19 KiB
19 KiB
- Test Content
-
AZ-900 Domain Area Weight Describe cloud concepts 25-30% Describe Azure architecture and services 35-40% Describe Azure management and governance 30-35%
-
-
Cloud Concepts
-
Introduction to cloud computing
- Define cloud computing.
- Compute Power
- Storage
- Pay only ressources you use
- Upkeep is done by cloud provider
- Describe the shared responsibility model.
- Cloud Provider: Physical security, power, cooling, and network connectivity are the responsibility
- Consumer: responsible for the data and information stored in the cloud.
- IAAS (Infrastructure)-> PAAS (Platform) -> SAAS (Software)
{:height 231, :width 700}
- Define cloud models, including public, private, and hybrid.
-
Public cloud Private cloud Hybrid cloud No capital expenditures to scale up Organizations have complete control over resources and security Provides the most flexibility Applications can be quickly provisioned and deprovisioned Data is not collocated with other organizations’ data Organizations determine where to run their applications Organizations pay only for what they use Hardware must be purchased for startup and maintenance Organizations control security, compliance, or legal requirements Organizations don’t have complete control over resources and security Organizations are responsible for hardware maintenance and updates - Azure ARC
- Manage Cloud environment
-
- Identify appropriate use cases for each cloud model.
- Describe the consumption-based model.
- Capital expenditure (CapEx)
- upfront one time expenditure
- Operational expenditure (OpEx)
- spending money on services or products over time
- Cloud computing is here
- Capital expenditure (CapEx)
- Compare cloud pricing models.
- pay-as-you-go pricing model
- Define cloud computing.
-
Describe the benefits of using cloud services
- Describe the benefits of high availability and scalability in the cloud.
- uptime (or availability)
- demand (or scale)
- Scalability refers to the ability to adjust resources to meet demand
- vertical
- increasing or decreasing the capabilities of resources (i.e. RAM or CPU)
- horizontal
- adding or subtracting the number of resources (i.e. VMs or containers)
- each Service has own SLA
- Describe the benefits of reliability and predictability in the cloud.
- Reliability is the ability of a system to recover from failures and continue to function
- decentralized design and global scale across data centers
- Predictability
- performance predictability
- Autoscaling, load balancing, and high availability
- cost predictability
- track cost in real time
- Total Cost of Ownership (TCO) or Pricing Calculator
- performance predictability
- Reliability is the ability of a system to recover from failures and continue to function
- Describe the benefits of security and governance in the cloud.
- Set templates
- update all your deployed resources to new standards
- Cloud-based auditing
- handle distributed denial of service (DDoS)
- Describe the benefits of manageability in the cloud.
- Automatically scale resource
- Deploy resources based on (preconfigured) templates
- Monitor health and replace failing resources
- Automatic alerts
- Use
- Web Portal, CLI, APIs, PowerShell
- Describe the benefits of high availability and scalability in the cloud.
- ###Describe cloud service types
- Describe Infrastructure as a Service (IaaS).
- renting the hardware in a cloud datacenter (i.e. Hetzner)
- Scenarios
- Lift-and-shift migration
- Test an development
- Describe Platform as a Service (PaaS).
- maintain the operating systems, databases, and development tools
- Scenarios
- Development framework
- Analytics or business intelligence
- Describe Software as a Service (SaaS).
- Use Maintained Software
- Scenarios
- Email and messaging.
- Business productivity applications.
- Finance and expense tracking.
- Identify appropriate use cases for each cloud service (IaaS, PaaS, SaaS).
- Describe Infrastructure as a Service (IaaS).
-
-
Azure architecture and services
-
Describe the core architectural components of Azure
- Global Services: Microsoft Entra ID, Azure Traffic Manager, and Azure DNS
- Physical Infrastructure
- Goals
- Describe Azure regions, region pairs, and sovereign regions.
- Describe Availability Zones.
- Describe Azure datacenters.
- datacenters (reliabilty)
- grouped in (for resiliency, reliabilty)
- Regions
- geographical area
- multiple datacenters networked together with low-latency network
- geographical area
- Availabilty Zones (AZ)
- one or more physically separate datacenters (independent power, cooling, networking) within an Azure region
- Connected with high speed, private fiber-optic cable
- Minimum of three AZs available in regions with AZ
- primarily for , load balancers, and
- Zonal services: pinned to a zone (VMs, managed disks, IP adresses)
- Zone-redundant services: replicated (SQL databases)
- Non-regional services: Entra-ID, ...
- Region Pair (i.e. West US paired with East US, South-East Asia paired with East Asia)
- within the same geography at least 300 miles away
- Cope with: natural disasters, civil unrest, power outages, or physical network outages
- Updates one region at a time
- One is prioritized for extensive Azure outage
- Sovereign Regions
- isolated from the main instance
- for compliance or legal purposes
- Goals
- Management Infrastructure
- Goals
- Describe Azure resources and Resource Groups.
