create VMs running on Azure
to run your critical applications and then shut them down when the primary datacenter becomes
operational again.

f. VM Resources: When you provision a VM, you’ll also have the chance to pick the resources that are
associated with that VM, including:
i. Size (purpose, number of processor cores, and amount of RAM)
ii. Storage disks (hard disk drives, solid state drives, etc.)
iii. Networking (virtual network, public IP address, and port configuration)
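The update-domain and fault-domain behaviour described under availability sets above can be simulated: VMs are spread round-robin across both kinds of domain, a fault takes out one fault domain, and a rolling update takes one update domain offline at a time. This is an added constructed model, not Azure's placement algorithm; the three-fault-domain cap comes from the notes, while the five update domains and the VM names are assumptions for the sample.

```python
"""Placement of VMs in an availability set across fault domains (FD) and update
domains (UD). Constructed model: Azure's real allocator is not reproduced."""
from typing import Dict, List, Tuple

FAULT_DOMAINS = 3      # "up to three fault domains" per the notes
UPDATE_DOMAINS = 5     # assumed count for this example

Placement = Dict[str, Tuple[int, int]]   # vm name -> (fault domain, update domain)

SAMPLE_VMS = [f"web-{i}" for i in range(1, 7)]   # constructed VM names


def place(vm_names: List[str], fds: int = FAULT_DOMAINS,
          uds: int = UPDATE_DOMAINS) -> Placement:
    """Assign each VM a (fault_domain, update_domain) pair, round-robin."""
    return {name: (i % fds, i % uds) for i, name in enumerate(vm_names)}


def survivors_after_fault(placement: Placement, failed_fd: int) -> List[str]:
    """VMs still running when one fault domain loses power or its switch."""
    return [vm for vm, (fd, _) in placement.items() if fd != failed_fd]


def survivors_during_update(placement: Placement, ud_in_maintenance: int) -> List[str]:
    """VMs still serving while one update domain is being rebooted."""
    return [vm for vm, (_, ud) in placement.items() if ud != ud_in_maintenance]


def worst_case_loss(placement: Placement) -> float:
    """Largest fraction of VMs lost to a single fault-domain failure."""
    counts: Dict[int, int] = {}
    for fd, _ in placement.values():
        counts[fd] = counts.get(fd, 0) + 1
    return max(counts.values()) / len(placement)


def rolling_update_plan(placement: Placement) -> List[Tuple[int, List[str]]]:
    """Order in which update domains go offline; only one group is down at a
    time, and the notes describe a 30-minute recovery window before the next."""
    plan = []
    for ud in sorted({ud for _, ud in placement.values()}):
        plan.append((ud, sorted(vm for vm, (_, u) in placement.items() if u == ud)))
    return plan


if __name__ == "__main__":
    p = place(SAMPLE_VMS)
    print("placement:", p)
    print("FD 0 fails, survivors:", survivors_after_fault(p, 0))
    print("worst-case loss:", worst_case_loss(p))
    print("rolling update plan:", rolling_update_plan(p))
```

Placing the same six VMs with a single fault domain (`place(SAMPLE_VMS, fds=1)`) gives a worst-case loss of 100%, which is the failure the availability set exists to prevent.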

6. Azure virtual desktop: Azure Virtual Desktop is a desktop and application virtualization service that runs on the
cloud. It enables you to use a cloud-hosted version of Windows from any location. Azure Virtual Desktop works
across devices and operating systems, and works with apps that you can use to access remote desktops or most
modern browsers.
a. Enhance security: Azure Virtual Desktop provides centralized security management for users' desktops
with Microsoft Entra ID. You can enable multifactor authentication to secure user sign-ins. You can also
secure access to data by assigning granular role-based access controls (RBACs) to users. With Azure Virtual
Desktop, the data and apps are separated from the local hardware. The actual desktop and apps are
running in the cloud, meaning the risk of confidential data being left on a personal device is reduced.
Additionally, user sessions are isolated in both single and multi-session environments.
7. Azure containers: If you want to run multiple instances of an application on a single host machine, containers are
an excellent choice.
a. Containers are a virtualization environment. Much like running multiple virtual machines on a single
physical host, you can run multiple containers on a single physical or virtual host. Unlike virtual machines,
you don't manage the operating system for a container. Virtual machines appear to be an instance of an
operating system that you can connect to and manage. Containers are lightweight and designed to be
created, scaled out, and stopped dynamically. It's possible to create and deploy virtual machines as
application demand increases, but containers are a lighter weight, more agile method. Containers are
designed to allow you to respond to changes on demand. With containers, you can quickly restart if
there's a crash or hardware interruption. One of the most popular container engines is Docker, and Azure
supports Docker.
b. Azure Container Instances: Azure Container Instances offer the fastest and simplest way to run a container
in Azure; without having to manage any virtual machines or adopt any additional services. Azure Container
Instances are a platform as a service (PaaS) offering. Azure Container Instances allow you to upload your
containers and then the service will run the containers for you.
c. Azure Container Apps are similar in many ways to a container instance. They allow you to get up and
running right away, they remove the container management piece, and they're a PaaS offering. Container
Apps have extra benefits such as the ability to incorporate load balancing and scaling. These other
functions allow you to be more elastic in your design.
d. Azure Kubernetes Service (AKS) is a container orchestration service. An orchestration service manages the
lifecycle of containers. When you're deploying a fleet of containers, AKS can make fleet management
simpler and more efficient.
e. Use containers in your solutions: Containers are often used to create solutions by using a microservice
architecture. This architecture is where you break solutions into smaller, independent pieces. For example,
you might split a website into a container hosting your front end, another hosting your back end, and a
third for storage. This split allows you to separate portions of your app into logical sections that can be
maintained, scaled, or updated independently. Imagine your website back end has reached capacity but
the front end and storage aren't being stressed. With containers, you could scale the back end separately
to improve performance. If something necessitated such a change, you could also choose to change the
storage service or modify the front end without impacting any of the other components.
8. Azure functions
a. Azure Functions is an event-driven, serverless compute option that doesn’t require maintaining virtual
machines or containers. If you build an app using VMs or containers, those resources have to be “running”
in order for your app to function. With Azure Functions, an event wakes the function, alleviating the need
to keep resources provisioned when there are no events.
b. Benefits of Azure Functions:
i. Using Azure Functions is ideal when you're only concerned about the code running your service
and not about the underlying platform or infrastructure. Functions are commonly used when you
need to perform work in response to an event (often via a REST request), timer, or message from
another Azure service, and when that work can be completed quickly, within seconds or less.
ii. Functions scale automatically based on demand, so they may be a good choice when demand is
variable.
iii. Azure Functions runs your code when it's triggered and automatically deallocates resources
when the function is finished. In this model, you're only charged for the CPU time used while your
function runs.
iv. Functions can be either stateless or stateful. When they're stateless (the default), they behave as
if they're restarted every time they respond to an event. When they're stateful (called Durable
Functions), a context is passed through the function to track prior activity.
v. Functions are a key component of serverless computing. They're also a general compute platform
for running any type of code. If the needs of the developer's app change, you can deploy the
project in an environment that isn't serverless. This flexibility allows you to manage scaling, run on
virtual networks, and even completely isolate the functions.

9. Application hosting options:


a. VMs give you maximum control of the hosting environment and allow you to configure it exactly how you
want. VMs also may be the most familiar hosting method if you’re new to the cloud. Containers, with the
ability to isolate and individually manage different aspects of the hosting solution, can also be a robust and
compelling option.
b. Azure App Service: App Service is an HTTP-based service that enables you to build and host web apps,
background jobs, mobile back ends, and RESTful APIs in the programming language of your choice without
managing infrastructure. It offers automatic scaling and high availability. It supports multiple languages,
including .NET, .NET Core, Java, Ruby, Node.js, PHP, and Python, and both Windows and Linux
environments. It enables automated deployments from GitHub, Azure DevOps, or any Git repo to support a
continuous deployment model.
c. App Service handles most of the infrastructure decisions you deal with in hosting web-accessible apps:
i. Deployment and management are integrated into the platform.
ii. Endpoints can be secured.
iii. Sites can be scaled quickly to handle high traffic loads.
iv. The built-in load balancing and traffic manager provide high availability.

d. Types of app services:


i. Web apps: App Service includes full support for hosting web apps by using ASP.NET, ASP.NET Core,
Java, Ruby, Node.js, PHP, or Python. You can choose either Windows or Linux as the host
operating system.
ii. API apps: Much like hosting a website, you can build REST-based web APIs by using your choice of
language and framework. You get full Swagger support and the ability to package and publish your
API in Azure Marketplace. The produced apps can be consumed from any HTTP- or HTTPS-based
client.
iii. WebJobs: You can use the WebJobs feature to run a program (.exe, Java, PHP, Python, or Node.js)
or script (.cmd, .bat, PowerShell, or Bash) in the same context as a web app, API app, or mobile
app. They can be scheduled or run by a trigger. WebJobs are often used to run background tasks
as part of your application logic.
iv. Mobile apps: Use the Mobile Apps feature of App Service to quickly build a back end for iOS and
Android apps. With just a few actions in the Azure portal, you can:
1. Store mobile app data in a cloud-based SQL database.
2. Authenticate customers against common social providers, such as MSA, Google, Twitter,
and Facebook.
3. Send push notifications.
4. Execute custom back-end logic in C# or Node.js.
v. On the mobile app side, there's SDK support for native iOS and Android, Xamarin, and React Native
apps.

10. Azure virtual networking:


a. Azure virtual networks and virtual subnets enable Azure resources, such as VMs, web apps, and databases,
to communicate with each other, with users on the internet, and with your on-premises client computers.
You can think of an Azure network as an extension of your on-premises network with resources that link
other Azure resources.
i. Azure virtual networks provide the following key networking capabilities:
1. Isolation and segmentation
2. Internet communications
3. Communicate between Azure resources
4. Communicate with on-premises resources
5. Route network traffic
6. Filter network traffic
7. Connect virtual networks
ii. Azure virtual networking supports both public and private endpoints to enable communication
between external or internal resources with other internal resources. Public endpoints have a
public IP address and can be accessed from anywhere in the world. Private endpoints exist within
a virtual network and have a private IP address from within the address space of that virtual
network.
b. Isolation and segmentation:

i. Azure virtual network allows you to create multiple isolated virtual networks. When you set up a
virtual network, you define a private IP address space by using either public or private IP address
ranges. The IP range only exists within the virtual network and isn't internet routable. You can
divide that IP address space into subnets and allocate part of the defined address space to each
named subnet.
ii. For name resolution, you can use the name resolution service that's built into Azure. You also can
configure the virtual network to use either an internal or an external DNS server.
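The address-space and subnet rules above can be checked before anything is deployed. The following Python script is an added example (not from the course material or from Azure's own tooling): it verifies that each named subnet fits inside the virtual network's address space and that no two subnets overlap, allocates the next free block of a given size, and counts usable hosts. The 10.0.0.0/16 plan and subnet names are constructed; Azure's reservation of five addresses per subnet and the /29 minimum subnet size are platform facts not stated in the text.

```python
import ipaddress
from typing import Dict, Iterable, Optional

# Azure platform facts not stated in the text above: every subnet loses five
# addresses (network, default gateway, two reserved for Azure DNS, broadcast),
# and the smallest IPv4 subnet Azure accepts is a /29.
AZURE_RESERVED_PER_SUBNET = 5
AZURE_SMALLEST_PREFIX = 29


def plan_vnet(address_space: str, subnets: Dict[str, str]) -> Dict[str, dict]:
    """Validate a virtual network plan.

    Every subnet must lie inside the VNet address space, no two subnets may
    overlap, and each must be /29 or larger. Returns a per-subnet report or
    raises ValueError describing the first defect found.
    """
    vnet = ipaddress.ip_network(address_space, strict=True)
    accepted: Dict[str, ipaddress.IPv4Network] = {}
    for name, cidr in subnets.items():
        net = ipaddress.ip_network(cidr, strict=True)
        if not net.subnet_of(vnet):
            raise ValueError(f"{name} ({cidr}) is outside the address space {vnet}")
        if net.prefixlen > AZURE_SMALLEST_PREFIX:
            raise ValueError(f"{name} ({cidr}) is smaller than the /29 minimum")
        for other_name, other in accepted.items():
            if net.overlaps(other):
                raise ValueError(f"{name} ({cidr}) overlaps {other_name} ({other})")
        accepted[name] = net

    return {
        name: {
            "cidr": str(net),
            "usable_hosts": net.num_addresses - AZURE_RESERVED_PER_SUBNET,
            # The text allows public ranges too; flag them so the reader knows the
            # range is still not internet routable from inside the VNet.
            "uses_private_range": net.is_private,
        }
        for name, net in accepted.items()
    }


def next_free_subnet(address_space: str, in_use: Iterable[str], new_prefix: int) -> Optional[str]:
    """Return the first /new_prefix block in the address space that does not
    overlap any subnet already in use, or None if the space is exhausted."""
    vnet = ipaddress.ip_network(address_space, strict=True)
    used = [ipaddress.ip_network(c, strict=True) for c in in_use]
    for candidate in vnet.subnets(new_prefix=new_prefix):
        if not any(candidate.overlaps(u) for u in used):
            return str(candidate)
    return None


if __name__ == "__main__":
    # Constructed plan: a /16 VNet carved into three workload subnets.
    plan = {"web": "10.0.1.0/24", "app": "10.0.2.0/24", "db": "10.0.3.0/26"}
    for name, info in plan_vnet("10.0.0.0/16", plan).items():
        print(f"{name:4} {info['cidr']:16} usable hosts: {info['usable_hosts']}")
    print("next /24:", next_free_subnet("10.0.0.0/16", plan.values(), 24))
    try:
        plan_vnet("10.0.0.0/16", {**plan, "bad": "10.0.1.128/25"})
    except ValueError as err:
        print("rejected:", err)
```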
c. Internet communications:
i. You can enable incoming connections from the internet by assigning a public IP address to an
Azure resource, or putting the resource behind a public load balancer.
d. Communicate between Azure resources:
i. Virtual networks can connect not only VMs but other Azure resources, such as the App Service
Environment for Power Apps, Azure Kubernetes Service, and Azure virtual machine scale sets.
ii. Service endpoints can connect to other Azure resource types, such as Azure SQL databases and
storage accounts. This approach enables you to link multiple Azure resources to virtual networks
to improve security and provide optimal routing between resources.
e. Communicate with on-premises resources: Azure virtual networks enable you to link resources together in
your on-premises environment and within your Azure subscription. In effect, you can create a network
that spans both your local and cloud environments.
i. Point-to-site virtual private network connections are from a computer outside your organization
back into your corporate network. In this case, the client computer initiates an encrypted VPN
connection to connect to the Azure virtual network.
ii. Site-to-site virtual private networks link your on-premises VPN device or gateway to the Azure
VPN gateway in a virtual network. In effect, the devices in Azure can appear as being on the local
network. The connection is encrypted and works over the internet.
iii. Azure ExpressRoute provides dedicated private connectivity to Azure that doesn't travel over
the internet. ExpressRoute is useful for environments where you need greater bandwidth and
even higher levels of security.

f. Route network traffic: By default, Azure routes traffic between subnets on any connected virtual
networks, on-premises networks, and the internet. You also can control routing and override those
settings, as follows:
i. Route tables allow you to define rules about how traffic should be directed. You can create
custom route tables that control how packets are routed between subnets.
ii. Border Gateway Protocol (BGP) works with Azure VPN gateways, Azure Route Server, or Azure
ExpressRoute to propagate on-premises BGP routes to Azure virtual networks.

g. Filter network traffic: Azure virtual networks enable you to filter traffic between subnets by using the
following approaches:
i. Network security groups are Azure resources that can contain multiple inbound and outbound
security rules. You can define these rules to allow or block traffic, based on factors such as source
and destination IP address, port, and protocol.
ii. Network virtual appliances are specialized VMs that can be compared to a hardened network
appliance. A network virtual appliance carries out a particular network function, such as running a
firewall or performing wide area network (WAN) optimization.
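Network security group rules are evaluated in priority order (lowest number first) and the first matching rule decides; every NSG also carries Azure's default rules, which allow intra-VNet and load-balancer traffic and deny everything else inbound. The Python model below is an added example, not Azure's own code: it evaluates constructed inbound rules against constructed flows by source address, destination port and protocol, as the text describes. Priority ordering, the default rules with their 65000-65500 priorities and the 168.63.129.16 health-probe address are Azure facts not stated above; the "VirtualNetwork" and "Internet" tags are deliberately simplified as noted in the comments.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class NsgRule:
    name: str
    priority: int     # 100-4096 for custom rules; the lowest number is evaluated first
    access: str       # "Allow" or "Deny"
    protocol: str     # "Tcp", "Udp", "Icmp" or "*"
    source: str       # CIDR, "*" or one of the service tags modelled below
    dest_ports: str   # "22", "80-443" or "*"


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_port: int
    protocol: str


# Azure's default inbound rules; they are present in every NSG and cannot be removed.
DEFAULT_INBOUND = [
    NsgRule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", "*"),
    NsgRule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "AzureLoadBalancer", "*"),
    NsgRule("DenyAllInBound", 65500, "Deny", "*", "*", "*"),
]

# Source address used by Azure load balancer health probes.
AZURE_LB_PROBE_IP = "168.63.129.16"


def _port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    if "-" in spec:
        low, high = (int(p) for p in spec.split("-", 1))
        return low <= port <= high
    return int(spec) == port


def _source_matches(spec: str, src_ip: str, vnet: ipaddress.IPv4Network) -> bool:
    addr = ipaddress.ip_address(src_ip)
    if spec == "*":
        return True
    if spec == "VirtualNetwork":      # simplified: only this VNet's own address space
        return addr in vnet
    if spec == "AzureLoadBalancer":
        return src_ip == AZURE_LB_PROBE_IP
    if spec == "Internet":            # simplified: any address outside the VNet address space
        return addr not in vnet
    return addr in ipaddress.ip_network(spec, strict=False)


def evaluate_inbound(custom_rules: List[NsgRule], flow: Flow, vnet_cidr: str) -> Tuple[str, str]:
    """Return (access, rule name) for the first rule, in priority order, that matches the flow."""
    vnet = ipaddress.ip_network(vnet_cidr)
    for rule in sorted(custom_rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if rule.protocol != "*" and rule.protocol != flow.protocol:
            continue
        if not _source_matches(rule.source, flow.src_ip, vnet):
            continue
        if not _port_matches(rule.dest_ports, flow.dst_port):
            continue
        return rule.access, rule.name
    raise RuntimeError("unreachable: DenyAllInBound matches every flow")


# Constructed rule set for a web tier: SSH only from a bastion subnet, HTTPS from anywhere.
WEB_TIER_RULES = [
    NsgRule("Allow-SSH-From-Bastion", 100, "Allow", "Tcp", "10.0.0.0/27", "22"),
    NsgRule("Deny-SSH-From-Internet", 200, "Deny", "Tcp", "Internet", "22"),
    NsgRule("Allow-HTTPS", 300, "Allow", "Tcp", "*", "443"),
]

if __name__ == "__main__":
    # Constructed flows; 203.0.113.0/24 is a documentation range standing in for the internet.
    for flow in [Flow("203.0.113.5", 22, "Tcp"), Flow("10.0.0.4", 22, "Tcp"),
                 Flow("203.0.113.5", 443, "Tcp"), Flow("10.0.5.7", 3389, "Tcp"),
                 Flow("203.0.113.5", 3389, "Tcp")]:
        access, rule = evaluate_inbound(WEB_TIER_RULES, flow, "10.0.0.0/16")
        print(f"{flow.src_ip:>13} -> {flow.protocol}/{flow.dst_port:<5} {access:5} ({rule})")
```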

h. Connect virtual networks:


i. You can link virtual networks together by using virtual network peering. Peering allows two
virtual networks to connect directly to each other. Network traffic between peered networks is
private, and travels on the Microsoft backbone network, never entering the public internet.
Peering enables resources in each virtual network to communicate with each other. These virtual
networks can be in separate regions, which allows you to create a global interconnected network
through Azure.
ii. User-defined routes (UDR) allow you to control the routing tables between subnets within a
virtual network or between virtual networks. This allows for greater control over network traffic
flow.
11. Azure virtual private networks: A virtual private network (VPN) uses an encrypted tunnel within another network.
VPNs are typically deployed to connect two or more trusted private networks to one another over an untrusted
network (typically the public internet). Traffic is encrypted while traveling over the untrusted network to prevent
eavesdropping or other attacks. VPNs can enable networks to safely and securely share sensitive information.
a. VPN gateways: A VPN gateway is a type of virtual network gateway.
i. Azure VPN Gateway instances are deployed in a dedicated subnet of the virtual network and
enable the following connectivity:
1. Connect on-premises datacenters to virtual networks through a site-to-site connection.
2. Connect individual devices to virtual networks through a point-to-site connection.
3. Connect virtual networks to other virtual networks through a network-to-network
connection.

ii. All data transfer is encrypted inside a private tunnel as it crosses the internet. You can deploy only
one VPN gateway in each virtual network. However, you can use one gateway to connect to
multiple locations, which includes other virtual networks or on-premises datacenters.
iii. When setting up a VPN gateway, you must specify the type of VPN - either policy-based or route-
based. The primary distinction between these two types is how they determine which traffic
needs encryption. In Azure, regardless of the VPN type, the method of authentication employed is
a pre-shared key.
1. Policy-based VPN gateways statically specify the IP addresses of packets that should be
encrypted through each tunnel. The device evaluates every data packet against those sets of
IP addresses to choose the tunnel that packet is sent through.
2. In Route-based gateways, IPSec tunnels are modeled as a network interface or virtual
tunnel interface. IP routing (either static routes or dynamic routing protocols) decides
which one of these tunnel interfaces to use when sending each packet. Route-based
VPNs are the preferred connection method for on-premises devices. They're more
resilient to topology changes such as the creation of new subnets. Use a route-based VPN
gateway if you need any of the following types of connectivity:
a. Connections between virtual networks
b. Point-to-site connections
c. Multisite connections
d. Coexistence with an Azure ExpressRoute gateway
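The difference between the two gateway types is easiest to see in code. This Python model is an added example, not Azure's implementation: a policy-based selector matches each packet against static (local prefix, remote prefix) pairs, while a route-based selector does a longest-prefix lookup on the destination to pick a tunnel interface, so a newly created on-premises subnet that falls under an existing summary route keeps working without a policy change. The VNet, on-premises prefixes, tunnel names and packets are all constructed.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed topology: an Azure VNet connected to two on-premises sites,
# each over its own tunnel.
VNET = "10.0.0.0/16"

# Policy-based: a tunnel carries only traffic matching its static
# (local prefix, remote prefix) selector pair.
POLICY_SELECTORS: Dict[str, Tuple[str, str]] = {
    "tunnel-hq": (VNET, "192.168.10.0/24"),
    "tunnel-branch": (VNET, "192.168.20.0/24"),
}

# Route-based: tunnels are interfaces and ordinary IP routing decides.
# The /16 summary route for HQ also covers subnets created later.
ROUTE_TABLE: List[Tuple[str, str]] = [
    ("192.168.0.0/16", "vti-hq"),
    ("192.168.20.0/24", "vti-branch"),
]


def select_policy_based(src: str, dst: str, selectors=POLICY_SELECTORS) -> Optional[str]:
    """Return the tunnel whose selector pair covers this packet, or None when no
    selector matches and the gateway therefore has no tunnel to encrypt it into."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for tunnel, (local, remote) in selectors.items():
        if s in ipaddress.ip_network(local) and d in ipaddress.ip_network(remote):
            return tunnel
    return None


def select_route_based(dst: str, table=ROUTE_TABLE) -> Optional[str]:
    """Longest-prefix match on the destination; the chosen route's interface is the tunnel."""
    d = ipaddress.ip_address(dst)
    best: Optional[Tuple[ipaddress.IPv4Network, str]] = None
    for prefix, iface in table:
        net = ipaddress.ip_network(prefix)
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def compare(src: str, dst: str) -> Dict[str, Optional[str]]:
    """Show how each gateway type would handle the same packet."""
    return {"policy_based": select_policy_based(src, dst),
            "route_based": select_route_based(dst)}


if __name__ == "__main__":
    # 192.168.30.0/24 is a new HQ subnet nobody added a policy for.
    for dst in ["192.168.10.8", "192.168.20.8", "192.168.30.8"]:
        print(dst, compare("10.0.1.4", dst))
```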

b. High-availability scenarios: There are a few ways to maximize the resiliency of your VPN gateway.
i. Active/standby: By default, VPN gateways are deployed as two instances in an active/standby
configuration, even if you only see one VPN gateway resource in Azure. When planned
maintenance or unplanned disruption affects the active instance, the standby instance
automatically assumes responsibility for connections without any user intervention. Connections
are interrupted during this failover, but they're typically restored within a few seconds for
planned maintenance and within 90 seconds for unplanned disruptions.

ii. Active/active: With the introduction of support for the BGP routing protocol, you can also deploy
VPN gateways in an active/active configuration. In this configuration, you assign a unique public IP
address to each instance. You then create separate tunnels from the on-premises device to each
IP address. You can extend the high availability by deploying an additional VPN device on-
premises.
iii. ExpressRoute failover: Another high-availability option is to configure a VPN gateway as a secure
failover path for ExpressRoute connections. ExpressRoute circuits have resiliency built in.
However, they aren't immune to physical problems that affect the cables delivering connectivity
or outages that affect the complete ExpressRoute location. In high-availability scenarios, where
there's risk associated with an outage of an ExpressRoute circuit, you can also provision a VPN
gateway that uses the internet as an alternative method of connectivity. In this way, you can
ensure there's always a connection to the virtual networks.
iv. Zone-redundant gateways: In regions that support availability zones, VPN gateways and
ExpressRoute gateways can be deployed in a zone-redundant configuration. This configuration
brings resiliency, scalability, and higher availability to virtual network gateways. Deploying
gateways in Azure availability zones physically and logically separates gateways within a region
while protecting your on-premises network connectivity to Azure from zone-level failures. These
gateways require different gateway stock keeping units (SKUs) and use Standard public IP
addresses instead of Basic public IP addresses.
12. Azure ExpressRoute
a. Azure ExpressRoute lets you extend your on-premises networks into the Microsoft cloud over a private
connection, with the help of a connectivity provider. This connection is called an ExpressRoute Circuit.
With ExpressRoute, you can establish connections to Microsoft cloud services, such as Microsoft Azure
and Microsoft 365. This allows you to connect offices, datacenters, or other facilities to the Microsoft
cloud. Each location would have its own ExpressRoute circuit.
b. Connectivity can be from an any-to-any (IP VPN) network, a point-to-point Ethernet network, or a virtual
cross-connection through a connectivity provider at a colocation facility. ExpressRoute connections don't
go over the public Internet.
c. Features and benefits of ExpressRoute:
i. Connectivity to Microsoft cloud services: ExpressRoute enables direct access to the following
services in all regions:
1. Microsoft Office 365
2. Microsoft Dynamics 365
3. Azure compute services, such as Azure Virtual Machines
4. Azure cloud services, such as Azure Cosmos DB and Azure Storage

ii. Global connectivity: You can enable ExpressRoute Global Reach to exchange data across your on-
premises sites by connecting your ExpressRoute circuits. For example, say you had an office in Asia
and a datacenter in Europe, both with ExpressRoute circuits connecting them to the Microsoft
network. You could use ExpressRoute Global Reach to connect those two facilities, allowing them
to communicate without transferring data over the public internet.
iii. Dynamic routing: ExpressRoute uses the Border Gateway Protocol (BGP) to exchange routes between
on-premises networks and resources running in Azure. This protocol enables dynamic routing
between your on-premises network and services running in the Microsoft cloud.
iv. Built-in redundancy: Each connectivity provider uses redundant devices to ensure that
connections established with Microsoft are highly available. You can configure multiple circuits to
complement this feature.
d. ExpressRoute connectivity models:
i. Co-location at a cloud exchange: Co-location refers to your datacenter, office, or other facility
being physically co-located at a cloud exchange, such as an ISP. If your facility is co-located at a
cloud exchange, you can request a virtual cross-connect to the Microsoft cloud.
ii. Point-to-point Ethernet connection: A point-to-point Ethernet connection refers to using a point-to-
point connection to connect your facility to the Microsoft cloud.
iii. Any-to-any networks: With any-to-any connectivity, you can integrate your wide area network
(WAN) with Azure by providing connections to your offices and datacenters. Azure integrates with
your WAN connection to provide a connection like you would have between your datacenter and
any branch offices.
iv. Directly from ExpressRoute sites: You can connect directly into Microsoft's global network at
peering locations strategically distributed across the world. ExpressRoute Direct provides dual
100-Gbps or 10-Gbps connectivity, which supports active/active connectivity at scale.
e. Security considerations: With ExpressRoute, your data doesn't travel over the public internet, so it's not
exposed to the potential risks associated with internet communications. ExpressRoute is a private
connection from your on-premises infrastructure to your Azure infrastructure. Even if you have an
ExpressRoute connection, DNS queries, certificate revocation list checking, and Azure Content Delivery
Network requests are still sent over the public internet.
13. Azure DNS: Azure DNS is a hosting service for DNS domains that provides name resolution by using Microsoft
Azure infrastructure. By hosting your domains in Azure, you can manage your DNS records using the same
credentials, APIs, tools, and billing as your other Azure services.
a. Benefits of Azure DNS:
i. Reliability and performance: DNS domains in Azure DNS are hosted on Azure's global network of
DNS name servers, providing resiliency and high availability. Azure DNS uses anycast networking,
so each DNS query is answered by the closest available DNS server to provide fast performance
and high availability for your domain.
ii. Security: Azure DNS is based on Azure Resource Manager, which provides features such as:
1. Azure role-based access control (Azure RBAC) to control who has access to specific actions
for your organization.
2. Activity logs to monitor how a user in your organization modified a resource or to find an
error when troubleshooting.
3. Resource locking to lock a subscription, resource group, or resource. Locking prevents
other users in your organization from accidentally deleting or modifying critical resources.

iii. Ease of use: Azure DNS can manage DNS records for your Azure services and provide DNS for your
external resources as well. Azure DNS is integrated in the Azure portal and uses the same
credentials, support contract, and billing as your other Azure services. Because Azure DNS is
running on Azure, it means you can manage your domains and records with the Azure portal,
Azure PowerShell cmdlets, and the cross-platform Azure CLI. Applications that require automated
DNS management can integrate with the service by using the REST API and SDKs.
iv. Customizable virtual networks with private domains: Azure DNS also supports private DNS
domains. This feature allows you to use your own custom domain names in your private virtual
networks, rather than being stuck with the Azure-provided names.
v. Alias records: Azure DNS also supports alias record sets. You can use an alias record set to refer to
an Azure resource, such as an Azure public IP address, an Azure Traffic Manager profile, or an
Azure Content Delivery Network (CDN) endpoint. If the IP address of the underlying resource
changes, the alias record set seamlessly updates itself during DNS resolution. The alias record set
points to the service instance, and the service instance is associated with an IP address.
b. NOTE: You can't use Azure DNS to buy a domain name. For an annual fee, you can buy a domain name by
using App Service domains or a third-party domain name registrar. Once purchased, your domains can be
hosted in Azure DNS for record management.
14. Azure storage accounts: A storage account provides a unique namespace for your Azure Storage data that's
accessible from anywhere in the world over HTTP or HTTPS.
a. When you create your storage account, you’ll start by picking the storage account type. The type of
account determines the storage services and redundancy options and has an impact on the use cases.
Below is a list of redundancy options that will be covered later in this module:
i. Locally redundant storage (LRS)
ii. Geo-redundant storage (GRS)
iii. Read-access geo-redundant storage (RA-GRS)
iv. Zone-redundant storage (ZRS)
v. Geo-zone-redundant storage (GZRS)
vi. Read-access geo-zone-redundant storage (RA-GZRS)
b. Storage account endpoints
i. One of the benefits of using an Azure Storage Account is having a unique namespace in Azure for
your data. In order to do this, every storage account in Azure must have a unique-in-Azure
account name. The combination of the account name and the Azure Storage service endpoint
forms the endpoints for your storage account. When naming your storage account, keep these
rules in mind:
1. Storage account names must be between 3 and 24 characters in length and may contain
numbers and lowercase letters only.
2. Your storage account name must be unique within Azure. No two storage accounts can
have the same name. This supports the ability to have a unique, accessible namespace in
Azure.
ii. The following table shows the endpoint format for Azure Storage services.

15. Azure storage redundancy: Azure Storage always stores multiple copies of your data so that it's protected from
planned and unplanned events such as transient hardware failures, network or power outages, and natural
disasters.
a. The factors that help determine which redundancy option you should choose include:
i. How your data is replicated in the primary region.
ii. Whether your data is replicated to a second region that is geographically distant to the primary
region, to protect against regional disasters.
iii. Whether your application requires read access to the replicated data in the secondary region if the
primary region becomes unavailable.

b. Redundancy in the primary region: Data in an Azure Storage account is always replicated three times in
the primary region.
i. Locally redundant storage:
1. Locally redundant storage (LRS) replicates your data three times within a single data
center in the primary region. LRS provides at least 11 nines of durability (99.999999999%)
of objects over a given year.

2. LRS is the lowest-cost redundancy option and offers the least durability compared to other
options. LRS protects your data against server rack and drive failures. However, if a
disaster such as fire or flooding occurs within the data center, all replicas of a storage
account using LRS may be lost or unrecoverable. To mitigate this risk, Microsoft
recommends using zone-redundant storage (ZRS), geo-redundant storage (GRS), or geo-
zone-redundant storage (GZRS).
ii. Zone-redundant storage:
1. For availability zone-enabled regions, zone-redundant storage (ZRS) replicates your Azure
Storage data synchronously across three Azure availability zones in the primary region.
ZRS offers durability for Azure Storage data objects of at least 12 nines (99.9999999999%)
over a given year.
2. With ZRS, your data is still accessible for both read and write operations even if a zone
becomes unavailable. No remounting of Azure file shares from the connected clients is
required. If a zone becomes unavailable, Azure undertakes networking updates, such as
DNS repointing. These updates may affect your application if you access data before the
updates have completed.
3. Microsoft recommends using ZRS in the primary region for scenarios that require high
availability. ZRS is also recommended for restricting replication of data within a country or
region to meet data governance requirements.
c. Redundancy in a secondary region: When you create a storage account, you select the primary region for
the account. The paired secondary region is based on Azure Region Pairs, and can't be changed. GRS is
similar to running LRS in two regions, and GZRS is similar to running ZRS in the primary region and LRS in
the secondary region. By default, data in the secondary region isn't available for read or write access
unless there's a failover to the secondary region. If the primary region becomes unavailable, you can
choose to fail over to the secondary region. After the failover has completed, the secondary region
becomes the primary region, and you can again read and write data.

NOTE: Because data is replicated to the secondary region asynchronously, a failure that affects the primary region may
result in data loss if the primary region can't be recovered. The interval between the most recent writes to the primary
region and the last write to the secondary region is known as the recovery point objective (RPO). The RPO indicates the
point in time to which data can be recovered. Azure Storage typically has an RPO of less than 15 minutes, although there's
currently no SLA on how long it takes to replicate data to the secondary region.

i. Geo-redundant storage: GRS copies your data synchronously three times within a single physical
location in the primary region using LRS. It then copies your data asynchronously to a single
physical location in the secondary region (the region pair) using LRS. GRS offers durability for
Azure Storage data objects of at least 16 nines (99.99999999999999%) over a given year.

ii. Geo-zone-redundant storage: GZRS combines the high availability provided by redundancy across
availability zones with protection from regional outages provided by geo-replication. Data in a
GZRS storage account is copied across three Azure availability zones in the primary region (similar
to ZRS) and is also replicated to a secondary geographic region, using LRS, for protection from
regional disasters. Microsoft recommends using GZRS for applications requiring maximum
consistency, durability, and availability, excellent performance, and resilience for disaster
recovery. GZRS is designed to provide at least 16 nines (99.99999999999999%) of durability of
objects over a given year.
d. Read access to data in the secondary region: Geo-redundant storage (with GRS or GZRS) replicates your
data to another physical location in the secondary region to protect against regional outages. However,
that data is available to be read only if the customer or Microsoft initiates a failover from the primary to
secondary region. However, if you enable read access to the secondary region, your data is always
available, even when the primary region is running optimally. For read access to the secondary region,
enable read-access geo-redundant storage (RA-GRS) or read-access geo-zone-redundant storage (RA-
GZRS). Remember that the data in your secondary region may not be up to date because of the recovery
point objective (RPO) described in the note above.
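The RPO note and the read-access options are easier to reason about with a small model. This Python simulation is an added example, not Azure's replication code: the primary acknowledges writes immediately, the secondary receives each write after a fixed lag, and a regional outage followed by failover shows which writes are lost and what the RPO was; enabling read access (RA-GRS / RA-GZRS) lets reads continue from the possibly stale secondary before failover, while without it reads fail until failover. The 10-minute lag and the write timeline are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Write:
    key: str
    value: str
    t: float  # seconds on a constructed timeline


@dataclass
class GeoReplicatedAccount:
    """Toy model of a GRS/GZRS account. Writes are durable in the primary at once
    and reach the secondary replication_lag seconds later (asynchronous copy)."""
    replication_lag: float
    read_access_secondary: bool = False  # RA-GRS / RA-GZRS when True
    primary: Dict[str, str] = field(default_factory=dict)
    secondary: Dict[str, str] = field(default_factory=dict)
    log: List[Write] = field(default_factory=list)
    outage_at: Optional[float] = None    # set while the primary region is down

    def write(self, key: str, value: str, t: float) -> None:
        if self.outage_at is not None:
            raise RuntimeError("primary region unavailable; fail over before writing")
        self.primary[key] = value
        self.log.append(Write(key, value, t))

    def _replicate_until(self, now: float) -> None:
        # Apply every write whose copy to the secondary has completed by `now`.
        for w in self.log:
            if w.t + self.replication_lag <= now:
                self.secondary[w.key] = w.value

    def read(self, key: str, now: float) -> Optional[str]:
        self._replicate_until(now)
        if self.outage_at is None:
            return self.primary.get(key)
        if self.read_access_secondary:
            return self.secondary.get(key)  # may be stale by up to the RPO
        raise RuntimeError("primary down and secondary not readable without failover")

    def regional_outage(self, now: float) -> None:
        """The primary region becomes unavailable; replication stops at this instant."""
        self._replicate_until(now)
        self.outage_at = now

    def failover(self) -> Tuple[List[str], float]:
        """Promote the secondary. Returns (keys of lost writes, RPO in seconds), where
        the RPO is the gap between the last write the primary accepted and the last
        write that had reached the secondary, as the note above defines it."""
        if self.outage_at is None:
            raise RuntimeError("no outage in progress")
        replicated = [w for w in self.log if w.t + self.replication_lag <= self.outage_at]
        lost = [w.key for w in self.log if w.t + self.replication_lag > self.outage_at]
        last_primary = max((w.t for w in self.log), default=0)
        last_secondary = max((w.t for w in replicated), default=0)
        rpo = last_primary - last_secondary
        self.primary = dict(self.secondary)   # the secondary becomes the new primary
        self.log = replicated
        self.outage_at = None
        return lost, rpo


def run_scenario(read_access: bool) -> Tuple[List[str], float, Optional[str]]:
    """Constructed timeline: four writes, a 10-minute lag, outage at t=1100 s."""
    acct = GeoReplicatedAccount(replication_lag=600, read_access_secondary=read_access)
    for key, value, t in [("a", "v1", 0), ("b", "v2", 100), ("c", "v3", 500), ("d", "v4", 1000)]:
        acct.write(key, value, t)
    acct.regional_outage(now=1100)
    try:
        stale_read = acct.read("d", now=1150)   # the secondary has not received "d" yet
    except RuntimeError:
        stale_read = "unreadable"
    lost, rpo = acct.failover()
    return lost, rpo, stale_read


if __name__ == "__main__":
    print(run_scenario(read_access=True))    # (['d'], 500, None)
    print(run_scenario(read_access=False))   # (['d'], 500, 'unreadable')
```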
16. Azure storage services:
a. The Azure Storage platform includes the following data services:
i. Azure Blobs: A massively scalable object store for text and binary data. Also includes support for
big data analytics through Data Lake Storage Gen2.
ii. Azure Files: Managed file shares for cloud or on-premises deployments.
iii. Azure Queues: A messaging store for reliable messaging between application components.
iv. Azure Disks: Block-level storage volumes for Azure VMs.
v. Azure Tables: NoSQL table option for structured, non-relational data.

b. Benefits of Azure Storage:


i. Durable and highly available. Redundancy ensures that your data is safe if transient hardware
failures occur. You can also opt to replicate data across data centers or geographical regions for
additional protection from local catastrophes or natural disasters. Data replicated in this way
remains highly available if an unexpected outage occurs.
ii. Secure. All data written to an Azure storage account is encrypted by the service. Azure Storage
provides you with fine-grained control over who has access to your data.
iii. Scalable. Azure Storage is designed to be massively scalable to meet the data storage and
performance needs of today's applications.
iv. Managed. Azure handles hardware maintenance, updates, and critical issues for you.
v. Accessible. Data in Azure Storage is accessible from anywhere in the world over HTTP or HTTPS.
Microsoft provides client libraries for Azure Storage in a variety of languages, including .NET, Java,
Node.js, Python, PHP, Ruby, Go, and others, as well as a mature REST API. Azure Storage supports
scripting in Azure PowerShell or Azure CLI. And the Azure portal and Azure Storage Explorer offer
easy visual solutions for working with your data.

c. Azure Blobs: Azure Blob storage is an object storage solution for the cloud. It can store massive amounts
of data, such as text or binary data. Azure Blob storage is unstructured, meaning that there are no
restrictions on the kinds of data it can hold. Blob storage can manage thousands of simultaneous
uploads, massive amounts of video data, constantly growing log files, and can be reached from
anywhere with an internet connection. Blobs aren't limited to common file formats. A blob could contain
gigabytes of binary data streamed from a scientific instrument, an encrypted message for another
application, or data in a custom format for an app you're developing. One advantage of blob storage over
disk storage is that it doesn't require developers to think about or manage disks. Data is uploaded as
blobs, and Azure takes care of the physical storage needs.
i. Blob storage is ideal for:
1. Serving images or documents directly to a browser.
2. Storing files for distributed access.
3. Streaming video and audio.
4. Storing data for backup and restore, disaster recovery, and archiving.
5. Storing data for analysis by an on-premises or Azure-hosted service.

ii. Accessing blob storage: Objects in blob storage can be accessed from anywhere in the world via
HTTP or HTTPS. Users or client applications can access blobs via URLs, the Azure Storage REST API,
Azure PowerShell, Azure CLI, or an Azure Storage client library. The storage client libraries are
available for multiple languages, including .NET, Java, Node.js, Python, PHP, and Ruby.
iii. Blob storage tiers: The available access tiers include:
1. Hot access tier: Optimized for storing data that is accessed frequently (for example,
images for your website).
2. Cool access tier: Optimized for data that is infrequently accessed and stored for at least 30
days (for example, invoices for your customers).
3. Cold access tier: Optimized for storing data that is infrequently accessed and stored for at
least 90 days.
4. Archive access tier: Appropriate for data that is rarely accessed and stored for at least 180
days, with flexible latency requirements (for example, long-term backups).
iv. The following considerations apply to the different access tiers:

1. Hot and cool access tiers can be set at the account level. The cold and archive access tiers
aren't available at the account level.
2. Hot, cool, cold, and archive tiers can be set at the blob level, during or after upload.
3. Data in the cool and cold access tiers can tolerate slightly lower availability, but still
requires high durability, retrieval latency, and throughput characteristics similar to hot
data. For cool and cold data, a lower availability service-level agreement (SLA) and higher
access costs compared to hot data are acceptable trade-offs for lower storage costs.
4. Archive storage stores data offline and offers the lowest storage costs, but also the highest
costs to rehydrate and access data.
d. Azure Files: Azure File storage offers fully managed file shares in the cloud that are accessible via the
industry standard Server Message Block (SMB) or Network File System (NFS) protocols. SMB Azure file
shares are accessible from Windows, Linux, and macOS clients. NFS Azure Files shares are accessible from
Linux or macOS clients. Additionally, SMB Azure file shares can be cached on Windows Servers with Azure
File Sync for fast access near where the data is being used.
i. Azure Files key benefits:
1. Shared access: Azure file shares support the industry standard SMB and NFS protocols,
meaning you can seamlessly replace your on-premises file shares with Azure file shares
without worrying about application compatibility.
2. Fully managed: Azure file shares can be created without the need to manage hardware or
an OS. This means you don't have to deal with patching the server OS with critical security
upgrades or replacing faulty hard disks.
3. Scripting and tooling: PowerShell cmdlets and Azure CLI can be used to create, mount, and
manage Azure file shares as part of the administration of Azure applications. You can also
create and manage Azure file shares using the Azure portal and Azure Storage Explorer.
4. Resiliency: Azure Files has been built from the ground up to always be available. Replacing
on-premises file shares with Azure Files means you don't have to wake up in the middle of
the night to deal with local power outages or network issues.
5. Familiar programmability: Applications running in Azure can access data in the share via
file system I/O APIs. Developers can therefore use their existing code and skills to migrate
existing applications. In addition to System IO APIs, you can use Azure Storage Client
Libraries or the Azure Storage REST API.

e. Azure Queues: Azure Queue storage is a service for storing large numbers of messages. Once stored, you
can access the messages from anywhere in the world via authenticated calls using HTTP or HTTPS. A queue
can contain as many messages as your storage account has room for (potentially millions). Each individual
message can be up to 64 KB in size. Queues are commonly used to create a backlog of work to process
asynchronously. Queue storage can be combined with compute functions like Azure Functions to take an
action when a message is received. For example, you want to perform an action after a customer uploads
a form to your website. You could have the submit button on the website trigger a message to the Queue
storage. Then, you could use Azure Functions to trigger an action once the message was received.
f. Azure Disks: Azure Disk storage, or Azure managed disks, are block-level storage volumes managed by
Azure for use with Azure VMs.
g. Azure Tables: Azure Table storage stores large amounts of structured data. Azure tables are a NoSQL
datastore that accepts authenticated calls from inside and outside the Azure cloud. This enables you to
use Azure tables to build your hybrid or multi-cloud solution and have your data always available. Azure
tables are ideal for storing structured, non-relational data.
17. Identify Azure data migration options: Azure supports both real-time migration of infrastructure, applications, and
data using Azure Migrate as well as asynchronous migration of data using Azure Data Box.
a. Azure Migrate: Azure Migrate is a service that helps you migrate from an on-premises environment to the
cloud. Azure Migrate functions as a hub to help you manage the assessment and migration of your on-
premises datacenter to Azure. It provides the following:
i. Unified migration platform: A single portal to start, run, and track your migration to Azure.
ii. Range of tools: A range of tools for assessment and migration. Azure Migrate tools include Azure
Migrate: Discovery and assessment and Azure Migrate: Server Migration. Azure Migrate also
integrates with other Azure services and tools, and with independent software vendor (ISV)
offerings.
iii. Assessment and migration: In the Azure Migrate hub, you can assess and migrate your on-
premises infrastructure to Azure.

b. Integrated tools: In addition to working with tools from ISVs, the Azure Migrate hub also includes the
following tools to help with migration:
i. Azure Migrate: Discovery and assessment. Discover and assess on-premises servers running on
VMware, Hyper-V, and physical servers in preparation for migration to Azure.
ii. Azure Migrate: Server Migration. Migrate VMware VMs, Hyper-V VMs, physical servers, other
virtualized servers, and public cloud VMs to Azure.
iii. Data Migration Assistant. Data Migration Assistant is a stand-alone tool to assess SQL Servers. It
helps pinpoint potential problems blocking migration. It identifies unsupported features, new
features that can benefit you after migration, and the right path for database migration.
iv. Azure Database Migration Service. Migrate on-premises databases to Azure VMs running SQL
Server, Azure SQL Database, or SQL Managed Instances.
v. Azure App Service migration assistant. Azure App Service migration assistant is a standalone tool
to assess on-premises websites for migration to Azure App Service. Use Migration Assistant to
migrate .NET and PHP web apps to Azure.
vi. Azure Data Box. Use Azure Data Box products to move large amounts of offline data to Azure.

c. Azure Data Box:


i. Azure Data Box is a physical migration service that helps transfer large amounts of data in a quick,
inexpensive, and reliable way. The secure data transfer is accelerated by shipping you a
proprietary Data Box storage device that has a maximum usable storage capacity of 80 terabytes.
The Data Box is transported to and from your datacenter via a regional carrier. A rugged case
protects and secures the Data Box from damage during transit.
ii. You can order the Data Box device via the Azure portal to import or export data from Azure. Once
the device is received, you can quickly set it up using the local web UI and connect it to your
network. Once you’re finished transferring the data (either into or out of Azure), simply return the
Data Box. If you’re transferring data into Azure, the data is automatically uploaded once Microsoft
receives the Data Box back. The entire process is tracked end-to-end by the Data Box service in the
Azure portal.
iii. Use cases: Data Box is ideally suited to transferring data sets larger than 40 TB in scenarios with no or
limited network connectivity. The data movement can be one-time, periodic, or an initial bulk data
transfer followed by periodic transfers over the network.
1. Here are the various scenarios where Data Box can be used to import data to Azure.
a. Onetime migration - when a large amount of on-premises data is moved to Azure.
b. Moving a media library from offline tapes into Azure to create an online media
library.
c. Migrating your VM farm, SQL server, and applications to Azure.
d. Moving historical data to Azure for in-depth analysis and reporting using
HDInsight.
e. Initial bulk transfer - when an initial bulk transfer is done using Data Box (seed)
followed by incremental transfers over the network.
f. Periodic uploads - when large amount of data is generated periodically and needs
to be moved to Azure.
2. Here are the various scenarios where Data Box can be used to export data from Azure:
a. Disaster recovery - when a copy of the data from Azure is restored to an on-
premises network. In a typical disaster recovery scenario, a large amount of Azure
data is exported to a Data Box. Microsoft then ships this Data Box, and the data is
restored on your premises in a short time.
b. Security requirements - when you need to be able to export data out of Azure due
to government or security requirements.
c. Migrate back to on-premises or to another cloud service provider - when you
want to move all the data back to on-premises, or to another cloud service
provider, export data via Data Box to migrate the workloads.
3. Once the data from your import order is uploaded to Azure, the disks on the device are
wiped in accordance with NIST SP 800-88 Rev. 1. For an export order, the disks are erased once
the device reaches the Azure datacenter. While the device is in transit, the data on it is
protected by AES 256-bit encryption, so a lost or intercepted box does not expose its contents.
18. Azure file movement options: In addition to large scale migration using services like Azure Migrate and Azure Data
Box, Azure also has tools designed to help you move or interact with individual files or small file groups.
a. AzCopy:
i. AzCopy is a command-line utility that you can use to copy blobs or files to or from your storage
account. With AzCopy, you can upload files, download files, copy files between storage accounts,
and even synchronize files. AzCopy can even be configured to work with other cloud providers to
help move files back and forth between clouds.
ii. Synchronizing blobs or files with AzCopy is one-direction synchronization. When you synchronize,
you designate the source and destination, and AzCopy copies files or blobs in that direction only. It
doesn't synchronize bi-directionally based on timestamps or other metadata.
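Added example (not from the notes and not AzCopy's own code): a Python model of the decision `azcopy sync` makes per file. It assumes AzCopy's comparison by last-modified time and models the `--delete-destination` flag, which is off by default; the two sample trees are constructed. The point it makes concrete is that a newer copy at the destination is never copied back, and destination-only files are left alone unless you ask for deletion.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Model of azcopy sync's per-file decision (added example, not AzCopy source).
# Assumption: files are compared by last-modified time, as AzCopy does by default.

@dataclass(frozen=True)
class SyncPlan:
    copy: tuple       # files written at the destination
    delete: tuple     # destination-only files removed (only with delete_destination=True)
    untouched: tuple  # files the sync leaves as they are

def plan_sync(source, destination, delete_destination=False):
    """Plan a one-direction sync from source to destination.

    source/destination: dict of relative path -> last-modified datetime.
    Rules modelled:
      * a file only in source is copied;
      * a file in both is copied only if the source copy is newer;
      * nothing ever flows destination -> source, even if the destination is newer;
      * destination-only files are kept unless delete_destination is True
        (mirrors azcopy sync's --delete-destination flag, default false).
    """
    copy, delete, untouched = [], [], []
    for path, src_mtime in sorted(source.items()):
        dst_mtime = destination.get(path)
        if dst_mtime is None or src_mtime > dst_mtime:
            copy.append(path)
        else:
            untouched.append(path)
    for path in sorted(destination):
        if path not in source:
            (delete if delete_destination else untouched).append(path)
    return SyncPlan(tuple(copy), tuple(delete), tuple(untouched))

def _t(day, hour=0):
    return datetime(2024, 1, day, hour, tzinfo=timezone.utc)

# Constructed sample trees: config.json is newer at the destination, main.py is
# newer at the source, old.log exists only at the source, tmp.bin only at the destination.
SOURCE = {"app/config.json": _t(10), "app/main.py": _t(12), "logs/old.log": _t(1)}
DESTINATION = {"app/config.json": _t(11), "app/main.py": _t(10), "scratch/tmp.bin": _t(5)}

if __name__ == "__main__":
    plan = plan_sync(SOURCE, DESTINATION)
    print("copy      :", plan.copy)        # ('app/main.py', 'logs/old.log')
    print("untouched :", plan.untouched)   # ('app/config.json', 'scratch/tmp.bin')
    mirror = plan_sync(SOURCE, DESTINATION, delete_destination=True)
    print("delete    :", mirror.delete)    # ('scratch/tmp.bin',)
```

The practical consequence: if someone edits a file directly in the destination, a later sync from the source does not overwrite it, and nothing pulls that edit back. Run the sync in the other direction deliberately if that is what you need.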
b. Azure Storage Explorer: Azure Storage Explorer is a standalone app that provides a graphical interface to
manage files and blobs in your Azure Storage Account. It works on Windows, macOS, and Linux operating
systems and uses AzCopy on the backend to perform all of the file and blob management tasks. With
Storage Explorer, you can upload to Azure, download from Azure, or move between storage accounts.
c. Azure File Sync: Azure File Sync is a tool that lets you centralize your file shares in Azure Files and keep the
flexibility, performance, and compatibility of a Windows file server. It’s almost like turning your Windows
file server into a miniature content delivery network. Once you install Azure File Sync on your local
Windows server, it will automatically stay bi-directionally synced with your files in Azure. With Azure File
Sync, you can:
i. Use any protocol that's available on Windows Server to access your data locally, including SMB,
NFS, and FTPS.
ii. Have as many caches as you need across the world.
iii. Replace a failed local server by installing Azure File Sync on a new server in the same datacenter.
iv. Configure cloud tiering so the most frequently accessed files are replicated locally, while
infrequently accessed files are kept in the cloud until requested.
19. Azure directory services: Microsoft Entra ID is a directory service that enables you to sign in and access both
Microsoft cloud applications and cloud applications that you develop. Microsoft Entra ID can also help you
maintain your on-premises Active Directory deployment. For on-premises environments, Active Directory running
on Windows Server provides an identity and access management service that's managed by your organization.
Microsoft Entra ID is Microsoft's cloud-based identity and access management service. With Microsoft Entra ID,
you control the identity accounts, but Microsoft ensures that the service is available globally. When you secure
identities on-premises with Active Directory, Microsoft doesn't monitor sign-in attempts. When you connect
Active Directory with Microsoft Entra ID, Microsoft can help protect you by detecting suspicious sign-in attempts
at no extra cost. For example, Microsoft Entra ID can detect sign-in attempts from unexpected locations or
unknown devices.
a. Who uses Microsoft Entra ID?
i. IT administrators. Administrators can use Microsoft Entra ID to control access to applications and
resources based on their business requirements.
ii. App developers. Developers can use Microsoft Entra ID to provide a standards-based approach for
adding functionality to applications that they build, such as adding SSO functionality to an app or
enabling an app to work with a user's existing credentials.
iii. Users. Users can manage their identities and take maintenance actions like self-service password
reset.
iv. Online service subscribers. Microsoft 365, Microsoft Office 365, Azure, and Microsoft Dynamics
CRM Online subscribers are already using Microsoft Entra ID to authenticate into their account.
b. What does Microsoft Entra ID do?
i. Authentication: This includes verifying identity to access applications and resources. It also
includes providing functionality such as self-service password reset, multifactor authentication, a
custom list of banned passwords, and smart lockout services.
ii. Single sign-on: Single sign-on (SSO) enables you to remember only one username and one
password to access multiple applications. A single identity is tied to a user, which simplifies the
security model. As users change roles or leave an organization, access modifications are tied to
that identity, which greatly reduces the effort needed to change or disable accounts.
iii. Application management: You can manage your cloud and on-premises apps by using Microsoft
Entra ID. Features like Application Proxy, SaaS apps, the My Apps portal, and single sign-on
provide a better user experience.
iv. Device management: Along with accounts for individual people, Microsoft Entra ID supports the
registration of devices. Registration enables devices to be managed through tools like Microsoft
Intune. It also allows for device-based Conditional Access policies to restrict access attempts to
only those coming from known devices, regardless of the requesting user account.

c. Can I connect my on-premises AD with Microsoft Entra ID?
i. If you had an on-premises environment running Active Directory and a cloud deployment using
Microsoft Entra ID, you would need to maintain two identity sets. However, you can connect
Active Directory with Microsoft Entra ID, enabling a consistent identity experience between cloud
and on-premises.
ii. One method of connecting Microsoft Entra ID with your on-premises AD is using Microsoft Entra
Connect. Microsoft Entra Connect synchronizes user identities between on-premises Active
Directory and Microsoft Entra ID. Microsoft Entra Connect synchronizes changes between both
identity systems, so you can use features like SSO, multifactor authentication, and self-service
password reset under both systems.
d. Microsoft Entra Domain Services:
i. Microsoft Entra Domain Services is a service that provides managed domain services such as
domain join, group policy, lightweight directory access protocol (LDAP), and Kerberos/NTLM
authentication. Just like Microsoft Entra ID lets you use directory services without having to
maintain the infrastructure supporting it, with Microsoft Entra Domain Services, you get the
benefit of domain services without the need to deploy, manage, and patch domain controllers
(DCs) in the cloud.
ii. A Microsoft Entra Domain Services managed domain lets you run legacy applications in the cloud
that can't use modern authentication methods, or where you don't want directory lookups to
always go back to an on-premises AD DS environment. You can lift and shift those legacy
applications from your on-premises environment into a managed domain, without needing to
manage the AD DS environment in the cloud.
iii. Microsoft Entra Domain Services integrates with your existing Microsoft Entra tenant. This
integration lets users sign into services and applications connected to the managed domain using
their existing credentials. You can also use existing groups and user accounts to secure access to
resources. These features provide a smoother lift-and-shift of on-premises resources to Azure.
e. How does Microsoft Entra Domain Services work?
i. When you create a Microsoft Entra Domain Services managed domain, you define a unique
namespace. This namespace is the domain name. Two Windows Server domain controllers are
then deployed into your selected Azure region. This deployment of DCs is known as a replica set.
ii. You don't need to manage, configure, or update these DCs. The Azure platform handles the DCs
as part of the managed domain, including backups and encryption at rest using Azure Disk
Encryption.
f. Synchronization:
i. A managed domain is configured to perform a one-way synchronization from Microsoft Entra ID to
Microsoft Entra Domain Services. You can create resources directly in the managed domain, but
they aren't synchronized back to Microsoft Entra ID. In a hybrid environment with an on-premises
AD DS environment, Microsoft Entra Connect synchronizes identity information with Microsoft
Entra ID, which is then synchronized to the managed domain.
20. Azure authentication methods: Authentication is the process of establishing the identity of a person, service, or
device. It requires the person, service, or device to provide some type of credential to prove who they are. Azure
supports multiple authentication methods, including standard passwords, single sign-on (SSO), multifactor
authentication (MFA), and passwordless.
a. Single sign-on: Single sign-on (SSO) enables a user to sign in one time and use that credential to access
multiple resources and applications from different providers.
NOTE: Single sign-on is only as secure as the initial authenticator because the subsequent connections are all based on the
security of the initial authenticator.
b. Multifactor authentication: Multifactor authentication is the process of prompting a user for an extra form
(or factor) of identification during the sign-in process. MFA helps protect against password compromise:
even when the password has been stolen, the attacker still lacks the second factor.
i. Multifactor authentication provides additional security for your identities by requiring two or
more elements to fully authenticate. These elements fall into three categories:
1. Something the user knows – this might be a password or a challenge question.
2. Something the user has – this might be a code that's sent to the user's mobile phone.
3. Something the user is – this is typically some sort of biometric property, such as a
fingerprint or face scan.
c. Microsoft Entra multifactor authentication: Microsoft Entra multifactor authentication is a Microsoft
service that provides multifactor authentication capabilities. It lets users choose an additional form of
authentication during sign-in, such as a phone call or a mobile app notification.
d. Passwordless authentication:
i. Windows Hello for Business: Windows Hello for Business is ideal for information workers that
have their own designated Windows PC. The biometric and PIN credentials are directly tied to the
user's PC, which prevents access from anyone other than the owner. With public key
infrastructure (PKI) integration and built-in support for single sign-on (SSO), Windows Hello for
Business provides a convenient method for seamlessly accessing corporate resources on-premises
and in the cloud.
ii. Microsoft Authenticator App:
iii. FIDO2 security keys:
1. The FIDO (Fast IDentity Online) Alliance helps to promote open authentication standards
and reduce the use of passwords as a form of authentication. FIDO2 is the latest standard
that incorporates the web authentication (WebAuthn) standard.
2. FIDO2 security keys are an unphishable, standards-based passwordless authentication
method that can come in any form factor. Users and organizations can use the standard to
sign in to their resources without a username or password, using an external security key
or a platform key built into a device.
3. Users can register and then select a FIDO2 security key at the sign-in interface as their
main means of authentication. These FIDO2 security keys are typically USB devices, but
could also use Bluetooth or NFC. With a hardware device that handles the authentication,
the security of an account is increased as there's no password that could be exposed or
guessed.
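Added example, not part of the notes or of any FIDO2 implementation: a Python model of why a FIDO2/WebAuthn sign-in is unphishable. The relying-party ID `login.contoso.example`, its origin, and the look-alike phishing domain `login-contoso.example` are made up. The authenticator's private-key signature is stood in for by an HMAC over the same bytes a real authenticator signs (authenticatorData followed by SHA-256 of clientDataJSON); a real key uses an asymmetric algorithm such as ES256 and the relying party stores only the public key, but the checks the relying party performs are structured the same way.

```python
import hashlib
import hmac
import json
import os

RP_ID = "login.contoso.example"                  # hypothetical relying party (RP) ID
RP_ORIGIN = "https://login.contoso.example"
PHISH_ORIGIN = "https://login-contoso.example"   # hypothetical look-alike domain

def rp_id_hash(rp_id):
    return hashlib.sha256(rp_id.encode()).digest()

class Authenticator:
    """A FIDO2 key: one credential per rpId; the secret never leaves the device.
    Assumption: HMAC stands in for the private-key signature."""
    def __init__(self):
        self.credentials = {}

    def register(self, rp_id):
        self.credentials[rp_id] = os.urandom(32)

    def get_assertion(self, rp_id, client_data_json):
        secret = self.credentials.get(rp_id)
        if secret is None:
            # No credential scoped to this rpId: the key cannot answer at all.
            raise LookupError("no credential for rpId %r" % rp_id)
        auth_data = rp_id_hash(rp_id) + b"\x01"          # rpIdHash || flags (UP set)
        signed = auth_data + hashlib.sha256(client_data_json).digest()
        return auth_data, hmac.new(secret, signed, hashlib.sha256).digest()

def browser_sign_in(authenticator, page_origin, challenge):
    """The browser derives the rpId from the page's real origin (not from anything
    the page claims about itself) and records that origin in clientDataJSON."""
    rp_id = page_origin.split("://", 1)[1]
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": challenge.hex(),
                              "origin": page_origin}).encode()
    auth_data, sig = authenticator.get_assertion(rp_id, client_data)
    return client_data, auth_data, sig

def rp_verify(credential_secret, issued_challenge, client_data, auth_data, sig):
    """Relying-party checks, in the order the WebAuthn spec lists them.
    credential_secret stands in for the stored public key (see assumption above)."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False
    if cd.get("challenge") != issued_challenge.hex():
        return False                              # replay or wrong session
    if cd.get("origin") != RP_ORIGIN:
        return False                              # signed for another origin
    if auth_data[:32] != rp_id_hash(RP_ID):
        return False
    expected = hmac.new(credential_secret,
                        auth_data + hashlib.sha256(client_data).digest(),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)

def run_scenarios():
    key = Authenticator()
    key.register(RP_ID)
    stored = key.credentials[RP_ID]               # RP-side copy (a public key in reality)
    challenge = os.urandom(32)

    # 1. Genuine sign-in on the real origin.
    cd, ad, sig = browser_sign_in(key, RP_ORIGIN, challenge)
    genuine = rp_verify(stored, challenge, cd, ad, sig)

    # 2. Phishing page: the browser scopes the request to the look-alike rpId,
    #    for which the key holds nothing, so no assertion is produced.
    try:
        browser_sign_in(key, PHISH_ORIGIN, challenge)
        blocked_at_key = False
    except LookupError:
        blocked_at_key = True

    # 3. Relay modelled at the RP: clientData names the phishing origin. Even with
    #    a valid signature over it, the RP's origin check rejects it.
    evil_cd = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                          "origin": PHISH_ORIGIN}).encode()
    ad2, sig2 = key.get_assertion(RP_ID, evil_cd)
    relayed_ok = rp_verify(stored, challenge, evil_cd, ad2, sig2)

    # 4. Replaying the genuine assertion against a fresh challenge fails.
    replay_ok = rp_verify(stored, os.urandom(32), cd, ad, sig)

    return {"genuine": genuine, "blocked_at_key": blocked_at_key,
            "relayed_rejected": not relayed_ok, "replay_rejected": not replay_ok}

if __name__ == "__main__":
    print(run_scenarios())   # all four values True
```

Two properties do the work: the credential is bound to the rpId the browser computes from the page's origin, so a look-alike site never gets an assertion, and the signed clientData carries the origin and a fresh challenge, so a relayed or replayed response fails at the relying party.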
21. Azure external identities: An external identity is a person, device, service, etc. that is outside your organization.
Microsoft Entra External ID refers to all the ways you can securely interact with users outside of your organization.
a. The following capabilities make up External Identities:
i. Business to business (B2B) collaboration - Collaborate with external users by letting them use their
preferred identity to sign-in to your Microsoft applications or other enterprise applications (SaaS
apps, custom-developed apps, etc.). B2B collaboration users are represented in your directory,
typically as guest users.
ii. B2B direct connect - Establish a mutual, two-way trust with another Microsoft Entra organization
for seamless collaboration. B2B direct connect currently supports Teams shared channels,
enabling external users to access your resources from within their home instances of Teams. B2B
direct connect users aren't represented in your directory, but they're visible from within the
Teams shared channel and can be monitored in Teams admin center reports.
iii. Azure Active Directory B2C (Azure AD B2C) - Publish modern SaaS apps or custom-developed apps
(excluding Microsoft apps) to consumers and customers, while using Azure AD B2C for identity and
access management.
22. Azure conditional access
a. Conditional Access is a tool that Microsoft Entra ID uses to allow (or deny) access to resources based on
identity signals. These signals include who the user is, where the user is, and what device the user is
requesting access from.
b. Conditional Access helps IT administrators:
i. Empower users to be productive wherever and whenever.
ii. Protect the organization's assets.
c. Conditional Access also provides a more granular multifactor authentication experience for users. For
example, a user might not be challenged for a second authentication factor if they're at a known location,
but might be challenged if their sign-in signals are unusual or they're at an unexpected location.
d. During sign-in, Conditional Access collects signals from the user, makes decisions based on those signals,
and then enforces that decision by allowing or denying the access request or challenging for a multifactor
authentication response.
e. If the user is signing in from an unusual location or a location that's marked as high risk, then access might
be blocked entirely or possibly granted after the user provides a second form of authentication.
f. Conditional Access is useful when you need to:
i. Require multifactor authentication (MFA) to access an application depending on the requester’s
role, location, or network. For example, you could require MFA for administrators but not regular
users or for people connecting from outside your corporate network.
ii. Require access to services only through approved client applications. For example, you could limit
which email applications are able to connect to your email service.
iii. Require users to access your application only from managed devices. A managed device is a device
that meets your standards for security and compliance.
iv. Block access from untrusted sources, such as access from unknown or unexpected locations.
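Added example serving both the MFA factor categories in 20.b and the Conditional Access use cases in 22.f; it is not from the notes and not a Microsoft Entra API. It models a sign-in as a bundle of signals, evaluates constructed policies against them, and enforces the union of the resulting controls; the policy names, the approved-client list and the sample sign-ins are all made up. The MFA check insists that the presented factors span two different categories, which is why a password plus a security question is still challenged.

```python
from dataclasses import dataclass

FACTOR_CATEGORY = {                 # the three categories from the notes
    "password": "knows", "security_question": "knows", "pin": "knows",
    "authenticator_app": "has", "sms_code": "has", "fido2_key": "has",
    "fingerprint": "is", "face": "is",
}
APPROVED_MAIL_CLIENTS = {"Outlook"}     # hypothetical approved-client list

def is_multifactor(presented):
    """True only when the factors span two or more categories. A password plus a
    security question is still one category ("knows") and does not count."""
    return len({FACTOR_CATEGORY[f] for f in presented}) >= 2

@dataclass(frozen=True)
class SignIn:
    user: str
    roles: frozenset
    resource: str          # app being requested
    location: str          # "corpnet", "trusted", "unknown" or "high_risk"
    device_managed: bool
    client_app: str
    factors: tuple         # factors already presented in this sign-in

# (policy name, condition on the signals, control): constructed policies that
# mirror the use cases in the notes.
POLICIES = [
    ("Block high-risk locations",    lambda s: s.location == "high_risk",        "block"),
    ("MFA for privileged roles",     lambda s: "GlobalAdministrator" in s.roles, "require_mfa"),
    ("MFA outside corpnet",          lambda s: s.location != "corpnet",          "require_mfa"),
    ("HR only from managed devices", lambda s: s.resource == "HR",               "require_managed_device"),
    ("Mail only via approved apps",  lambda s: s.resource == "Exchange",         "require_approved_client"),
]

def evaluate(signin, policies=POLICIES):
    """Collect the signals, apply every matching policy, then enforce the union of
    their controls. Returns (decision, reason); decision is 'block',
    'challenge_mfa' or 'grant'. A block from any policy wins outright."""
    required = set()
    for name, applies, control in policies:
        if applies(signin):
            if control == "block":
                return "block", name
            required.add(control)
    if "require_managed_device" in required and not signin.device_managed:
        return "block", "unmanaged device"
    if "require_approved_client" in required and signin.client_app not in APPROVED_MAIL_CLIENTS:
        return "block", "client app not approved"
    if "require_mfa" in required and not is_multifactor(signin.factors):
        return "challenge_mfa", "second factor from a different category needed"
    return "grant", ",".join(sorted(required)) or "no controls required"

# Constructed sign-ins
SAMPLES = {
    "admin_corpnet_pw":  SignIn("alice", frozenset({"GlobalAdministrator"}), "Portal", "corpnet", True, "Browser", ("password",)),
    "user_corpnet_pw":   SignIn("bob", frozenset(), "Portal", "corpnet", True, "Browser", ("password",)),
    "user_home_pw_q":    SignIn("bob", frozenset(), "Portal", "trusted", False, "Browser", ("password", "security_question")),
    "user_home_pw_app":  SignIn("bob", frozenset(), "Portal", "trusted", False, "Browser", ("password", "authenticator_app")),
    "user_risky":        SignIn("bob", frozenset(), "Portal", "high_risk", True, "Browser", ("password", "fido2_key")),
    "mail_from_browser": SignIn("bob", frozenset(), "Exchange", "corpnet", True, "Browser", ("password",)),
    "hr_from_byod":      SignIn("carol", frozenset(), "HR", "trusted", False, "Browser", ("password", "face")),
}

if __name__ == "__main__":
    for label, s in SAMPLES.items():
        print(f"{label:18s} -> {evaluate(s)}")
```

Note the ordering inside `evaluate`: a block decision short-circuits before any grant control is considered, and a device or client-app requirement that cannot be met is a block rather than an MFA prompt, because no second factor would satisfy it.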
23. Azure role-based access control
a. Azure provides built-in roles that describe common access rules for cloud resources. You can also define
your own roles. Each role has an associated set of access permissions that relate to that role. When you
assign individuals or groups to one or more roles, they receive all the associated access permissions.
b. Example: A user who needs to manage a management group, subscription, or resource group might be assigned
the Owner role at that scope, giving them full control there. An observer who isn't expected to make any
changes might be assigned the Reader role at the same scope, which lets them review the management group,
subscription, or resource group without modifying it.
c. Azure RBAC is hierarchical, in that when you grant access at a parent scope, those permissions are
inherited by all child scopes.
d. Azure RBAC is enforced on any action that's initiated against an Azure resource that passes through Azure
Resource Manager.
e. Resource Manager is a management service that provides a way to organize and secure your cloud
resources.
f. You typically access Resource Manager from the Azure portal, Azure Cloud Shell, Azure PowerShell, and
the Azure CLI. Azure RBAC doesn't enforce access permissions at the application or data level. Application
security must be handled by your application.
g. Azure RBAC uses an allow model. When you're assigned a role, Azure RBAC allows you to perform actions
within the scope of that role. If one role assignment grants you read permissions to a resource group and a
different role assignment grants you write permissions to the same resource group, you have both read
and write permissions on that resource group. The one exception is a deny assignment, which Azure creates on
behalf of services such as Azure Blueprints and Azure managed applications and which takes precedence over
any role assignment; you can't create deny assignments directly.
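Added example, not from the notes and not Azure's own evaluation code: a Python model of management-plane RBAC evaluation showing scope inheritance, wildcard action strings, `NotActions`, and the additive allow model. The three role definitions are abbreviated from the real built-in roles; the subscription ID, resource-group names and principals are constructed. The model leaves out data-plane `DataActions` and deny assignments.

```python
import fnmatch

# Abbreviated built-in roles (real roles carry many more entries).
ROLES = {
    "Reader":      {"Actions": ["*/read"], "NotActions": []},
    "Contributor": {"Actions": ["*"],
                    "NotActions": ["Microsoft.Authorization/*/Write",
                                   "Microsoft.Authorization/*/Delete"]},
    "Owner":       {"Actions": ["*"], "NotActions": []},
}

# Constructed scopes in Azure resource-ID layout.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG_APP = SUB + "/resourceGroups/rg-app"
RG_DATA = SUB + "/resourceGroups/rg-data"
VM1 = RG_APP + "/providers/Microsoft.Compute/virtualMachines/vm1"
VM2 = RG_DATA + "/providers/Microsoft.Compute/virtualMachines/vm2"

# (principal, role, scope): constructed assignments
ASSIGNMENTS = [
    ("dana", "Reader", SUB),          # inherited by every RG and resource in the subscription
    ("dana", "Contributor", RG_APP),  # adds write in one RG; the subscription Reader still applies
    ("eve", "Owner", RG_DATA),
]

def scope_covers(assignment_scope, resource_scope):
    """An assignment applies at its own scope and at every child scope below it.
    The trailing '/' check stops rg-app from covering rg-app2."""
    a = assignment_scope.lower().rstrip("/")
    r = resource_scope.lower().rstrip("/")
    return r == a or r.startswith(a + "/")

def role_permits(role, action):
    """Effective permissions of one role: Actions minus NotActions. The '*'
    wildcard spans '/' separators, as it does in Azure action strings."""
    rd = ROLES[role]
    act = action.lower()
    allowed = any(fnmatch.fnmatchcase(act, p.lower()) for p in rd["Actions"])
    excluded = any(fnmatch.fnmatchcase(act, p.lower()) for p in rd["NotActions"])
    return allowed and not excluded

def is_allowed(principal, action, resource_scope, assignments=ASSIGNMENTS):
    """Additive model: the request is allowed if any one applicable assignment
    permits the action. NotActions in one role never subtract from another role."""
    return any(
        p == principal and scope_covers(scope, resource_scope) and role_permits(role, action)
        for p, role, scope in assignments
    )

if __name__ == "__main__":
    checks = [
        ("dana", "Microsoft.Compute/virtualMachines/read", VM1),          # True: Reader at SUB, inherited
        ("dana", "Microsoft.Compute/virtualMachines/write", VM1),         # True: Contributor at RG_APP
        ("dana", "Microsoft.Compute/virtualMachines/write", VM2),         # False: Contributor does not reach rg-data
        ("dana", "Microsoft.Authorization/roleAssignments/write", RG_APP),# False: Contributor's NotActions
        ("eve", "Microsoft.Authorization/roleAssignments/write", RG_DATA),# True: Owner
        ("eve", "Microsoft.Compute/virtualMachines/read", VM1),           # False: no assignment covers rg-app
    ]
    for principal, action, scope in checks:
        print(f"{principal:5s} {action:52s} {'ALLOW' if is_allowed(principal, action, scope) else 'DENY'}")
```

The line to notice is the comment on `is_allowed`: a `NotActions` entry only trims the role it belongs to. Giving a principal Contributor (which excludes role-assignment writes) and separately a custom role that allows them yields the union, so the exclusion is not a guardrail against other assignments.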
24. Zero trust model
a. Zero Trust assumes breach at the outset, and then verifies each request as though it originated from an
uncontrolled network.
b. Zero Trust security model guiding principles:
i. Verify explicitly - Always authenticate and authorize based on all available data points.
ii. Use least privilege access - Limit user access with Just-In-Time and Just-Enough-Access (JIT/JEA),
risk-based adaptive policies, and data protection.
iii. Assume breach - Minimize blast radius and segment access. Verify end-to-end encryption. Use
analytics to get visibility, drive threat detection, and improve defenses.
c. Instead of assuming that a device is safe because it's within the corporate network, Zero Trust requires
everyone to authenticate, and then grants access based on that authentication rather than on network location.
25. Defense-in-depth
a. Here's a brief overview of the role of each layer:
i. The physical security layer is the first line of defense to protect computing hardware in the
datacenter.
ii. The identity and access layer controls access to infrastructure and change control.
iii. The perimeter layer uses distributed denial of service (DDoS) protection to filter large-scale attacks
before they can cause a denial of service for users.
iv. The network layer limits communication between resources through segmentation and access
controls.
v. The compute layer secures access to virtual machines.
vi. The application layer helps ensure that applications are secure and free of security vulnerabilities.
vii. The data layer controls access to business and customer data that you need to protect.
b. Physical security: Physically securing access to buildings and controlling access to computing hardware
within the datacenter are the first line of defense.
c. Identity and access:
i. The identity and access layer is all about ensuring that identities are secure, that access is granted
only to what's needed, and that sign-in events and changes are logged.
ii. At this layer, it's important to:
1. Control access to infrastructure and change control.
2. Use single sign-on (SSO) and multifactor authentication.
3. Audit events and changes.
d. Perimeter:
i. The network perimeter protects from network-based attacks against your resources. Identifying
these attacks, eliminating their impact, and alerting you when they happen are important ways to
keep your network secure.
ii. At this layer, it's important to:
1. Use DDoS protection to filter large-scale attacks before they can affect the availability of a
system for users.
2. Use perimeter firewalls to identify and alert on malicious attacks against your network.
e. Network:
i. At this layer, the focus is on limiting the network connectivity across all your resources to allow
only what's required. By limiting this communication, you reduce the risk of an attack spreading to
other systems in your network.
ii. At this layer, it's important to:
1. Limit communication between resources.
2. Deny by default.
3. Restrict inbound internet access and limit outbound access where appropriate.
4. Implement secure connectivity to on-premises networks.
f. Compute:
i. Malware, unpatched systems, and improperly secured systems open your environment to attacks.
The focus in this layer is on making sure that your compute resources are secure and that you
have the proper controls in place to minimize security issues.
ii. At this layer, it's important to:
1. Secure access to virtual machines.
2. Implement endpoint protection on devices and keep systems patched and current.
g. Application:
i. Integrating security into the application development lifecycle helps reduce the number of
vulnerabilities introduced in code. Every development team should ensure that its applications are
secure by default.
ii. At this layer, it's important to:
1. Ensure that applications are secure and free of vulnerabilities.
2. Store sensitive application secrets in a secure storage medium.
3. Make security a design requirement for all application development.
h. Data
i. Those who store and control access to data are responsible for ensuring that it's properly secured.
Often, regulatory requirements dictate the controls and processes that must be in place to ensure
the confidentiality, integrity, and availability of the data.
ii. In almost all cases, attackers are after data:
1. Stored in a database.
2. Stored on disk inside virtual machines.
3. Stored in software as a service (SaaS) applications, such as Office 365.
4. Managed through cloud storage.
26. Microsoft Defender for Cloud:
a. Defender for Cloud is a monitoring tool for security posture management and threat protection. It
monitors your cloud, on-premises, hybrid, and multi-cloud environments to provide guidance and
notifications aimed at strengthening your security posture.
b. Defender for Cloud provides the tools needed to harden your resources, track your security posture,
protect against cyber attacks, and streamline security management.
c. When necessary, Defender for Cloud can automatically deploy a Log Analytics agent to gather security-
related data. For Azure machines, deployment is handled directly. For hybrid and multi-cloud
environments, Microsoft Defender plans are extended to non-Azure machines with the help of Azure Arc.
Cloud security posture management (CSPM) features are extended to multi-cloud machines without the
need for any agents.
d. Azure-native protections:
i. Azure PaaS services – Detect threats targeting Azure services including Azure App Service, Azure
SQL, Azure Storage Account, and more data services. You can also perform anomaly detection on
your Azure activity logs using the native integration with Microsoft Defender for Cloud Apps
(formerly known as Microsoft Cloud App Security).
ii. Azure data services – Defender for Cloud includes capabilities that help you automatically classify
your data in Azure SQL. You can also get assessments for potential vulnerabilities across Azure SQL
and Storage services, and recommendations for how to mitigate them.
iii. Networks – Defender for Cloud helps you limit exposure to brute force attacks. By reducing access
to virtual machine ports, using the just-in-time VM access, you can harden your network by
preventing unnecessary access. You can set secure access policies on selected ports, for only
authorized users, allowed source IP address ranges or IP addresses, and for a limited amount of
time.
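Added example serving both the network layer's "deny by default" guidance in 25.e and the just-in-time VM access described here; it is not from the notes and not Azure's own code. It models how a network security group evaluates inbound rules (lowest priority number first, first match wins, Azure's three default rules behind every user rule) and how a JIT request adds a narrow, time-boxed allow rule that disappears when its window closes. Rule names, priorities, addresses, the VNet address space behind the `VirtualNetwork` tag and the 24-hour cap are all constructed; the `Internet` tag is simplified to "anything outside the VNet".

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

VNET = ipaddress.ip_network("10.0.0.0/16")        # assumed address space behind the VirtualNetwork tag
AZURE_LB = ipaddress.ip_address("168.63.129.16")  # Azure load balancer health-probe address

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int                 # lower number = evaluated first; 100-4096 for user rules
    access: str                   # "Allow" or "Deny"
    protocol: str                 # "Tcp", "Udp" or "*"
    source: str                   # CIDR or tag: Internet, VirtualNetwork, AzureLoadBalancer, *
    dest_port: str                # single port or "*"
    expires: Optional[datetime] = None   # set only on JIT-created rules

# Azure's default inbound rules; they sit behind every user rule.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "AzureLoadBalancer", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*"),
]

def source_matches(rule_source, src_ip):
    ip = ipaddress.ip_address(src_ip)
    if rule_source == "*":
        return True
    if rule_source == "VirtualNetwork":
        return ip in VNET
    if rule_source == "Internet":
        return ip not in VNET             # simplification: anything outside the VNet
    if rule_source == "AzureLoadBalancer":
        return ip == AZURE_LB
    return ip in ipaddress.ip_network(rule_source, strict=False)

def evaluate_inbound(user_rules, src_ip, port, protocol="Tcp", now=None):
    """First match in priority order wins; expired JIT rules are ignored."""
    now = now or datetime.now(timezone.utc)
    live = [r for r in user_rules if r.expires is None or r.expires > now]
    for r in sorted(live + DEFAULT_INBOUND, key=lambda r: r.priority):
        if r.protocol not in ("*", protocol):
            continue
        if r.dest_port not in ("*", str(port)):
            continue
        if source_matches(r.source, src_ip):
            return r.access, r.name
    return "Deny", "DenyAllInBound"       # not reached: DenyAllInBound matches everything

def jit_request(user_rules, requester_ip, port, hours, now, priority=100):
    """Just-in-time access: one source address, one port, one time window,
    placed ahead of the permanent rules. The 24-hour cap is an assumed policy
    maximum, not an Azure constant."""
    if not 0 < hours <= 24:
        raise ValueError("request a window between 1 and 24 hours")
    rule = Rule(f"JIT-{port}-{requester_ip}", priority, "Allow", "Tcp",
                f"{requester_ip}/32", str(port), expires=now + timedelta(hours=hours))
    return user_rules + [rule]

# Constructed baseline: HTTPS open to the internet, SSH explicitly denied
# (DenyAllInBound would catch it anyway; the explicit rule documents intent).
BASELINE = [
    Rule("AllowHttpsFromInternet", 300, "Allow", "Tcp", "Internet", "443"),
    Rule("DenySshFromInternet", 310, "Deny", "Tcp", "Internet", "22"),
]
T0 = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)

def scenario_results():
    with_jit = jit_request(BASELINE, "203.0.113.7", 22, 3, T0)
    return {
        "https_from_internet": evaluate_inbound(BASELINE, "203.0.113.7", 443, now=T0),
        "ssh_from_internet":   evaluate_inbound(BASELINE, "203.0.113.7", 22, now=T0),
        "ssh_from_vnet":       evaluate_inbound(BASELINE, "10.0.1.5", 22, now=T0),
        "unlisted_port":       evaluate_inbound(BASELINE, "203.0.113.7", 8080, now=T0),
        "jit_requester_1h":    evaluate_inbound(with_jit, "203.0.113.7", 22, now=T0 + timedelta(hours=1)),
        "jit_other_ip_1h":     evaluate_inbound(with_jit, "198.51.100.9", 22, now=T0 + timedelta(hours=1)),
        "jit_requester_4h":    evaluate_inbound(with_jit, "203.0.113.7", 22, now=T0 + timedelta(hours=4)),
    }

if __name__ == "__main__":
    for label, result in scenario_results().items():
        print(f"{label:20s} {result}")
```

Two things worth checking in a real NSG follow from the model: an unlisted port is denied only because `DenyAllInBound` sits last, so any user rule with a broad source and `*` port ahead of it silently reopens everything; and a JIT rule is only as narrow as the requester's source address, so requests from a shared NAT egress open the port to everyone behind that address for the window.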
e. Defend your hybrid resources:
i. In addition to defending your Azure environment, you can add Defender for Cloud capabilities to
your hybrid cloud environment to protect your non-Azure servers. To help you focus on what
matters the most, you'll get customized threat intelligence and prioritized alerts according to your
specific environment.
ii. To extend protection to on-premises machines, deploy Azure Arc and enable Defender for Cloud's
enhanced security features.
f. Defend resources running on other clouds: For example, if you've connected an Amazon Web Services
(AWS) account to an Azure subscription, you can enable any of these protections:
i. Defender for Cloud's CSPM features extend to your AWS resources. This agentless plan assesses
your AWS resources according to AWS-specific security recommendations, and includes the
results in the secure score. The resources will also be assessed for compliance with built-in
standards specific to AWS (AWS CIS, AWS PCI DSS, and AWS Foundational Security Best Practices).
Defender for Cloud's asset inventory page is a multi-cloud enabled feature helping you manage
your AWS resources alongside your Azure resources.
ii. Microsoft Defender for Containers extends its container threat detection and advanced defenses
to your Amazon EKS Linux clusters.
iii. Microsoft Defender for Servers brings threat detection and advanced defenses to your Windows
and Linux EC2 instances.
g. Assess, Secure, and Defend:
i. Defender for Cloud fills three vital needs as you manage the security of your resources and
workloads in the cloud and on-premises:
1. Continuously assess – Know your security posture. Identify and track vulnerabilities.
2. Secure – Harden resources and services with Azure Security Benchmark.
3. Defend – Detect and resolve threats to resources, workloads, and services.
ii. Continuously assess:
1. Defender for cloud helps you continuously assess your environment. Defender for Cloud
includes vulnerability assessment solutions for your virtual machines, container registries,
and SQL servers.
2. Microsoft Defender for Servers includes automatic, native integration with Microsoft
Defender for Endpoint. With this integration enabled, you have access to the
vulnerability findings from Microsoft Defender Vulnerability Management.
3. Between these assessment tools you’ll have regular, detailed vulnerability scans that
cover your compute, data, and infrastructure. You can review and respond to the results
of these scans all from within Defender for Cloud.
iii. Secure:
1. Because policies in Defender for Cloud are built on top of Azure Policy controls, you're
getting the full range and flexibility of a world-class policy solution.
2. In Defender for Cloud, you can set your policies to run on management groups, across
subscriptions, and even for a whole tenant.
3. The list of recommendations is enabled and supported by the Azure Security Benchmark (since
renamed the Microsoft cloud security benchmark). This Microsoft-authored benchmark provides a
set of guidelines for security and compliance best practices based on common compliance frameworks.
4. To help you understand how important each recommendation is to your overall security
posture, Defender for Cloud groups the recommendations into security controls and adds
a secure score value to each control. The secure score gives you an at-a-glance indicator of
the health of your security posture, while the controls give you a working list of things to
consider to improve your security score and your overall security posture.
iv. Defend:
1. Security alerts:
a. When Defender for Cloud detects a threat in any area of your environment, it
generates a security alert. Security alerts:
i. Describe details of the affected resources
ii. Suggest remediation steps
iii. Provide, in some cases, an option to trigger a logic app in response
b. Whether an alert is generated by Defender for Cloud or received by Defender for
Cloud from an integrated security product, you can export it. Defender for Cloud's
threat protection includes fusion kill-chain analysis, which automatically
correlates alerts in your environment based on cyber kill-chain analysis, to help
you better understand the full story of an attack campaign, where it started, and
what kind of impact it had on your resources.
2. Advanced threat protection: Defender for cloud provides advanced threat protection
features for many of your deployed resources, including virtual machines, SQL databases,
containers, web applications, and your network. Protections include securing the
management ports of your VMs with just-in-time access, and adaptive application controls
to create allowlists for what apps should and shouldn't run on your machines.
Microsoft Azure Fundamentals: Describe Azure management and governance
1. Factors that can affect costs in Azure:
a. Resource type: The type of resources, the settings for the resource, and the Azure region will all have an
impact on how much a resource costs. When you provision an Azure resource, Azure creates metered
instances for that resource. The meters track the resources' usage and generate a usage record that is
used to calculate your bill. Examples:
i. With a storage account, you specify a type such as blob, a performance tier, an access tier,
redundancy settings, and a region. Creating the same storage account in different regions may
show different costs and changing any of the settings may also impact the price.
ii. With a virtual machine (VM), you may have to consider licensing for the operating system or other
software, the processor and number of cores for the VM, the attached storage, and the network
interface. Just like with storage, provisioning the same virtual machine in different regions may
result in different costs.
b. Consumption: Azure also offers the ability to commit to using a set amount of cloud resources in advance
and receiving discounts on those “reserved” resources. Many services, including databases, compute, and
storage all provide the option to commit to a level of use and receive a discount, in some cases up to 72
percent. When you reserve capacity, you’re committing to using and paying for a certain amount of Azure
resources during a given period (typically one or three years). With the back-up of pay-as-you-go, if you
see a sudden surge in demand that eclipses what you’ve pre-reserved, you just pay for the additional
resources in excess of your reservation. This model allows you to recognize significant savings on reliable,
consistent workloads while also having the flexibility to rapidly increase your cloud footprint as the need
arises.
c. Maintenance: The flexibility of the cloud makes it possible to rapidly adjust resources based on demand.
Using resource groups can help keep all of your resources organized. In order to control costs, it’s
important to maintain your cloud environment. For example, every time you provision a VM, additional
resources such as storage and networking are also provisioned. If you deprovision the VM, those
additional resources may not deprovision at the same time, either intentionally or unintentionally. By
keeping an eye on your resources and making sure you’re not keeping around resources that are no longer
needed, you can help control cloud costs.
d. Geography: When you provision most resources in Azure, you need to define a region where the resource
deploys. Azure infrastructure is distributed globally, which enables you to deploy your services centrally or
closest to your customers, or something in between. With this global deployment comes global pricing
differences. The cost of power, labor, taxes, and fees vary depending on the location. Due to these
variations, Azure resources can differ in costs to deploy depending on the region. Network traffic is also
impacted based on geography. For example, it’s less expensive to move information within Europe than to
move information from Europe to Asia or South America.
e. Network Traffic: Bandwidth refers to data moving in and out of Azure datacenters. Some inbound data
transfers (data going into Azure datacenters) are free. For outbound data transfers (data leaving Azure
datacenters), data transfer pricing is based on zones. A zone is a geographical grouping of Azure regions
for billing purposes. The bandwidth pricing page has additional information on pricing for data ingress,
egress, and transfer.
f. Subscription type: Some Azure subscription types also include usage allowances, which affect costs. For
example, an Azure free trial subscription provides access to a number of Azure products that are free for
12 months. It also includes credit to spend within your first 30 days of sign-up. You'll get access to more
than 25 products that are always free (based on resource and region availability).
g. Azure Marketplace: Azure Marketplace lets you purchase Azure-based solutions and services from third-
party vendors. This could be a server with software preinstalled and configured, or managed network
firewall appliances, or connectors to third-party backup services. When you purchase products through
Azure Marketplace, you may pay for not only the Azure services that you’re using, but also the services or
expertise of the third-party vendor. Billing structures are set by the vendor. All solutions available in Azure
Marketplace are certified and compliant with Azure policies and standards. The certification policies may
vary based on the service or solution type and Azure service involved. The Commercial marketplace
certification policies page has additional information on Azure Marketplace certifications.
2. Compare the Pricing and Total Cost of Ownership calculators
a. Pricing calculator:
i. The pricing calculator is designed to give you an estimated cost for provisioning resources in
Azure. You can get an estimate for individual resources, build out a solution, or use an example
scenario to see an estimate of the Azure spend. The pricing calculator’s focus is on the cost of
provisioned resources in Azure.
ii. The Pricing calculator is for information purposes only. The prices are only an estimate. Nothing is
provisioned when you add resources to the pricing calculator, and you won't be charged for any
services you select.
iii. With the pricing calculator, you can estimate the cost of any provisioned resources, including
compute, storage, and associated network costs. You can even account for different storage
options like storage type, access tier, and redundancy.
b. TCO calculator:
i. The TCO calculator is designed to help you compare the costs for running an on-premises
infrastructure compared to an Azure Cloud infrastructure. With the TCO calculator, you enter your
current infrastructure configuration, including servers, databases, storage, and outbound network
traffic. The TCO calculator then compares the anticipated costs for your current environment with
an Azure environment supporting the same infrastructure requirements.
ii. With the TCO calculator, you enter your configuration, add in assumptions like power and IT labor
costs, and are presented with an estimation of the cost difference to run the same environment in
your current datacenter or in Azure.
3. Exercise URLs:
a. Pricing calculator: https://azure.com/e/9393b8ffd4db4c9ba3a56cc0cc520f91
b. Total Cost of Ownership (TCO) calculator
4. Microsoft Cost Management tool
a. Cost Management provides the ability to quickly check Azure resource costs, create alerts based on
resource spend, and create budgets that can be used to automate management of resources.
b. Cost analysis is a subset of Cost Management that provides a quick visual for your Azure costs. Using cost
analysis, you can quickly view the total cost in a variety of different ways, including by billing cycle,
region, resource, and so on.
c. You use cost analysis to explore and analyze your organizational costs. You can view aggregated costs by
organization to understand where costs are accrued and to identify spending trends. And you can see
accumulated costs over time to estimate monthly, quarterly, or even yearly cost trends against a budget.
d. Cost alerts: Cost alerts provide a single location to quickly check on all of the different alert types that
may show up in the Cost Management service.
i. Budget alerts: Budget alerts notify you when spending, based on usage or cost, reaches or exceeds
the amount defined in the alert condition of the budget. Cost Management budgets are created
using the Azure portal or the Azure Consumption API. In the Azure portal, budgets are defined by
cost. Budgets are defined by cost or by consumption usage when using the Azure Consumption
API. Budget alerts support both cost-based and usage-based budgets. Budget alerts are generated
automatically whenever the budget alert conditions are met. You can view all cost alerts in the
Azure portal. Whenever an alert is generated, it appears in cost alerts. An alert email is also sent
to the people in the alert recipients list of the budget.
ii. Credit alerts: Credit alerts notify you when your Azure credit monetary commitments are
consumed. Monetary commitments are for organizations with Enterprise Agreements (EAs). Credit
alerts are generated automatically at 90% and at 100% of your Azure credit balance. Whenever an
alert is generated, it's reflected in cost alerts, and in the email sent to the account owners.
iii. Department spending quota alerts: Department spending quota alerts notify you when
department spending reaches a fixed threshold of the quota, for example 50 percent or 75
percent. Spending quotas are configured in the EA portal. Whenever a threshold is met, it
generates an email to department owners and appears in cost alerts.
iv. Budgets: A budget is where you set a spending limit for Azure. You can set budgets based on a
subscription, resource group, service type, or other criteria. When you set a budget, you will also
set a budget alert. When the budget hits the budget alert level, it will trigger a budget alert that
shows up in the cost alerts area. If configured, budget alerts will also send an email notification
that a budget alert threshold has been triggered. A more advanced use of budgets enables budget
conditions to trigger automation that suspends or otherwise modifies resources once the trigger
condition has occurred.
5. Purpose of tags:
a. Tags are used for:
i. Resource management: Tags enable you to locate and act on resources that are associated with
specific workloads, environments, business units, and owners.
ii. Cost management and optimization: Tags enable you to group resources so that you can report on
costs, allocate internal cost centers, track budgets, and forecast estimated cost.
iii. Operations management: Tags enable you to group resources according to how critical their
availability is to your business. This grouping helps you formulate service-level agreements (SLAs).
An SLA is an uptime or performance guarantee between you and your users.
iv. Security: Tags enable you to classify data by its security level, such as public or confidential.
v. Governance and regulatory compliance: Tags enable you to identify resources that align with
governance or regulatory compliance requirements, such as ISO 27001. Tags can also be part of
your standards enforcement efforts. For example, you might require that all resources be tagged
with an owner or department name.
vi. Workload optimization and automation: Tags can help you visualize all of the resources that
participate in complex deployments. For example, you might tag a resource with its associated
workload or application name and use software such as Azure DevOps to perform automated
tasks on those resources.
b. Managing resource tags: You can add, modify, or delete resource tags through Windows PowerShell, the
Azure CLI, Azure Resource Manager templates, the REST API, or the Azure portal. You can use Azure Policy
to enforce tagging rules and conventions. For example, you can require that certain tags be added to new
resources as they're provisioned. You can also define rules that reapply tags that have been removed.
Resources don't inherit tags from subscriptions and resource groups, meaning that you can apply tags at
one level and not have those tags automatically show up at a different level, allowing you to create
custom tagging schemas that change depending on the level (resource, resource group, subscription, and
so on).
6. Purpose of Microsoft Purview:
a. Microsoft Purview is a family of data governance, risk, and compliance solutions that helps you get a
single, unified view into your data.
b. Microsoft Purview brings insights about your on-premises, multicloud, and software-as-a-service data
together.
c. With Microsoft Purview, you can stay up-to-date on your data landscape thanks to:
i. Automated data discovery
ii. Sensitive data classification
iii. End-to-end data lineage
d. Microsoft Purview risk and compliance solutions: Microsoft 365 features as a core component of the
Microsoft Purview risk and compliance solutions. Microsoft Teams, OneDrive, and Exchange are just some
of the Microsoft 365 services that Microsoft Purview uses to help manage and monitor your data.
Microsoft Purview, by managing and monitoring your data, is able to help your organization:
i. Protect sensitive data across clouds, apps, and devices.
ii. Identify data risks and manage regulatory compliance requirements.
iii. Get started with regulatory compliance.
e. Unified data governance
i. Microsoft Purview has robust, unified data governance solutions that help manage your on-
premises, multicloud, and software as a service data. Microsoft Purview’s robust data governance
capabilities enable you to manage your data stored in Azure, SQL and Hive databases, locally, and
even in other clouds like Amazon S3.
ii. Microsoft Purview’s unified data governance helps your organization:
1. Create an up-to-date map of your entire data estate that includes data classification and
end-to-end lineage.
2. Identify where sensitive data is stored in your estate.
3. Create a secure environment for data consumers to find valuable data.
4. Generate insights about how your data is stored and used.
5. Manage access to the data in your estate securely and at scale.
7. Purpose of Azure Policy:
a. Azure Policy is a service in Azure that enables you to create, assign, and manage policies that control or
audit your resources. These policies enforce different rules across your resource configurations so that
those configurations stay compliant with corporate standards.
b. Azure Policy enables you to define both individual policies and groups of related policies, known as
initiatives. Azure Policy evaluates your resources and highlights resources that aren't compliant with the
policies you've created. Azure Policy can also prevent noncompliant resources from being created.
c. Azure Policies can be set at each level, enabling you to set policies on a specific resource, resource group,
subscription, and so on. Additionally, Azure Policies are inherited, so if you set a policy at a high level, it
will automatically be applied to all of the groupings that fall within the parent.
d. Azure Policy comes with built-in policy and initiative definitions for Storage, Networking, Compute,
Security Center, and Monitoring. For example, if you define a policy that allows only a certain size for the
virtual machines (VMs) to be used in your environment, that policy is invoked when you create a new VM
and whenever you resize existing VMs. Azure Policy also evaluates and monitors all current VM
e. In some cases, Azure Policy can automatically remediate noncompliant resources and configurations to
ensure the integrity of the state of the resources. If you have a specific resource that you don’t want Azure
Policy to automatically fix, you can flag that resource as an exception – and the policy won’t automatically
fix that resource.
f. Azure Policy also integrates with Azure DevOps by applying any continuous integration and delivery
pipeline policies that pertain to the pre-deployment and post-deployment phases of your applications.
g. Azure Policy initiatives:
i. An Azure Policy initiative is a way of grouping related policies together. The initiative definition
contains all of the policy definitions to help track your compliance state for a larger goal.
ii. For example, Azure Policy includes an initiative named Enable Monitoring in Azure Security
Center. Its goal is to monitor all available security recommendations for all Azure resource types in
Azure Security Center.
iii. Under this initiative, the following policy definitions are included:
1. Monitor unencrypted SQL Database in Security Center: This policy monitors for
unencrypted SQL databases and servers.
2. Monitor OS vulnerabilities in Security Center: This policy monitors servers that don't satisfy
the configured OS vulnerability baseline.
3. Monitor missing Endpoint Protection in Security Center: This policy monitors for servers
that don't have an installed endpoint protection agent.
iv. In fact, the Enable Monitoring in Azure Security Center initiative contains over 100 separate policy
definitions.
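The rule structure described in item 7 (the if/then policy rule, parameters, allOf/not conditions, Deny and remediation effects, and initiatives) and the tag-enforcement and reapply rules from item 5.b can be seen end to end in the following added example; it is not Azure's policy engine or code from these notes. The "Allowed virtual machine size SKUs" rule follows the built-in definition; the owner-tag Modify rule, the alias-to-property mapping, the placeholder role definition ID and the two VM resources are constructed for the example.

```python
# Mini evaluator for Azure Policy definitions (constructed example, not Azure's own
# engine): walks the "if" tree, resolves "[parameters('x')]" expressions from the
# assignment, maps field aliases to resource properties, and applies the effect.
import re
from typing import Any

PARAM_RE = re.compile(r"^\[parameters\('([^']+)'\)\]$")
TAG_RE = re.compile(r"^tags\['([^']+)'\]$")
# Real alias name; the property path is a constructed stand-in for alias resolution.
ALIASES = {"Microsoft.Compute/virtualMachines/sku.name": ("properties", "hardwareProfile", "vmSize")}

def resolve(value: Any, params: dict) -> Any:
    """Replace an ARM-style parameter expression with the assignment's value."""
    m = PARAM_RE.match(value) if isinstance(value, str) else None
    return params[m.group(1)] if m else value

def field_value(resource: dict, field: str) -> Any:
    """Read a policy field: type/name/location, tags['k'], or an alias path."""
    m = TAG_RE.match(field)
    if m:
        return (resource.get("tags") or {}).get(m.group(1))
    if field in ("type", "name", "location"):
        return resource.get(field)
    node: Any = resource
    for key in ALIASES[field]:  # unknown alias raises KeyError, like a bad definition
        node = node.get(key) if isinstance(node, dict) else None
    return node

def matches(cond: dict, resource: dict, params: dict) -> bool:
    """Evaluate one condition: a logical operator or a single field test."""
    if "allOf" in cond:
        return all(matches(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(c, resource, params) for c in cond["anyOf"])
    if "not" in cond:
        return not matches(cond["not"], resource, params)
    actual = field_value(resource, cond["field"])
    if "equals" in cond:
        return actual == resolve(cond["equals"], params)
    if "in" in cond:
        return actual in resolve(cond["in"], params)
    if "exists" in cond:
        return (actual is not None) == (str(cond["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {cond}")

def evaluate(policy: dict, params: dict, resource: dict) -> dict:
    """Apply one policy to one resource (Deny blocks, Audit records, Modify fixes in place)."""
    rule = policy["policyRule"]
    if not matches(rule["if"], resource, params):
        return {"compliant": True, "effect": None, "blocked": False}
    effect = rule["then"]["effect"]
    if effect == "Modify":
        for op in rule["then"]["details"]["operations"]:
            if op["operation"] == "addOrReplace":
                key = TAG_RE.match(op["field"]).group(1)
                resource.setdefault("tags", {})[key] = resolve(op["value"], params)
        return {"compliant": True, "effect": effect, "blocked": False}
    return {"compliant": False, "effect": effect, "blocked": effect == "Deny"}

def evaluate_initiative(initiative: list, resources: list) -> dict:
    """An initiative groups (policy, params) pairs; list non-compliant names per policy."""
    return {p["displayName"]: [r["name"] for r in resources
                               if not evaluate(p, a, r)["compliant"]]
            for p, a in initiative}

# Built-in "Allowed virtual machine size SKUs", reduced to its rule.
ALLOWED_VM_SKUS = {
    "displayName": "Allowed virtual machine size SKUs", "mode": "Indexed",
    "parameters": {"listOfAllowedSKUs": {"type": "Array"}},
    "policyRule": {"if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
        {"not": {"field": "Microsoft.Compute/virtualMachines/sku.name",
                 "in": "[parameters('listOfAllowedSKUs')]"}}]},
        "then": {"effect": "Deny"}}}

# Constructed tag rule: re-add a missing owner tag (the "reapply tags" case in 5.b).
REQUIRE_OWNER_TAG = {
    "displayName": "Add owner tag if missing (constructed)", "mode": "Indexed",
    "parameters": {"defaultOwner": {"type": "String"}},
    "policyRule": {"if": {"field": "tags['owner']", "exists": "false"},
        "then": {"effect": "Modify", "details": {
            "roleDefinitionIds": ["<role-definition-id placeholder>"],
            "operations": [{"operation": "addOrReplace", "field": "tags['owner']",
                            "value": "[parameters('defaultOwner')]"}]}}}}

def demo() -> dict:
    # Constructed resources in the shape ARM hands to Policy.
    big_vm = {"name": "vm-batch-01", "type": "Microsoft.Compute/virtualMachines",
              "location": "westeurope", "tags": {"owner": "data-team"},
              "properties": {"hardwareProfile": {"vmSize": "Standard_D64s_v3"}}}
    small_vm = {"name": "vm-web-01", "type": "Microsoft.Compute/virtualMachines",
                "location": "westeurope", "tags": {},
                "properties": {"hardwareProfile": {"vmSize": "Standard_B2s"}}}
    sku_params = {"listOfAllowedSKUs": ["Standard_B2s", "Standard_D2s_v3"]}
    initiative = [(ALLOWED_VM_SKUS, sku_params),
                  (REQUIRE_OWNER_TAG, {"defaultOwner": "platform-team"})]
    return {"big_vm": evaluate(ALLOWED_VM_SKUS, sku_params, big_vm),
            "report": evaluate_initiative(initiative, [big_vm, small_vm]),
            "small_vm_tags": small_vm["tags"]}
```

Running `demo()` shows the oversized VM denied, the untagged VM made compliant by the Modify effect, and the initiative report listing only the denied VM.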
8. Purpose of resource locks:
a. A resource lock prevents resources from being accidentally deleted or changed.
b. Resource locks can be applied to individual resources, resource groups, or even an entire subscription.
Resource locks are inherited, meaning that if you place a resource lock on a resource group, all of the
resources within the resource group will also have the resource lock applied.
c. Types of Resource Locks:
i. Delete means authorized users can still read and modify a resource, but they can't delete the
resource.
ii. ReadOnly means authorized users can read a resource, but they can't delete or update the
resource. Applying this lock is similar to restricting all authorized users to the permissions granted
by the Reader role.
d. You can manage resource locks from the Azure portal, PowerShell, the Azure CLI, or from an Azure
Resource Manager template.
e. To view, add, or delete locks in the Azure portal, open the resource and go to the Settings section of
its pane.
f. Although locking helps prevent accidental changes, you can still make changes by following a two-step
process.
g. To modify a locked resource, you must first remove the lock. After you remove the lock, you can apply any
action you have permissions to perform. Resource locks apply regardless of RBAC permissions. Even if
you're an owner of the resource, you must still remove the lock before you can perform the blocked
activity.
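An added example (not Azure's implementation) that models the lock behaviour from items b, c and g: inheritance from the resource group, the most restrictive applicable level winning, and the caller's role making no difference. The resource IDs and lock names are constructed and the subscription GUID is a placeholder.

```python
# Resource-lock semantics modelled in code (constructed example, not Azure's
# implementation): locks on a resource group are inherited by everything in it,
# the most restrictive applicable level wins, and the caller's RBAC role never
# overrides a lock; a blocked action needs the lock removed at its own scope first.
from __future__ import annotations
from dataclasses import dataclass

CAN_NOT_DELETE = "CanNotDelete"  # shown as "Delete" in the portal
READ_ONLY = "ReadOnly"
RANK = {None: 0, CAN_NOT_DELETE: 1, READ_ONLY: 2}  # higher = more restrictive

# Constructed resource IDs; the subscription GUID is a placeholder.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-prod"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/vm-web-01"
STORAGE = RG + "/providers/Microsoft.Storage/storageAccounts/stprodlogs"

@dataclass(frozen=True)
class Lock:
    name: str
    scope: str   # resource ID the lock is set on (subscription, RG or resource)
    level: str   # CAN_NOT_DELETE or READ_ONLY

def applicable_locks(resource_id: str, locks: list[Lock]) -> list[Lock]:
    """Locks set on the resource itself or on any ancestor scope apply to it."""
    return [lk for lk in locks
            if resource_id == lk.scope or resource_id.startswith(lk.scope + "/")]

def effective_level(resource_id: str, locks: list[Lock]) -> str | None:
    """The most restrictive direct or inherited lock is the one that counts."""
    levels = [lk.level for lk in applicable_locks(resource_id, locks)]
    return max(levels, key=RANK.get, default=None)

def check(action: str, resource_id: str, locks: list[Lock], role: str) -> dict:
    """Decide whether `action` (read/update/delete) is blocked by a lock. `role`
    is only echoed back: locks apply regardless of RBAC, so Owner is blocked too.
    `remove_first` names the locks that must be removed before the action."""
    level = effective_level(resource_id, locks)
    blocked = (action == "delete" and level is not None) or \
              (action == "update" and level == READ_ONLY)
    remove_first = [lk.name for lk in applicable_locks(resource_id, locks)
                    if action == "delete" or lk.level == READ_ONLY] if blocked else []
    return {"action": action, "role": role, "effective_lock": level,
            "allowed": not blocked, "remove_first": remove_first}

def demo() -> dict:
    # A CanNotDelete lock on the resource group and a ReadOnly lock on one account.
    locks = [Lock("no-delete-prod", RG, CAN_NOT_DELETE),
             Lock("freeze-logs", STORAGE, READ_ONLY)]
    return {"owner_deletes_vm": check("delete", VM, locks, "Owner"),
            "contributor_updates_vm": check("update", VM, locks, "Contributor"),
            "owner_updates_storage": check("update", STORAGE, locks, "Owner"),
            "reader_reads_storage": check("read", STORAGE, locks, "Reader")}
```

Deleting vm-web-01 requires removing no-delete-prod at resource group scope, which also unprotects every other resource in rg-prod until it is re-applied; that is the cost of the two-step process in item g.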
9. Purpose of the Service Trust portal:
a. The Microsoft Service Trust Portal is a portal that provides access to various content, tools, and other
resources about Microsoft security, privacy, and compliance practices.
b. The Service Trust Portal contains details about Microsoft's implementation of controls and processes that
protect our cloud services and the customer data therein.
c. The Service Trust Portal features and content are accessible from the main menu. The categories on the
main menu are:
i. Service Trust Portal provides a quick access hyperlink to return to the Service Trust Portal home
page.
ii. My Library lets you save (or pin) documents to quickly access them on your My Library page. You
can also set up to receive notifications when documents in your My Library are updated.
iii. All Documents is a single landing place for documents on the service trust portal. From All
Documents, you can pin documents to have them show up in your My Library.
d. Service Trust Portal reports and documents are available to download for at least 12 months after
publishing or until a new version of the document becomes available.
10. Describe tools for interacting with Azure:
a. Azure portal:
i. The Azure portal is a web-based, unified console that provides an alternative to command-line
tools. With the Azure portal, you can manage your Azure subscription by using a graphical user
interface. You can:
1. Build, manage, and monitor everything from simple web apps to complex cloud
deployments
2. Create custom dashboards for an organized view of resources
3. Configure accessibility options for an optimal experience
ii. The Azure portal is designed for resiliency and continuous availability. It maintains a presence in
every Azure datacenter. This configuration makes the Azure portal resilient to individual
datacenter failures and avoids network slowdowns by being close to users. The Azure portal
updates continuously and requires no downtime for maintenance activities.
b. Azure Cloud Shell:
i. Azure Cloud Shell is a browser-based shell tool that allows you to create, configure, and manage
Azure resources using a shell. Azure Cloud Shell supports both Azure PowerShell and the Azure
Command Line Interface (CLI), which is a Bash shell.
ii. You can access Azure Cloud Shell via the Azure portal by selecting the Cloud Shell icon.
iii. Azure Cloud Shell has several features that make it a unique offering to support you in managing
Azure. Some of those features are:
1. It is a browser-based shell experience, with no local installation or configuration required.
2. It is authenticated to your Azure credentials, so when you log in it inherently knows who
you are and what permissions you have.
3. You choose the shell you’re most familiar with; Azure Cloud Shell supports both Azure
PowerShell and the Azure CLI (which uses Bash).
c. Azure PowerShell:
i. Azure PowerShell is a shell with which developers, DevOps, and IT professionals can run
commands called command-lets (cmdlets). These commands call the Azure REST API to perform
management tasks in Azure. Cmdlets can be run independently to handle one-off changes, or they
may be combined to help orchestrate complex actions such as:
1. The routine setup, teardown, and maintenance of a single resource or multiple connected
resources.
2. The deployment of an entire infrastructure, which might contain dozens or hundreds of
resources, from imperative code.
3. Capturing the commands in a script makes the process repeatable and automatable.
ii. In addition to being available via Azure Cloud Shell, you can install and configure Azure PowerShell on
Windows, Linux, and Mac platforms.
d. Azure CLI:
i. The Azure CLI is functionally equivalent to Azure PowerShell, with the primary difference being the
syntax of commands. While Azure PowerShell uses PowerShell commands, the Azure CLI uses
Bash commands.
ii. The Azure CLI provides the same benefits of handling discrete tasks or orchestrating complex
operations through code. It’s also installable on Windows, Linux, and Mac platforms, as well as
through Azure Cloud Shell.
iii. Due to the similarities in capabilities and access between Azure PowerShell and the Bash based
Azure CLI, it mainly comes down to which language you’re most familiar with.
11. Azure Arc:
a. In utilizing Azure Resource Manager (ARM), Arc lets you extend your Azure compliance and monitoring to
your hybrid and multi-cloud configurations. Azure Arc simplifies governance and management by
delivering a consistent multi-cloud and on-premises management platform.
b. Azure Arc provides a centralized, unified way to:
i. Manage your entire environment together by projecting your existing non-Azure resources into
ARM.
ii. Manage multi-cloud and hybrid virtual machines, Kubernetes clusters, and databases as if they are
running in Azure.
iii. Use familiar Azure services and management capabilities, regardless of where they live.
iv. Continue using traditional ITOps while introducing DevOps practices to support new cloud and
native patterns in your environment.
v. Configure custom locations as an abstraction layer on top of Azure Arc-enabled Kubernetes
clusters and cluster extensions.
c. Azure Arc allows you to manage the following resource types hosted outside of Azure:
i. Servers
ii. Kubernetes clusters
iii. Azure data services
iv. SQL Server
v. Virtual machines (preview)
12. Azure Resource Manager and Azure ARM templates:
a. Azure Resource Manager (ARM) is the deployment and management service for Azure. It provides a
management layer that enables you to create, update, and delete resources in your Azure account.
Anytime you do anything with your Azure resources, ARM is involved.
b. When a user sends a request from any of the Azure tools, APIs, or SDKs, ARM receives the request. ARM
authenticates and authorizes the request. Then, ARM sends the request to the Azure service, which
takes the requested action. You see consistent results and capabilities in all the different tools because all
requests are handled through the same API.
c. Azure Resource Manager benefits:
i. Manage your infrastructure through declarative templates rather than scripts. A Resource
Manager template is a JSON file that defines what you want to deploy to Azure.
ii. Deploy, manage, and monitor all the resources for your solution as a group, rather than handling
these resources individually.
iii. Re-deploy your solution throughout the development life-cycle and have confidence your
resources are deployed in a consistent state.
iv. Define the dependencies between resources, so they're deployed in the correct order.
v. Apply access control to all services because RBAC is natively integrated into the management
platform.
vi. Apply tags to resources to logically organize all the resources in your subscription.
vii. Clarify your organization's billing by viewing costs for a group of resources that share the same
tag.
d. Infrastructure as code: Infrastructure as code is a concept where you manage your infrastructure as lines
of code. At an introductory level, it's things like using Azure Cloud Shell, Azure PowerShell, or the Azure CLI
to manage and configure your resources. As you get more comfortable in the cloud, you can use the
infrastructure as code concept to manage entire deployments using repeatable templates and
configurations. ARM templates and Bicep are two examples of using infrastructure as code with the Azure
Resource Manager to maintain your environment.
i. ARM templates:
1. By using ARM templates, you can describe the resources you want to use in a declarative
JSON format. With an ARM template, the deployment code is verified before any code is
run. This ensures that the resources will be created and connected correctly. The template
then orchestrates the creation of those resources in parallel. That is, if you need 50
instances of the same resource, all 50 instances are created at the same time.
2. Ultimately, the developer, DevOps professional, or IT professional needs only to define
the desired state and configuration of each resource in the ARM template, and the
template does the rest. Templates can even execute PowerShell and Bash scripts before
or after the resource has been set up.
ii. Benefits of using ARM templates:
1. Declarative syntax: ARM templates allow you to create and deploy an entire Azure
infrastructure declaratively. Declarative syntax means you declare what you want to
deploy but don’t need to write the actual programming commands and sequence to
deploy the resources.
2. Repeatable results: Repeatedly deploy your infrastructure throughout the development
lifecycle and have confidence your resources are deployed in a consistent manner. You
can use the same ARM template to deploy multiple dev/test environments, knowing that
all the environments are the same.
3. Orchestration: You don't have to worry about the complexities of ordering operations.
Azure Resource Manager orchestrates the deployment of interdependent resources, so
they're created in the correct order. When possible, Azure Resource Manager deploys
resources in parallel, so your deployments finish faster than serial deployments. You
deploy the template through one command, rather than through multiple imperative
commands.
4. Modular files: You can break your templates into smaller, reusable components and link
them together at deployment time. You can also nest one template inside another
template. For example, you could create a template for a VM stack, and then nest that
template inside of templates that deploy entire environments, and that VM stack will
consistently be deployed in each of the environment templates.
5. Extensibility: With deployment scripts, you can add PowerShell or Bash scripts to your
templates. The deployment scripts extend your ability to set up resources during
deployment. A script can be included in the template or stored in an external source and
referenced in the template. Deployment scripts give you the ability to complete your end-
to-end environment setup in a single ARM template.
e. Bicep: Bicep is a language that uses declarative syntax to deploy Azure resources. A Bicep file defines the
infrastructure and configuration. Then, ARM deploys that environment based on your Bicep file. While
similar to an ARM template, which is written in JSON, Bicep files tend to use a simpler, more concise
style. Some benefits of Bicep are:
i. Support for all resource types and API versions: Bicep immediately supports all preview and GA
versions for Azure services. As soon as a resource provider introduces new resource types and API
versions, you can use them in your Bicep file. You don't have to wait for tools to be updated
before using the new services.
ii. Simple syntax: When compared to the equivalent JSON template, Bicep files are more concise and
easier to read. Bicep requires no previous knowledge of programming languages. Bicep syntax is
declarative and specifies which resources and resource properties you want to deploy.
iii. Repeatable results: Repeatedly deploy your infrastructure throughout the development lifecycle
and have confidence your resources are deployed in a consistent manner. Bicep files are
idempotent, which means you can deploy the same file many times and get the same resource
types in the same state. You can develop one file that represents the desired state, rather than
developing lots of separate files to represent updates.
iv. Orchestration: You don't have to worry about the complexities of ordering operations. Resource
Manager orchestrates the deployment of interdependent resources so they're created in the
correct order. When possible, Resource Manager deploys resources in parallel so your
deployments finish faster than serial deployments. You deploy the file through one command,
rather than through multiple imperative commands.
v. Modularity: You can break your Bicep code into manageable parts by using modules. The module
deploys a set of related resources. Modules enable you to reuse code and simplify development.
Add the module to a Bicep file anytime you need to deploy those resources.
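The orchestration behaviour described for both ARM templates (12.d.ii.3) and Bicep (12.e.iv), with validation before anything runs, dependencies created first and independent resources in parallel, is made concrete by the following added example; it is not Resource Manager's own code. It validates the dependsOn graph of a constructed template and groups the resources into parallel deployment waves; the template, resource names and apiVersion placeholders are constructed.

```python
# Deployment-order planning for an ARM template (constructed example, not Azure
# Resource Manager's own code): checks that every dependsOn target exists and
# that there is no cycle before anything would be deployed, then groups resources
# into waves; each wave depends only on earlier waves, so it can run in parallel.
from __future__ import annotations
import re

# Matches "[resourceId('Microsoft.Network/virtualNetworks', 'vnet-prod')]"; the
# last argument is the resource name. Plain-name dependsOn entries are accepted too.
RESOURCE_ID_RE = re.compile(r"^\[resourceId\((.*)\)\]$")

# Constructed template: a VM needing a NIC and a diagnostics storage account,
# the NIC needing a virtual network. The apiVersion values are placeholders.
TEMPLATE = {
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        {"type": "Microsoft.Compute/virtualMachines", "apiVersion": "<placeholder>",
         "name": "vm-web-01", "dependsOn": [
             "[resourceId('Microsoft.Network/networkInterfaces', 'nic-web-01')]",
             "[resourceId('Microsoft.Storage/storageAccounts', 'stdiag01')]"]},
        {"type": "Microsoft.Network/networkInterfaces", "apiVersion": "<placeholder>",
         "name": "nic-web-01", "dependsOn": [
             "[resourceId('Microsoft.Network/virtualNetworks', 'vnet-prod')]"]},
        {"type": "Microsoft.Network/virtualNetworks", "apiVersion": "<placeholder>",
         "name": "vnet-prod"},
        {"type": "Microsoft.Storage/storageAccounts", "apiVersion": "<placeholder>",
         "name": "stdiag01"},
    ],
}

def dependency_name(entry: str) -> str:
    """Extract the dependency's resource name from one dependsOn entry."""
    m = RESOURCE_ID_RE.match(entry.strip())
    if not m:
        return entry.strip()  # plain resource name form
    args = [a.strip().strip("'") for a in m.group(1).split(",")]
    return args[-1]

def validate(template: dict) -> dict[str, set[str]]:
    """Build name -> dependency names; reject duplicate names and unknown targets,
    the kind of error ARM reports during validation, before any resource is created."""
    names = [r["name"] for r in template["resources"]]
    if len(names) != len(set(names)):
        raise ValueError("duplicate resource names in template")
    graph = {}
    for r in template["resources"]:
        deps = {dependency_name(d) for d in r.get("dependsOn", [])}
        unknown = deps - set(names)
        if unknown:
            raise ValueError(f"{r['name']} depends on unknown resource(s): {sorted(unknown)}")
        graph[r["name"]] = deps
    return graph

def deployment_waves(template: dict) -> list[list[str]]:
    """Layered Kahn's algorithm: wave N holds resources whose dependencies all sit
    in earlier waves, so everything within one wave can be created in parallel."""
    remaining = validate(template)
    waves = []
    while remaining:
        ready = sorted(n for n, deps in remaining.items() if not deps)
        if not ready:
            raise ValueError(f"circular dependsOn among: {sorted(remaining)}")
        waves.append(ready)
        for n in ready:
            del remaining[n]
        for deps in remaining.values():
            deps.difference_update(ready)
    return waves

def demo() -> dict:
    # A two-resource cycle (constructed) to show validation catching it.
    cyclic = {"resources": [{"type": "t", "name": "a", "dependsOn": ["b"]},
                            {"type": "t", "name": "b", "dependsOn": ["a"]}]}
    try:
        deployment_waves(cyclic)
        cycle_error = None
    except ValueError as e:
        cycle_error = str(e)
    return {"waves": deployment_waves(TEMPLATE), "cycle_error": cycle_error}
```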
13. Azure Advisor:
a. Azure Advisor evaluates your Azure resources and makes recommendations to help improve reliability,
security, and performance, achieve operational excellence, and reduce costs. Azure Advisor is designed
to help you save time on cloud optimization. The recommendation service includes suggested actions
you can take right away, postpone, or dismiss.
b. The recommendations are available via the Azure portal and the API, and you can set up notifications to
alert you to new recommendations.
c. When you're in the Azure portal, the Advisor dashboard displays personalized recommendations for all
your subscriptions. You can use filters to select recommendations for specific subscriptions, resource
groups, or services. The recommendations are divided into five categories:
i. Reliability is used to ensure and improve the continuity of your business-critical applications.
ii. Security is used to detect threats and vulnerabilities that might lead to security breaches.
iii. Performance is used to improve the speed of your applications.
iv. Operational Excellence is used to help you achieve process and workflow efficiency, resource
manageability, and deployment best practices.
v. Cost is used to optimize and reduce your overall Azure spending.
14. Azure Service Health:
a. Microsoft Azure provides a global cloud solution to help you manage your infrastructure needs, reach your
customers, innovate, and adapt rapidly. Knowing the status of the global Azure infrastructure and your
individual resources could seem like a daunting task. Azure Service Health helps you keep track of Azure
resource, both your specifically deployed resources and the overall status of Azure. Azure service health
does this by combining three different Azure services:
i. Azure Status is a broad picture of the status of Azure globally. Azure status informs you of service
outages in Azure on the Azure Status page. The page is a global view of the health of all Azure
services across all Azure regions. It’s a good reference for incidents with widespread impact.
ii. Service Health provides a narrower view of Azure services and regions. It focuses on the Azure
services and regions you're using. This is the best place to look for service impacting
communications about outages, planned maintenance activities, and other health advisories
because the authenticated Service Health experience knows which services and resources you
currently use. You can even set up Service Health alerts to notify you when service issues, planned
maintenance, or other changes may affect the Azure services and regions you use.
iii. Resource Health is a tailored view of your actual Azure resources. It provides information about
the health of your individual cloud resources, such as a specific virtual machine instance. Using
Azure Monitor, you can also configure alerts to notify you of availability changes to your cloud
resources.
b. By using Azure Status, Service Health, and Resource Health, Azure Service Health gives you a complete
view of your Azure environment, all the way from the global status of Azure services and regions down to
specific resources. Additionally, historical alerts are stored and accessible for later review. Something you
initially thought was a simple anomaly that turned into a trend can readily be reviewed and investigated
thanks to the historical alerts.
c. Finally, in the event that a workload you’re running is impacted by an event, Azure Service Health
provides links to support.
15. Azure Monitor:
a. Azure Monitor is a platform for collecting data on your resources, analyzing that data, visualizing the
information, and even acting on the results. Azure Monitor can monitor Azure resources, your on-
premises resources, and even multi-cloud resources like virtual machines hosted with a different cloud
provider.
b. [Diagram: Azure Monitor data flow, from data sources on the left, through central repositories, to views, alerts, and autoscaling on the right]
c. On the left is a list of the sources of logging and metric data that can be collected at every layer in your
application architecture, from application to operating system and network. In the center, the logging and
metric data are stored in central repositories. On the right, the data is used in several ways. You can view
real-time and historical performance across each layer of your architecture or aggregated and detailed
information. The data is displayed at different levels for different audiences. You can view high-level
reports on the Azure Monitor Dashboard or create custom views by using Power BI and Kusto queries.
Additionally, you can use the data to help you react to critical events in real time, through alerts delivered
to teams via SMS, email, and so on. Or you can use thresholds to trigger autoscaling functionality to scale
to meet the demand.
d. Azure Log Analytics: Azure Log Analytics is the tool in the Azure portal where you’ll write and run log
queries on the data gathered by Azure Monitor. Log Analytics is a robust tool that supports both simple and
complex queries as well as data analysis. You can write a simple query that returns a set of records and then
use features of Log Analytics to sort, filter, and analyze the records. You can write an advanced query to
perform statistical analysis and visualize the results in a chart to identify a particular trend. Whether you
work with the results of your queries interactively or use them with other Azure Monitor features such as
log query alerts or workbooks, Log Analytics is the tool that you're going to use to write and test those
queries.
e. Azure Monitor Alerts:
i. Azure Monitor Alerts are an automated way to stay informed when Azure Monitor detects a
threshold being crossed. You set the alert conditions and the notification actions, and then Azure
Monitor Alerts notifies you when an alert is triggered. Depending on your configuration, Azure
Monitor Alerts can also attempt corrective action.
ii. Alerts can be set up to monitor the logs and trigger on certain log events, or they can be set to
monitor metrics and trigger when certain metric thresholds are crossed. For example, you could set
up a metric-based alert to notify you when the CPU usage on a virtual machine exceeds 80%. Alert
rules based on metrics provide near-real-time alerts based on numeric values. Rules based on logs
allow for complex logic across data from multiple sources.
iii. Azure Monitor Alerts use action groups to configure who to notify and what action to take. An
action group is simply a collection of notification and action preferences that you associate with
one or multiple alerts. Azure Monitor, Service Health, and Azure Advisor all use action groups to
notify you when an alert has been triggered.
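The Log Analytics section (d.) and the alerts section (e.) meet in practice in one artifact: a Kusto (KQL) log query that you first test interactively in Log Analytics and then reuse as the condition of a log-based alert rule. The query below is an added example, not text from these notes or from Microsoft's documentation. It reproduces the CPU example above as a log query: for each virtual machine it averages the guest "% Processor Time" counter over 5-minute bins in the last hour and keeps only the bins where the average crossed 80%. It assumes the Perf table is being populated by the Azure Monitor agent's guest performance counters; the table and column names are the standard Log Analytics ones, and the instance names shown are the whole-machine counters reported by Windows and Linux guests respectively.

```kusto
// Added example: average guest CPU per VM in 5-minute bins over the last hour,
// keeping only the bins where the average crossed the 80% threshold.
// Assumes the Perf table is fed by the Azure Monitor agent (Windows or Linux).
Perf
| where TimeGenerated > ago(1h)
| where ObjectName == "Processor" and CounterName == "% Processor Time"
| where InstanceName in ("_Total", "total")   // whole-machine counter: "_Total" on Windows, "total" on Linux
| summarize AvgCpu = round(avg(CounterValue), 1) by Computer, bin(TimeGenerated, 5m)
| where AvgCpu > 80                            // the same threshold as the metric alert example above
| order by TimeGenerated desc, AvgCpu desc
```

Run interactively, the query lists which machines were hot and when. To turn it into an alert, create a log alert rule with this query as the search query, measure the number of returned rows, trigger when that number is greater than 0, evaluate every 5 minutes, and attach an action group so the notification goes out by email or SMS. The metric-based alert on the "Percentage CPU" platform metric fires faster because it needs no log ingestion; the log version is what you reach for when the condition has to combine several tables or fields, as item ii. above describes.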
f. Application Insights:
i. Application Insights, an Azure Monitor feature, monitors your web applications. Application
Insights is capable of monitoring applications that are running in Azure, on-premises, or in a
different cloud environment.
ii. There are two ways to configure Application Insights to help monitor your application. You can
either install an SDK in your application, or you can use the Application Insights agent. The
Application Insights agent is supported in C#.NET, VB.NET, Java, JavaScript, Node.js, and Python.
iii. Once Application Insights is up and running, you can use it to monitor a broad array of
information, such as:
1. Request rates, response times, and failure rates
2. Dependency rates, response times, and failure rates, to show whether external services
are slowing down performance
3. Page views and load performance reported by users' browsers
4. AJAX calls from web pages, including rates, response times, and failure rates
5. User and session counts
6. Performance counters from Windows or Linux server machines, such as CPU, memory,
and network usage
iv. Not only does Application Insights help you monitor the performance of your application, but you
can also configure it to periodically send synthetic requests to your application, allowing you to
check the status and monitor your application even during periods of low activity.
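Most of the signals listed under iii. (request rates, response times, failure rates) are answered by one query against the Application Insights requests table. The query below is an added example, not from these notes or from Microsoft's documentation; it uses the standard Application Insights resource schema (requests, name, duration, success, timestamp) and assumes the SDK or agent described in ii. is already sending telemetry. The 5% and 1000 ms limits are constructed thresholds chosen for the illustration.

```kusto
// Added example: request rate, latency percentiles and failure rate per operation,
// in 15-minute bins over the last 24 hours, from the Application Insights requests table.
// Assumes the Application Insights SDK or agent is reporting requests for the app.
requests
| where timestamp > ago(24h)
| summarize
    Requests = count(),                       // request rate per bin
    Failed   = countif(success == false),     // failed requests per bin
    P50ms    = percentile(duration, 50),      // median response time (ms)
    P95ms    = percentile(duration, 95)       // tail response time (ms)
  by OperationName = name, bin(timestamp, 15m)
| extend FailureRatePct = round(100.0 * Failed / Requests, 2)
| where FailureRatePct > 5 or P95ms > 1000    // constructed thresholds for the example
| order by timestamp desc, FailureRatePct desc
```

The same shape applied to the dependencies table (grouping by target instead of name) gives the "dependency rates, response times, and failure rates" from item 2, which is how you tell a slow downstream service apart from a slow application. Either query can be pinned to a workbook or used as the condition of a log alert rule with an action group, as in the alerts section above.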
Question dumps:
1) You can track your company’s regulatory standards and regulations such as ISO 27001 from Azure Cloud Shell
a) No change is needed
b) Trust Centre (ans)
c) Microsoft Cloud Partner Portal
d) Compliance Manager
2) You have an on-premises app that sends email notifications automatically based on a rule and you plan to
migrate this app to Azure. You need to recommend a serverless computing solution for the application. What
should you include in the recommendation?
a) Server image from Azure Marketplace
b) Azure API app
c) Logic app
d) Azure VM
3) Azure Synapse Analytics: provides a cloud-based enterprise data-warehousing solution.