az-900.md

File metadata and controls

234 lines (194 loc) · 11.5 KB
description
Below page is the study "cram" by John Savill for the AZ900.

AZ-900

Source: https://www.youtube.com/watch?v=tQp1YkB2Tgs

Capital Expenditure vs Operational Expenditure

  • On-prem (capital expenditure) you pay for everything up front; in the cloud (operational expenditure) you pay for capacity based on what you actually use

IaaS = Full access to the OS, but the provider handles the underlying networking, compute hardware, storage, etc

PaaS = Unlike IaaS, with PaaS you are only responsible for your app and data

SaaS = Everything is provided

Regions

  • Each region (e.g. east-us, west-us) has multiple physical buildings that are relatively close together but have separate cooling/networking/power/etc (each is an Availability Zone)
    • Within a subscription you see 3 availability zones, but the zone numbering is logical: a second subscription may map its 3 zones to 3 different buildings within the same region
    • Zone redundant means the service spans the availability zones. Some services do this automatically with a simple checkbox, while others have to be pinned to each individual zone manually (e.g. a VM has to be created in each AZ manually)
  • Close to customers, regulatory reasons, disaster recovery from natural disasters are all reasons for having multiple regions
  • Availability Set is when your resources are on different racks within the same AZ

Azure AD

  • Cloud IDP (Identity Provider) contains users, groups, devices, applications, etc
  • Protocols: OIDC, SAML, WS-Fed, OAuth2
  • Authentication (via OIDC, SAML or WS-Fed) means proving who I am via something I know like a password/PIN, something I have like a token/cellphone, or something I am like a biometric; MFA requires any 2 of these factors
  • Authorization (RBAC: role-based access control) is the scope of permissions you fall into once authenticated. This involves a certain level of permissions (owner, reader, contributor, etc) at a particular scope
    • Policies are guardrails assigning what a user is allowed to do, but can also be used for auditing purposes
  • A lot of companies already have an on-prem AD, which can be synced to Azure with AAD Connect. This enables Seamless SSO, allowing a user already signed in on-prem to access Azure resources without signing in again
  • Management Groups can be used to further control access
    • RBAC, Policy, and budget can be applied to each management group, which can filter down to a subscription
  • A subscription is essentially a billing boundary
    • Once again, RBAC, Policy and budget can be applied to a subscription
  • Resources get created in a resource group, which is nested inside a subscription (note: RGs can not be nested)
    • Once again, RBAC, Policy and budget can be applied to a resource group
    • Resource groups do not limit connectivity
    • RGs should have a common lifecycle so that everything is created and destroyed as a group
  • Azure Resource Manager (ARM)
    • Used to simplify the provisioning of resources. The portal, mobile app, Az CLI, and Az PowerShell (PoshAZ) module all go through ARM
      • John Savill says the portal is good for seeing what's available, but for provisioning actual resources it should be avoided because its UI is subject to change
      • ARM JSON templates are declarative/idempotent where you declare the end state and make provisioning significantly easier
        • Terraform is a 3rd party product that allows you to more easily create ARM templates
    • Resource Locks can prevent a user from deleting a resource
    • Tags can be applied in a key:value format, which is essentially just metadata
      • Tags do NOT get inherited
    • Blueprint
      • Comprised of artifacts (policies, ARM templates, RGs, and role assignments), which allow for reusability and consistency
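The scope hierarchy above (management group, subscription, resource group, resource) is what makes RBAC "filter down" while tags stay put. The following is an added example, not part of John Savill's notes: it derives the ancestor chain from ARM resource ID shapes and shows that role assignments accumulate down the tree while tags are never inherited. The management group name, subscription GUID, resource names and the subscription-to-management-group lookup are constructed placeholders.

```python
# Constructed model of Azure scope inheritance. Scope IDs follow the real ARM
# resource ID shapes; the subscription GUID and names are placeholders.
MG = "/providers/Microsoft.Management/managementGroups/contoso-mg"
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-web"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/vm-web-01"

# A subscription's management group is not encoded in its resource ID, so the
# hierarchy above the subscription must come from a lookup (constructed here).
SUB_TO_MG = {SUB: MG}
MG_PARENT = {MG: None}  # contoso-mg sits directly under the tenant root group

def ancestors(scope):
    """Yield scope, then each ancestor: resource -> RG -> subscription -> MGs."""
    yield scope
    if "/resourceGroups/" in scope and "/providers/" in scope:
        scope = scope.split("/providers/")[0]       # strip the resource part
        yield scope
    if "/resourceGroups/" in scope:
        scope = scope.split("/resourceGroups/")[0]  # strip the RG part
        yield scope
    mg = SUB_TO_MG.get(scope, MG_PARENT.get(scope))
    while mg:
        yield mg
        mg = MG_PARENT.get(mg)

def effective_roles(principal, scope, assignments):
    """Azure RBAC is additive: roles assigned at scope or any ancestor apply."""
    chain = set(ancestors(scope))
    return {role for p, role, s in assignments if p == principal and s in chain}

def effective_tags(scope, tags):
    """Tags are per-resource metadata and are never inherited from parents."""
    return dict(tags.get(scope, {}))

# Constructed assignments: (principal, role, scope).
ASSIGNMENTS = [
    ("alice", "Reader", MG),       # read everything under the management group
    ("alice", "Contributor", RG),  # but change rights only inside rg-web
    ("bob", "Owner", SUB),
]
TAGS = {RG: {"env": "prod"}, VM: {"patch-group": "A"}}
```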

Resources

  • VMs have memory, vcpus, network, IOps
    • SKUs are like pre-packaged VMs that are set up with similar resource ratios
      • "Memory optimized" or "general purpose"
    • VM Scale Set
      • Pick a certain template for the disk, a certain configuration, and assign the auto scale values, which creates and deletes VMs behind-the-scenes based on what you set
    • Azure Dedicated Host
      • By default, the cloud is multi-tenant, but you can pay Microsoft for a dedicated host of a particular SKU family, on which you can create multiple VMs of that SKU type; they can differ in size
    • Azure Batch will allow you to do large scale executions where it will provision the necessary resources for a specific job
    • Container Host
      • The VM already exists, but there are multiple sandboxes under the same OS
      • Allows the user to quickly run containers against a specific sandbox that will spin up much faster than an entire VM since the VM already exists
      • These are multi-tenant, but there is still isolation from your neighbor despite being on the same VM
    • Azure Container Instance
      • Runs on its own instance, separated from other tenants
      • Supports VNets and public endpoints
    • Azure Kubernetes Service
      • This will spin up a node pool, which utilizes VM scale sets
    • Azure App Service
      • Webapp service, API, mobile
  • All of the above are PaaS, but there are still underlying VMs
    • Serverless: you pay only for the work it actually does
      • Event-driven
      • Azure Functions
        • Running code from various languages
      • Azure Logic Apps
        • No or low code
  • Azure Virtual Desktop
    • self-explanatory

Azure Key Vault

  • Secrets, keys, and certs
  • RBAC can control on an individual secret level
    • You can give the identity of an app service access to a specific secret, which then provides access to something else
      • i.e. an app service can only ever be itself and nobody can imitate that app service

Networking

  • With a subscription you can use multiple regions, but a VNet exists within a single region/subscription; it cannot span multiple
  • Within that, a VNet is created and is defined at minimum by one or more (1:m) IPv4 address ranges
    • RFC 1918 private ranges (e.g. 192.168.0.0/16) are never routed over the internet
  • When picking an IP range, make sure it doesn't conflict with anything else you have, such as your on-prem network
    • You can optionally add IPv6 ranges on top of IPv4
  • Within the VNet, you create virtual subnets, which also have an IP range
    • A subnet can span all the availability zones within a region
  • Site-to-site VPN is encrypted over the internet
    • Policy-based allows only 1 connection and is considered legacy
    • Route-based allows for n connections as well as point-to-site, which means you can set up a connection to a single machine
    • ExpressRoute gateway
  • Express Route
    • not over the internet
    • private peering
  • Network Security Group
    • built around a series of properties
      • Protocol, src/dest port, src/dest IP, name/desc, allow/deny, Service Tags, Application Security Group (e.g. if this NIC is applied with the tag "SQL" then apply these rules)
      • NSGs are then associated with subnets
  • Azure Firewall
    • A storage account might have its own firewall
    • You might have a VNet with a subnet and you want to be able to connect to that storage account
    • You might create a service endpoint and then configure the firewall to allow that subnet to connect
    • If you have a second storage account that you want to use from other networks, you might use a private endpoint, which is an IP address in the subnet that is given permission to communicate with the storage account
    • Basic and standard DDoS protection
      • You can create a standard plan and then link it to multiple VNETs
      • The basic plan is free
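The NSG properties listed above (protocol, ports, source, allow/deny, service tags) only make sense together with how the rules are evaluated: lowest priority number first, first match wins, and the platform's default rules end in a deny-all, which is the "deny by default, then allow where necessary" stance the Security section recommends. The following is an added example, not code from the original notes: a small Python model of that evaluation over a constructed rule set. The VNet prefix, rule names and sample source addresses are constructed; the service tag matching is a simplified stand-in for Microsoft's real prefix lists.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
# Constructed model of NSG evaluation: rules are checked in ascending priority
# order (lowest number first), the first match decides, and the default rules
# (priority 65000+) end in DenyAllInBound, so unmatched traffic is denied.
# Constructed VNet address space standing in for the "VirtualNetwork" tag.
VNET_PREFIXES = [ip_network("10.0.0.0/16")]

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int   # custom rules 100-4096, platform defaults 65000+
    access: str     # "Allow" or "Deny"
    protocol: str   # "Tcp", "Udp" or "*"
    source: str     # CIDR, "*", or a service tag ("VirtualNetwork", "Internet")
    dst_port: str   # "443", "1000-2000" or "*"

def _source_matches(rule_source, src_ip):
    ip = ip_address(src_ip)
    in_vnet = any(ip in net for net in VNET_PREFIXES)
    if rule_source == "*":
        return True
    if rule_source == "VirtualNetwork":
        return in_vnet
    if rule_source == "Internet":  # service tag: public space outside the VNet
        return not in_vnet
    return ip in ip_network(rule_source)

def _port_matches(rule_port, port):
    if rule_port == "*":
        return True
    low, _, high = rule_port.partition("-")
    return int(low) <= port <= int(high or low)

def evaluate(rules, src_ip, protocol, dst_port):
    """Return (access, rule_name) of the first matching rule in priority order."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if (rule.protocol in ("*", protocol)
                and _source_matches(rule.source, src_ip)
                and _port_matches(rule.dst_port, dst_port)):
            return rule.access, rule.name
    raise ValueError("no rule matched; a real NSG always ends in DenyAllInBound")

# Constructed rule set: allow HTTPS, deny RDP, then two of the platform defaults
# (AllowAzureLoadBalancerInBound omitted). SSH from the internet is never
# explicitly allowed, so it falls through to DenyAllInBound.
INBOUND_RULES = [
    Rule("AllowHttpsFromInternet", 100, "Allow", "Tcp", "Internet", "443"),
    Rule("DenyRdpFromInternet", 110, "Deny", "Tcp", "Internet", "3389"),
    Rule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*"),
]
```

Removing the explicit RDP deny changes nothing for internet sources, because the default deny already catches it; the explicit rule's value is that it keeps denying even if someone later adds a broad allow at a lower-priority number.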

Storage Account

  • Lives in a region and has a certain redundancy
  • Locally Redundant Storage (LRS) - Spread across a single AZ in a single region
  • Zone Redundant Storage (ZRS) - Spread across 3 AZs in a single region
  • Geo Redundant Storage (GRS) - Spread across a single AZ in multiple regions
    • Paired asynchronously to remote region
  • Geo Zone Redundant Storage (GZRS) - Spread across 3 AZs in primary region and paired region
    • Paired asynchronously to remote region
  • Blob
    • Block - stored in containers, and they are flat (no true folders or directories)
      • You can layer ADLS Gen 2 on top
    • Page - good for read/write
      • Disks
        • STD HDD
        • STD SSD
        • Premium SSD - requires "s" version of VM
        • Ultra Disk - requires "s" version of VM
    • Append - good for logging
  • Files
    • SMB or NFS Shares
    • Azure File Sync would allow you to sync on-prem file servers to that cloud share
  • Tables
    • Key:Value schemaless storage
  • Queue
    • FIFO
  • Hot/Cool/Archive (offline) storage
    • Lifecycle management helps move data between storage tiers and/or delete it

Databases

  • Azure SQL Database (PaaS)
    • Hyperscale, Serverless, Regular, Standard, Business Critical
  • Azure SQL Managed Instance (MI)
    • Compatibility
  • Postgresql
  • mySQL
  • CosmosDB
    • Multiple models
      • Cassandra, graph, etc
      • Typically you have a single read/write and multiple read replicas, but with CosmosDB you get to pick the consistency
        • Strong, bounded staleness, session, etc
  • IoT
    • Azure IoT Hub
      • Register devices known to this service
      • Exposes SDKs that can then be used in your apps to get information
    • Azure IoT Central
      • Sits on top of Hub, but adds dashboards

Data Service

  • ADLS Gen 2 sits on top of blob
  • Azure Data Factory is the orchestration tool
    • For transformation, HDInsight hooks into open-source frameworks such as Hadoop, Spark, Kafka
      • There is also databricks, which is fully managed and built off of Apache Spark
  • Azure Synapse Analytics
    • Brings everything into a single workspace, but it uses the above components behind-the-scenes

AI Services

  • Azure Machine Learning
    • Platform for building predictive models that uses your data, models, etc
  • Azure Cognitive Services
    • Prebuilt models for vision, language, speech, etc
  • Azure Bot Service

DevOps

  • Azure Devops
    • Repos, boards, pipelines, artifacts, test plans
  • Github
    • Repos, actions, projects

Costs

  • Is it running? How many? Serverless? Storing data? Capacity? Transactions?
    • Deallocate, autoscale, tear down RGs
  • Azure Advisor
  • Azure Reservations
    • If you commit to Microsoft for 1, 2 or 3 years, you get a discount on that resource
  • Hybrid Use Benefit
    • e.g. SQL Licensing
  • Azure Spot VMs
    • Microsoft doesn't want idle VMs just sitting around, but at the same time they need capacity for customers who want to provision a lot of resources all at once
    • You can use a Spot VM that has a % chance of evicting you if another customer needs the capacity, but it will be resumed after the fact
      • This could save you a lot of money
  • Total Cost of Ownership (TCO) calculator
    • Tell it what you spend today on-prem vs Azure

Azure Monitor

  • AAD has sign-in logs and audit logs; subscriptions have activity logs; resources have metrics. All of this gets stored in Azure Monitor automatically
  • You can create alerts along with action rules that can call an action group, which might send an sms/email or make a call to a logic app

SLAs

  • 99.9% availability means you can be down for up to 10 minutes per week
    • 99.95% would be 5 minutes
    • 99.99% would be 1 minute

Security

  • Identity/Access
  • Perimeter - protect against DDoS
  • Network - NSGs; everything should be denied by default and then you grant access only where necessary
  • Data encryption
  • SQL injection
  • Azure Security Center is now called Microsoft Defender for Cloud
  • Azure Sentinel sits on top of an Azure Analytics workspace and uses machine learning to detect anomalies
    • It also has the capability to perform actions such as disabling an AD account or calling a logic app