az-900 Flashcards
Scalability
adjust resources to meet demand. Pay for what you use.
Vertical scaling
adding more resources, add CPU or RAM to an existing server or VM to increase its capacity. (Up or Down)
Horizontal scaling (elastic scaling)
adding or removing servers or instances to handle increased load. (In & Out). Add VMs or containers. (Auto or manual)
Reliability
the ability of a system to recover from failures and continue to function.
Elasticity
the ability to scale IT infrastructure up or down to meet changing demands. (Automatic scaling)
Predictability
forecasting performance or cost.
Security
data encryption, identity and access management.
Governance
teams provide oversight and monitoring features to maintain and improve security posture over time.
Manageability
managing cloud resources
Agility
cloud-based resources can be deployed and configured quickly as your application requirements change. Quickly and easily allocate and deallocate resources as needed. (Scale quickly)
Performance predictability
predict the resources needed to deliver a satisfying experience for your customers.
Cost predictability
predict the cost of the cloud spend.
Management of the cloud
managing your cloud resources.
- Automatically scale resource deployment based on need.
- Deploy resources based on a preconfigured template, removing the need for manual configuration.
- Monitor the health of resources and automatically replace failing resources.
- Receive automatic alerts based on configured metrics, so you’re aware of performance in real time.
Management in the cloud
how you’re able to manage your cloud environment & resources. You can manage these:
- Through a web portal.
- Using a command line interface.
- Using APIs. (Application programming interface)
- Using PowerShell.
IaaS
you manage applications, runtimes, security & integration, databases, data, O/S, and middleware.
Region
a group of multiple datacenters (availability zones); a region will generally contain 3 AZs.
PaaS
you manage applications & data
Azure Region pairs
Most Azure regions are paired with another region within the same geography (such as US, Europe, or Asia). The paired regions are at least 300 miles apart.
Sovereign regions
a subset of Azure regions that are dedicated to hosting data that has specific compliance and regulatory requirements, such as data sovereignty, residency, and privacy. These regions are designed to provide additional data protection and compliance measures, including isolated network connectivity and data replication within the same geographic region.
Availability zones (primarily for VMs, managed disks, load balancers, and SQL databases)
a physical location made up of 1 or more data centers. Equipped with independent power, cooling, and networking. Set up to be an isolation boundary. If 1 zone goes down, the other continues working. They are connected through high-speed, private fiber-optic networks.
Azure datacenters
are unique physical buildings located all over the globe that house a group of networked computer servers.
Each contains a number of physical servers with their own power, cooling, & networking infrastructure.
A resource group and a resource can be in 2 different locations (T or F)
True
A resource can only be in 1 resource group. (T or F)
True
Subscription
a unit of management, billing, and scale; allows you to logically organize your resource groups and facilitates billing.
Billing boundary
how an Azure account is billed for using Azure. You can create multiple subscriptions for different types of billing requirements. Azure generates separate billing reports and invoices for each subscription so that you can organize and manage costs.
Access control boundary
Azure applies access-management policies at the subscription level, allowing you to manage and control access to the resources that users provision with specific subscriptions.
Environments
create subscriptions to set up separate environments for development and testing, security, or to isolate data for compliance reasons. Resource access control occurs at the subscription level.
Organizational structures
You can create subscriptions to reflect different organizational structures. EX: you could limit one team to lower-cost resources, while allowing the IT department a full range. This design allows you to manage and control access to the resources that users provision within each subscription.
Billing
You can create additional subscriptions for billing purposes. Because costs are first aggregated at the subscription level, you might want to create subscriptions to manage and track costs based on your needs. You might want to create one subscription for your production workloads and another subscription for your development and testing workloads.
Azure management groups
manage access, policies, and compliance across multiple subscriptions. Offer a higher level of scope above individual subscriptions.
VMs (IaaS offering)
provide an abstraction layer of CPU, memory and storage.
Containers
virtualize the OS. Can quickly restart if there’s a crash or hardware interruption. Azure supports Docker.
Azure Functions (PaaS offering) a serverless solution
that allows you to write less code in the cloud w/o the need to manage the underlying servers, infrastructure or OSs.