- Describe subscriptions.
- Describe management groups.
- Describe the hierarchy of resource groups, subscriptions, and management groups.
- Resource
- Anything you create, provision, deploy (VMs, VNs, DBs, ...)
- Resource Group
- Group resources (not nested)
- Resource can only be in one group
- Apply action or policy on resource group -> apply on all resources
- Azure Subscription
{:height 277, :width 654}- Unit of management, billing, and scale
- provides you with authenticated and authorized access to Azure products and services
- Boundaries around products, services and resources
- Billing boundary
- Access control boundary: access-management policies at the subscription level
- Separates Subscriptions based on
- Environments: Dev vs Testing
- Organizational structures: IT vs HR
- Billing: Production vs Rest
- Management Groups
- https://learn.microsoft.com/en-us/training/wwl-azure/describe-core-architectural-components-of-azure/media/management-groups-subscriptions-dfd5a108-60f31f5a.png
- organize subscriptions into containers called management groups and apply governance conditions to the management groups
- Facts
- 10,000 management groups can be supported in a single directory.
- A management group tree can support up to six levels of depth. This limit doesn't include the root level or the subscription level.
- Each management group and subscription can support only one parent.
- Goals
-
Describe Azure compute and networking services
- Goals
- Compare compute types, including container instances, virtual machines, and functions
- Describe virtual machine (VM) options, including VMs, Virtual Machine Scale Sets, availability sets, Azure Virtual Desktop
- Describe resources required for virtual machines
- Describe application hosting options, including Azure Web Apps, containers, and virtual machines
- Describe virtual networking, including the purpose of Azure Virtual Networks, Azure virtual subnets, peering, Azure DNS, VPN Gateway, and ExpressRoute
- Define public and private endpoints
-
Azure virtual machines (IaaS)
- VMs provide infrastructure as a service
- Total control over the operating system (OS).
- The ability to run custom software.
- To use custom hosting configurations.
-
Virtual machine scale sets
- group of identical, load-balanced VMs
- automatically increase or decrease in response to demand
- scale based on a defined schedule
- group of identical, load-balanced VMs
-
Virtual machine availability sets (no additional cost)
- stagger updates and have varied power and network connectivity by up to three fault domains
- update domain
- VMs that can be rebooted at the same time
- fault domain
- VMs by common power source and network switch
-
Exercise - Create an Azure virtual machine
-
az vm create --resource-group "learn-f942f893-d72a-4614-9bec-d920bd0d3c96" --name my-vm --public-ip-sku Standard --image Ubuntu2204 --admin-username azureuser --generate-ssh-keys -
az vm extension set --resource-group "learn-f942f893-d72a-4614-9bec-d920bd0d3c96" --vm-name my-vm --name customScript --publisher Microsoft.Azure.Extensions --version 2.1 --settings '{"fileUris":["https://raw.githubusercontent.com/MicrosoftDocs/mslearn-welcome-to-azure/master/configure-nginx.sh"]}' --protected-settings '{"commandToExecute": "./configure-nginx.sh"}'
-
- VMs provide infrastructure as a service
-
Azure virtual desktop
- cloud-hosted version of Windows
- connect with any devices, secure data in the cloud
- data and apps are separated from the local hardware
- user sessions are isolated in both single and multi-session environments.
-
Azure containers
- you don't manage the operating system for a container
- VMs virtualize Hardware <-> Container virtualize OS
-
Azure Container Instances (PaaS)
- upload your containers and then the service runs the containers for you
-
Azure Container Apps (PaaS)
- incorporate load balancing and scaling
-
Azure Kubernetes Service (AKS)
- orchestration service manages the lifecycle of containers
-
Azure functions
- event-driven, serverless compute option
- an event wakes the function, alleviating the need to keep resources provisioned when there are no events
- work can be completed quickly, within seconds or less.
- stateless: behave as if they restart every time
- stateful: Durable Functions - a context is passed through the function to track prior activity
-
Azure App Service
- HTTP-based service for hosting web applications, REST APIs, and mobile back ends
- automatic scaling and high availability
-
Web apps
- full support for hosting web apps
-
API apps
- REST-based web APIs by using your choice of language and framework. You get full Swagger support and the ability to package and publish your API in Azure Marketplace
-
WebJobs
- to run a program or script in the same context as a web app, API app, or mobile app
- scheduled or run by a trigger
- are often used to run background tasks as part of your application logic.
-
Mobile apps
- quickly build a back end for iOS and Android apps
- Store mobile app data in a cloud-based SQL database.
- Send push notifications.
- ...
- quickly build a back end for iOS and Android apps
-
Azure virtual networking
- Public endpoints: have a public IP address and can be accessed from anywhere in the world.
- Private endpoints: exist within a virtual network and have a private IP address from within the address space of that virtual network.