Azure Virtual machine Scale Sets (VMSS) (IaaS offering):
create and manage a group of identical and load-balanced virtual machines.
Availability Sets (VM AS)
Ensure that VMs stagger updates and have varied power and network connectivity, preventing you from losing all your VMs with a single network or power failure.
Update domain
groups VMs that can be rebooted at the same time. Apply updates while knowing that only 1 update domain grouping will be offline at a time. All of the machines in one update domain will be updated. An update domain going through the update process is given 30 minutes to recover before maintenance on the next update domain starts.
Fault domain
groups your VMs by common power source and network switch. By default, an availability set will split your VMs across up to 3 fault domains. Helps protect against a physical power or networking failure by having VMs in different fault domains (thus being connected to different power and networking resources).
Azure Virtual Desktop (AVD)
a desktop virtualization and application virtualization service that runs on the cloud and enables users to use a cloud-hosted version of Windows (Windows 10 and 11 desktop versions) from anywhere in the world.
Containers
provide a virtualization environment where you can run multiple instances of applications on a single physical or virtual host.
Azure Container Instances (ACI) (PaaS offering)
Runs a container or pod of containers in Azure w/o having to manage any VMs.
Azure Container App (PaaS offering)
like Container Instances, but can load balance and scale.
Azure Kubernetes Service (AKS) (PaaS offering)
Easy to deploy, manage, and scale containerized applications. Uses the open source Kubernetes (K8s) software.
Azure App Service (PaaS offering):
build and host web apps, background jobs, mobile back-ends and RESTful APIs in the programming language of your choice w/o managing infrastructure.
Web Apps
hosting web apps by using ASP.NET, ASP.NET Core, Java, Ruby, Node.js, PHP, or Python. You can choose either Windows or Linux as the host OS.
API Apps:
you can build REST-based web APIs by using your choice of language and framework. You get full Swagger support and the ability to package and publish your API in Azure Marketplace. The produced apps can be consumed from any HTTP- or HTTPS-based client.
WebJobs
run a program (.exe, Java, PHP, Python, or Node.js) or script (.cmd, .bat, PowerShell, or Bash) in the same context as a web app, API app, or mobile app. They can be scheduled or run by a trigger. WebJobs are often used to run background tasks as part of your application logic.
Mobile Apps:
build a backend for iOS and Android apps. With just a few actions in the Azure portal, you can:
- Store mobile app data in a cloud-based SQL database.
- Authenticate customers against common social providers, such as MSA, Google, Twitter, and Facebook.
- Send push notifications.
- Execute custom back-end logic in C# or Node.js.
Azure DNS:
a hosting service for DNS domains that provides name resolution by using Microsoft Azure infrastructure. By hosting your domains in Azure, you can manage your DNS records using the same credentials, APIs, tools, and billing as your other Azure services.
Azure Public DNS
is a hosting service for DNS domains. By hosting your domains in Azure, you can manage your DNS records by using the same credentials, APIs, tools, and billing as your other Azure services.
Azure Private DNS
is a DNS service for your virtual networks. Manages and resolves domain names in the virtual network without the need to configure a custom DNS solution.
Azure DNS Private Resolver
enables you to query Azure DNS private zones from an on-premises environment and vice versa without deploying VM-based DNS servers.
Point-to-site virtual private network (P2S VPN)
connections are from a computer outside your organization back into your corporate network. In this case, the client computer initiates an encrypted VPN connection to connect to the Azure virtual network. Useful for telecommuters who want to connect to Azure VNets from a remote location, such as from home or a conference.
Site-to-site virtual private networks (S2S VPN)
link your on-premises VPN device or gateway to the Azure VPN gateway in a virtual network. The devices in Azure can appear as being on the local network. The connection is encrypted and works over the internet.
Azure ExpressRoute:
dedicated private connectivity to Azure that doesn’t travel over the internet. Useful for environments where you need greater bandwidth and even higher levels of security.