-
Isolation and segmentation
- define a private IP address space by using either public or private IP address ranges
- divide that IP address space into subnets and allocate part of the defined address space to each named subnet.
- use the name resolution service built into Azure or use either an internal or an external DNS server
-
Internet communications
- enable incoming connections from the internet by assigning a public IP
- putting the resource behind a public load balancer
-
Communicate between Azure resources
- Virtual Networks connect: App Service Environment for Power Apps, Azure Kubernetes Service, and Azure virtual machine scale sets
- Service endpoints can connect to other Azure resource types, such as Azure SQL databases and storage accounts
-
Communicate with on-premises resources
- link resources together in your on-premises environment and within your Azure subscription
- create a network that spans both your local and cloud environments
- Point-to-site virtual private network: connections are from a computer outside your organization back into your corporate network. In this case, the client computer initiates an encrypted VPN connection to connect to the Azure virtual network.
- Site-to-site virtual private networks: link your on-premises VPN device or gateway to the Azure VPN gateway in a virtual network. In effect, the devices in Azure can appear as being on the local network. The connection is encrypted and works over the internet.
- Azure ExpressRoute: provides a dedicated private connectivity to Azure that doesn't travel over the internet. ExpressRoute is useful for environments where you need greater bandwidth and even higher levels of security.
-
Route network traffic
- Azure routes traffic between subnets on any connected virtual networks, on-premises networks, and the internet.
- Route tables allow you to define rules about how traffic should be directed
- Border Gateway Protocol (BGP) works with Azure VPN gateways, Azure Route Server, or Azure ExpressRoute to propagate on-premises BGP routes to Azure virtual networks.
-
Filter network traffic
- Network security groups are Azure resources that can contain multiple inbound and outbound security rules. You can define these rules to allow or block traffic, based on factors such as source and destination IP address, port, and protocol.
- Network virtual appliances are specialized VMs that can be compared to a hardened network appliance. A network virtual appliance carries out a particular network function, such as running a firewall or performing wide area network (WAN) optimization.
-
Connect virtual networks
- link virtual networks together by using virtual network peering
- Network traffic between peered networks is private, and travels on the Microsoft backbone network, never entering the public internet.
- Goals
-
Azure virtual private networks
-
VPN gateways
- only one VPN gateway in each virtual network
- one gateway to connect to multiple locations, which includes other virtual networks or on-premises datacenters.
- Connect on-premises datacenters to virtual networks through a site-to-site connection.
- Connect individual devices to virtual networks through a point-to-site connection.
- Connect virtual networks to other virtual networks through a network-to-network connection.
- Policy-based
- VPN gateways specify statically the IP address of packets that should be encrypted through each tunnel. This type of device evaluates every data packet against those sets of IP addresses to choose the tunnel where that packet is going to be sent through.
- Route-based
- IPSec tunnels are modeled as a network interface or virtual tunnel interface. IP routing (either static routes or dynamic routing protocols) decides which one of these tunnel interfaces to use when sending each packet. Route-based VPNs are the preferred connection method for on-premises devices. They're more resilient to topology changes such as the creation of new subnets.
- Connections between virtual networks
- Point-to-site connections
- Multisite connections
- Coexistence with an Azure ExpressRoute gateway
- primary distinction between these two types is how they determine which traffic needs encryption.
-
High-availability scenarios
-
Active/standby
- gateways are deployed as two instances in an active/standby configuration, even if you only see one VPN gateway resource in Azure
-
Active/active
- assign a unique public IP address to each instance. You then create separate tunnels from the on-premises device to each IP address. You can extend the high availability by deploying an additional VPN device on-premises.
-
ExpressRoute failover
- provision a VPN gateway that uses the internet as an alternative method of connectivity
-
Zone-redundant gateways
- In regions that support availability zones, VPN gateways and ExpressRoute gateways can be deployed in a zone-redundant configuration. This configuration brings resiliency, scalability, and higher availability to virtual network gateways. Deploying gateways in Azure availability zones physically and logically separates gateways within a region while protecting your on-premises network connectivity to Azure from zone-level failures. These gateways require different gateway stock keeping units (SKUs) and use Standard public IP addresses instead of Basic public IP addresses.
-
-
Azure ExpressRoute
- extend your on-premises networks into the Microsoft cloud over a private connection
- Connectivity can be from an any-to-any (IP VPN) network, a point-to-point Ethernet network, or a virtual cross-connection through a connectivity provider at a colocation facility
- ExpressRoute connections don't go over the public Internet
-
Azure DNS
-
Reliability and performance
- Azure DNS uses anycast networking, so the closest available DNS server answers each DNS query
-
Security
- Azure role-based access control, Activity logs, Resource locking
-
Ease of use
- manage your domains and records with the Azure portal, Azure PowerShell cmdlets, and the cross-platform Azure CLI.
-
Customizable virtual networks with private domains
-
Alias records
-
-
-