Border Gateway Protocol (BGP)
works with Azure VPN gateways, Azure Route Server, or Azure ExpressRoute to propagate on-premises BGP routes to Azure virtual networks.
Route tables
define rules about how traffic should be directed. Create custom route tables that control how packets are routed between subnets.
Azure virtual subnets
subnets are the smaller networks used to divide a virtual network into multiple sub-networks for the organization. A subnet is a range of IP addresses in the VNet. Each network interface card (NIC) in a virtual machine is connected to 1 subnet in 1 VNet. After this, we can deploy our resources into a specific subnet in the virtual network.
Virtual Network Peering (VNet Peering)
connects 2 VNets within Azure through a private network, over the private IP address space, giving seamless connectivity between 2 or more VNets in Azure. No need for a public IP address in VNet peering.
Regional VNet peering:
connects VNets within the same Azure region.
CloudExchange colocation
your datacenter, office, or other facility being physically co-located at a cloud exchange, such as an ISP.
Global VNet peering:
connects VNets across Azure regions.
Point-to-point Ethernet connection
using a P2P connection to connect your facility to the Microsoft cloud.
Any-to-any connection
you can integrate your wide area network (WAN) with Azure by providing connections to your offices and datacenters.
Azure load balancer
even traffic distribution for non-HTTP (non-web) traffic.
Public load balancer
can provide outbound connections for virtual machines (VMs) inside your virtual network by translating their private IP addresses to public IP addresses. Used to load balance internet traffic to your VMs.
An internal (or private) load balancer
is used where private IPs are needed at the frontend only. Used to load balance traffic inside a virtual network.
Azure application gateway
even traffic distribution for HTTP (web) traffic.
Azure Content Delivery Network (CDN)
global content caching & distribution to offload web applications & reduce latency.
Azure VPN Gateway (virtual network gateway)
send encrypted traffic between an Azure virtual network and an on-premises location over the public internet.
Policy-based VPN gateway
statically specify the IP addresses of packets that should be encrypted through each tunnel. Evaluates every data packet against those sets of IP addresses to choose the tunnel that packet is sent through.
Route-based gateways
IPSec tunnels are modeled as a network interface or virtual tunnel interface. IP routing (either static routes or dynamic routing protocols) decides which one of these tunnel interfaces to use when sending each packet. Route-based VPNs are the preferred connection method for on-premises devices. They’re more resilient to topology changes such as the creation of new subnets.
Virtual Network Gateway (VNG):
A site-to-site VPN connection between an Azure virtual network and your local network.
Public endpoints
have a public IP address and can be accessed from anywhere in the world. You can access the managed instance from multi-tenant Azure services like Power BI or Azure App Service, or from an on-premises network. No need for a VPN.
Private endpoints
a network interface that uses a private IP address from your VNet. This network interface connects you privately and securely to the service provided by Azure Private Link. By enabling a private endpoint, you are bringing the service into your virtual network.
Hot tier
storing data that is accessed frequently. Highest storage cost, lowest access cost. Ex: Images for your website.
Cool storage tier
data that is infrequently accessed and stored for at least 30 days. Lowest storage cost, higher access cost. Ex: customer invoices
Archive storage tier
data that is rarely accessed and stored for at least 180 days with flexible latency requirements. Lowest storage cost, highest access cost. Highest data retrieval & rehydration costs. Ex: long term backups.
Cold tier
An online tier optimized for storing data that is rarely accessed or modified, but still requires fast retrieval. Data in the cold tier should be stored for a minimum of 90 days. The cold tier has lower storage costs and higher access costs compared to the cool tier.
Hot and cool access tiers can be set at the account level.
True
Hot, cool, cold, and archive tiers can be set at the blob level, during or after upload
True
Locally redundant storage (LRS)
copies your data synchronously 3 times within a single physical location in the primary region. (99.999999999%) (11 nines) durability. Cheapest option. Not recommended for apps requiring high availability or durability.
Zone-redundant storage (ZRS)
Copies data synchronously across 3 AZs in a primary region. (99.9999999999%) (12 nines) durability. For applications requiring high availability, Microsoft recommends using ZRS in the primary region, and also replicating to a secondary region.
Geo-redundant storage (GRS)
copies your data synchronously 3 times within a single physical location in the primary region using LRS. Then copies your data asynchronously to a single physical location in the secondary region. Within the secondary region, your data is copied synchronously 3 times using LRS. (99.999999999%) (16 nines) of durability. GRS replicates data by storing 3 copies in each of 2 regions.
Geo-zone-redundant storage (GZRS)
copies your data synchronously across 3 Azure AZs in the primary region using ZRS. Then copies your data asynchronously to a single physical location in the secondary region. Within the secondary region, your data is copied synchronously 3 times using LRS. (99.999999999%) (16 nines) of durability. (For a total of 6 copies of your data.)
Read-access geo-redundant storage (RA-GRS)
Copies data synchronously in the primary region. Copies data synchronously to another region. (99.999999999%) (16 nines) of durability.
Read-access geo-zone-redundant storage (RA-GZRS)
Copies data synchronously across 3 AZs in a physical region. Copies data synchronously to another region. (99.999999999%) (16 nines) of durability.
Synchronously
guarantees the data is going to be there.
Asynchronously
all the data might not be there yet.
Azure Storage account (PaaS)
provides a unique namespace for your Azure Storage data that’s accessible from anywhere in the world over HTTP or HTTPS. Data in this account is secure, highly available, durable, and massively scalable.
AzCopy
a command-line utility used to copy blobs or files to or from your storage account. Upload files, download files, copy files between storage accounts, & synchronize files. Can upload VHD files to Azure storage accounts.
Azure Storage Explorer
a graphical interface for working with Azure Storage data on Windows, macOS, and Linux. You can create blob containers, upload files, create snapshots of disks, or move data between storage accounts.
Azure File Sync
maintains a bidirectional synchronization of files between your on-premises and cloud Windows servers. Automatically keeps files between an on-premises Windows server and an Azure cloud environment updated.
Azure Migrate
helps you migrate from an on-premises environment to the cloud.
Azure Data Box
moves large amounts of offline data to Azure.
Disaster recovery:
restoring operations after a disaster.
Microsoft Entra ID
can authenticate and authorize against multiple sources: your on-premises AD, web applications, social logins (e.g. Facebook or Google), Office 365, or Azure.
Authentication
verify identity to access applications and resources
Microsoft Entra Domain Services
provides managed domain services such as domain join, group policy, lightweight directory access protocol (LDAP), and Kerberos/NTLM authentication.
Single sign-on (SSO)
enables a user to sign in one time and use that credential to access multiple resources and applications from different providers.
MFA
prompting a user for an extra form (or factor) of identification during the sign-in process
Passwordless authentication
the password is removed and replaced with something you have, something you are, or something you know.
FIDO2 security keys (Fast IDentity Online)
allows users and organizations to leverage the standard to sign in to their resources w/o a username or password by using an external security key or a platform key built into a device.
- USB devices, Bluetooth or NFC
Business to business (B2B) collaboration
Collaborate with external users by letting them use their preferred identity to sign in to your Microsoft applications or other enterprise applications (SaaS apps, custom-developed apps, etc.). B2B collaboration users are represented in your directory, typically as guest users.
B2B direct connect
Establish a mutual, two-way trust with another Microsoft Entra organization for seamless collaboration. Supports Teams shared channels, enabling external users to access your resources from within their home instances of Teams. B2B direct connect users aren’t represented in your directory, but they’re visible from within the Teams shared channel and can be monitored in Teams admin center reports.
Microsoft Azure Active Directory business to customer (B2C)
Publish modern SaaS apps or custom-developed apps (excluding Microsoft apps) to consumers and customers, while using Azure AD B2C for identity and access management. Supports Entra & social identities.
Entra ID multi-tenant organization
collaborate with multiple tenants in a single Entra ID organization via cross-tenant synchronization. Good for conglomerates, mergers, multi-cloud, dev/test/staging tenants.
Conditional Access:
a tool that Microsoft Entra ID uses to allow (or deny) access to resources based on identity signals.
role-based access control (RBAC)
helps you manage who has access to Azure resources, what they can do with those resources, and which resources/areas they have access to.
Owner role
you can read, grant, create, update & delete
Contributor role
You can read, create, update & delete but YOU CANNOT GRANT
Reader role
Read only
User Access Administrator
You can only grant
Verify explicitly
Always authenticate and authorize based on all available data points.
Use least privilege access
Limit user access with Just-In-Time and Just-Enough-Access (JIT/JEA), risk-based adaptive policies, and data protection
Assume breach
Minimize blast radius and segment access. Verify end-to-end encryption. Use analytics to get visibility, drive threat detection, and improve defenses.
Physical security layer
first line of defense to protect computing hardware in the datacenter.
Identity & access layer
ensures identities are secure, that access is granted only to what’s needed, and that sign-in events and changes are logged.
- Control access to infrastructure and change control.
- Use SSO & MFA.
- Audit events and changes.
Perimeter layer
protects from network-based attacks against your resources. Identifying these attacks, eliminating their impact, and alerting you when they happen are important ways to keep your network secure.
Network layer
limits communication between resources through segmentation and access controls.
Compute layer
secures access to virtual machines. Implement endpoint protection on devices and keep systems patched and current.
Application layer
ensure that applications are secure and free of security vulnerabilities. Store sensitive application secrets in a secure storage medium. Make security a design requirement for all application development.
Data layer
controls access to business and customer data that you need to protect.
Distributed Denial of Service (DDoS) attack
a malicious attempt to disrupt normal traffic by flooding a website with large amounts of fake traffic.
Microsoft Defender for Cloud:
monitors, assesses, and improves the security posture of your Azure resources. It continuously analyzes the security state of your Azure workloads and provides security recommendations based on best practices and industry standards. Monitors your cloud, on-premises, hybrid, and multi-cloud environments.
Continuously assess
Know your security posture. Identify and track vulnerabilities.
Secure
Harden resources and services with Azure Security Benchmark.
Defend
Detect and resolve threats to resources, workloads, and services.
Overall Compliance: Regulatory Compliance
provides an overview of your organization’s compliance posture against various regulatory standards and frameworks. It gives you insights into how well your organization aligns with regulatory requirements and helps you assess your overall compliance status.
Azure Pricing Calculator
gives you an estimated cost for provisioning resources in Azure. Estimate the cost of any provisioned resources, including compute, storage, and associated network costs. You can even account for different storage options like storage type, access tier, and redundancy.
TCO calculator
compares the cost of running an on-premises infrastructure to an Azure cloud infrastructure. You enter your current infrastructure configuration, including servers, databases, storage, and outbound network traffic.
Cost Management:
check Azure resource costs, create alerts based on resource spend, and create budgets that can be used to automate management of resources. Helps you monitor, analyze & optimize your Azure spending. It provides cost analysis, budgeting and alerts.
Tags
a key and value pair that you can assign to Azure resources. Tags are specific to individual resources and must be applied directly to each resource separately.
Microsoft Purview uses
1) Risk and compliance - for risk, compliance and legal teams.
- Protect sensitive data across clouds, apps, and devices.
- Identify data risks and manage regulatory compliance requirements.
- Get started with regulatory compliance.
- Helps manage and monitor your data with Teams, OneDrive, & Exchange.
2) Unified data governance - for data consumers, data engineers, data officers.
- Identify where sensitive data is stored in your estate.
- Create an up-to-date map of your entire data estate that includes data classification and end-to-end lineage.
- Create a secure environment for data consumers to find valuable data.
- Generate insights about how your data is stored and used.
- Manage access to the data in your estate securely and at scale.
- Data Catalog - enables data discovery.
- Data Sharing - shares data within and between organizations.
- Data Estate Insights - assesses data estate health.
- Data Policy - governs access to data.
Azure Policy
allows you to enforce and assess compliance with organizational standards and best practices across your Azure environment. It provides a centralized way to define and enforce policies that govern resource configurations and deployments.
Policy Initiative
a group of policy definitions. (group related policies together)