3 Az 900 Course Slides Exam Key Points

AZ-900 Syllabus Outline / Course Structure

Introduction to the Course (Sections 1-2)
• Getting Started with Azure

Describe cloud concepts (25–30%) (Sections 3-5)
• Describe cloud computing
• Describe the benefits of using cloud services
• Describe cloud service types

Describe Azure architecture and services (35–40%) (Sections 6-9)
• Describe the core architectural components of Azure
• Describe Azure compute and networking services
• Describe Azure storage services
• Describe Azure identity, access, and security

Describe Azure management and governance (30–35%) (Sections 10-13)
• Describe cost management in Azure
• Describe features and tools in Azure for governance and compliance
• Describe features and tools for managing and deploying Azure resources
• Describe monitoring tools in Azure
How to get the most out of this course?
• Watch all videos
• Adjust playback speed
• Create a study schedule
• Get hands-on
• Divide the course into chunks and set achievable goals
• Download the course slides and take notes
• Refer to the additional reference material
• Revise using the exam key points videos for each section
• Practice with mock tests in the exam simulator!


Azure: Brief History

Microsoft
• Windows OS
• Office applications

Microsoft Azure
• Internal cloud initiative ‘Project Red Dog’ in 2008
• Commercially released as ‘Windows Azure’ in 2010
• Early reviews after the 2010 release were mixed: limited documentation, difficult to use web UI
• In 2014, new Azure portal with enhanced UI
• Rebranded as ‘Microsoft Azure’ in 2014
• In 2019, more than 160 services, with more announced each year

Azure Customers
• More than 90% of Fortune 500 companies
• Thousands of new customers per month
• Common drivers: availability of Azure skills, existing attachment to the Microsoft environment

Some well known Azure customers (case studies: https://azure.microsoft.com/en-in/case-studies/)
• Rolls Royce
• GE
• Flipkart
• Ebay
• Samsung
• Dell
• Johnson Controls
• And more

Second largest public cloud provider after AWS


What is Cloud Computing?

What is cloud? (word-cloud slide) Terms shown: “Virtual Machines”, “Azure”, “Machine Learning”, “On-premise”, “Public Cloud”, “Hybrid Cloud”, “GCP”, “Self hosting”, “Software as a service”, “AWS”, “Infrastructure as a service”, “Platform as a service”, “Pay-as-you-go”, “Serverless Computing”, “Edge Computing”
Simple Web Architecture (diagram): a Desktop Client and a Mobile Client reach www.example.com over the Internet; the website backend consists of a Web Server and a Database Server.
On-Premise Infrastructure
• Controlled badge access
• Physical server, networking and storage equipment
• High speed internet connection
• Server and room temperature control
• Networking, database, security experts
• Software installation

Expectation vs Reality: On-Premise Infrastructure (image slide)
What is Cloud?
• Data center infrastructure managed by "Cloud Providers"
• Compute, storage, database, and more
• Services like Virtual Machine, Relational Database, File Storage
• Host a web app, run big data analytics
• Good for start-ups – no upfront hardware investment is lost if the venture fails
• Scalability for large enterprises
Simple Web Interface to Cloud Services (portal screenshot)

Formal Cloud Computing Definition
NIST SP 800-145: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-145.pdf

Key Cloud Characteristics (NIST)
• On-Demand Self Service
• Broad Network Access
• Resource Pooling
• Rapid Elasticity
• Measured Service
Cloud vs On-Premise

Cost of ownership
• Cloud: no upfront cost, pay as per usage
• On-premise: buy and upgrade hardware, floor space, power, cooling, physical security, maintenance staff

Control
• Cloud: you control your app and data; the provider controls the underlying infrastructure
• On-premise: the organization has complete control of the whole stack (data remains on-premise)

Security
• Cloud: the provider has large security teams responsible for patching and protecting the infrastructure; you still secure what you deploy on it
• On-premise: the organization must regularly patch systems itself, typically with smaller security staff and budget, and carries its own compliance burden

Provisioning/Setup
• Cloud: easy to set up infrastructure with a few clicks
• On-premise: takes significant time, money and resources for the initial setup

Growth/Scalability
• Cloud: easy to scale up or down based on demand, with automatic/programmatic scaling
• On-premise: new physical servers need to be added, which might take weeks

Availability/Fault tolerance
• Cloud: replication at the data and infrastructure level
• On-premise: the organization needs to handle backup and redundancy for failures and natural disasters itself
Shared Responsibility Model

Best Practices

For Providers
• Transparency
• Security Features
• Compliance Assistance

For Consumers
• Understanding the Model
• Regular Audits
• Training and Awareness
• Access Management
• Data Protection
Types of Cloud

Public
• Managed by cloud service providers like Azure, AWS
• Characteristics: Shared Resources, Scalability, Cost-effectiveness
• Concerns: Security, Data Sovereignty
• Use Cases: Web-based applications, Development and testing, Big Data processing

Private
• Used exclusively by one organization
• Characteristics: Dedicated Resources, Customizability, Enhanced security
• Concerns: Cost, Management
• Use Cases: Government agencies, Financial Institutions, Healthcare, Internal Large Enterprise Apps

Hybrid
• Combines private and public cloud
• Characteristics: Dual Environment, Edge Computing, Scalability, Cost, Maintenance
• Concerns: Integration, Data Management, Data Security
• Use Cases: Regulatory compliance, Disaster recovery, Low latency Edge Computing environments

Multi
• Use of multiple public clouds
• Characteristics: Vendor Flexibility, Performance, Cost Management, Improved Resilience
• Concerns: Complex Management
• Use Cases: Innovation, Disaster Recovery
Consumption-Based Model

Traditional Model
• Purchase resources ahead of time
• Involves high CAPEX
• Often leads to unused/wasted resources

Consumption-Based Model
• Operates on a pay-as-you-go basis
• Capacity dynamically scales with usage
• Involves efficient OPEX
• Optimizes resource usage and cost

Consumption-Based Model Benefits
✓ Cost Efficiency
✓ Scalability
✓ Budget Control and Transparency
✓ Reduced Risk and Flexibility

Example: Major sale event at an E-commerce company
Cloud Pricing Models

Pay-as-you-go
• Aligns with the consumption-based model
• Pay only for the resources you use. Example: the time for which a VM is running
• Benefits: Flexibility, Cost Control, Scalability
• Use Case: Startup

Reserved Instances
• For customers who can predict their long-term needs
• Up to 75% savings with 1- or 3-year term contracts (Azure quotes up to 72% for reserved VM instances)
• The commitment is paid whether or not the capacity is used
• Benefits: Significant Savings, Predictable Workloads, Budgeting
• Use Case: Financial institution running a predictable workload

Spot Instances
• Maximum discounts up to 90%
• Use spare cloud capacity when available, but it can be reclaimed at any time, so the workload must tolerate interruption
• Benefits: Maximum Savings, Batch processing
• Use Case: Media company rendering a video
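The three pricing models are easiest to compare on a concrete demand curve. The Python below is an added example written for this page, not material from the course: the hourly rate, the 40% reservation discount, the daily demand profile and the 20% spot re-work allowance are constructed assumptions, and only the "up to 90%" spot discount comes from the slide. It finds the reservation size that minimises a month's bill both by brute force and by the break-even rule (reserve an instance only if it is busy for more than 1 - discount of the hours), and prices an interruptible batch job on spot capacity.

```python
# Comparing pay-as-you-go, reserved and spot pricing on a variable workload.
# Added example for this page, not from the course slides. Rate, reservation
# discount, demand curve and spot re-work factor are constructed assumptions;
# only the "up to 90%" spot discount is quoted by the slides.
HOURS_PER_DAY = 24
DAYS = 30                  # billing month assumed to be 30 days

PAYG_RATE = 0.10           # assumed on-demand price per VM-hour
RESERVED_DISCOUNT = 0.40   # assumed discount for a 1-year reservation
SPOT_DISCOUNT = 0.90       # slides: spot capacity discounted up to 90%

# Constructed daily demand in VM instances: quiet night, busy day, evening peak.
DEMAND_DAY = [4] * 8 + [8] * 12 + [12] * 4


def monthly_cost(reserved, demand_day=DEMAND_DAY):
    """Pay for `reserved` instances every hour of the month, used or not,
    and cover demand above that line with pay-as-you-go instances."""
    reserved_hourly = PAYG_RATE * (1 - RESERVED_DISCOUNT)
    reserved_cost = reserved * reserved_hourly * HOURS_PER_DAY * DAYS
    overflow_hours = sum(max(0, d - reserved) for d in demand_day) * DAYS
    return reserved_cost + overflow_hours * PAYG_RATE


def cheapest_reservation(demand_day=DEMAND_DAY):
    """Brute force: try every reservation size from zero up to peak demand
    and return (size, monthly cost) for the cheapest."""
    sizes = range(max(demand_day) + 1)
    best = min(sizes, key=lambda n: monthly_cost(n, demand_day))
    return best, monthly_cost(best, demand_day)


def reservation_by_utilization(demand_day=DEMAND_DAY):
    """Closed-form rule: reserving the k-th instance only pays off when it
    is busy for more than (1 - discount) of the hours; below that it is
    cheaper to rent those hours on demand."""
    threshold = 1 - RESERVED_DISCOUNT
    k = 0
    while sum(1 for d in demand_day if d > k) / len(demand_day) > threshold:
        k += 1
    return k


def spot_batch_cost(vm_hours, rework_fraction=0.2):
    """Spot capacity can be reclaimed at any time, so an interruptible batch
    job re-does some work after evictions; 20% re-work is an assumption."""
    return vm_hours * (1 + rework_fraction) * PAYG_RATE * (1 - SPOT_DISCOUNT)


if __name__ == "__main__":
    size, cost = cheapest_reservation()
    print(f"all pay-as-you-go: {monthly_cost(0):.2f}")
    print(f"reserve {size} (brute force) -> {cost:.2f}; "
          f"utilization rule -> reserve {reservation_by_utilization()}")
    print(f"1000 VM-hour batch on spot: {spot_batch_cost(1000):.2f} "
          f"vs {1000 * PAYG_RATE:.2f} on demand")
```

With these assumptions the night-time floor of four instances and the daytime eight are worth reserving (each is busy at least two thirds of the day, above the 60% break-even), while the four-instance evening peak is cheaper on pay-as-you-go; both methods land on a reservation of eight. The spot figure is only meaningful because the job can be restarted: an eviction in the middle of a non-restartable task is an outage, not a discount.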
Cloud Market Share

Public Cloud Market Share (chart): https://www.statista.com/statistics/967365/worldwide-cloud-infrastructure-services-market-share-vendor/
Important Points to Remember for AZ-900 exam (Describe cloud computing)

1. Define Cloud Computing
✓ Cloud computing provides access to on-demand computing resources over the internet. Cloud providers manage the physical infrastructure
✓ Resources in cloud computing include servers, storage, databases, networking, software, and analytics.
✓ It offers scalability, flexibility, and cost-efficiency.
✓ Organizations can scale their computing resources dynamically based on demand.
✓ Clients only pay for the resources they consume (operational expenditure). It eliminates the need for upfront capital investments in hardware.
2. Shared Responsibility Model
✓ Security and responsibilities are shared between the cloud provider and the customer.
✓ Cloud providers handle physical infrastructure security (datacenters and hosts), the physical network, and the hypervisor.
✓ Customers are responsible for securing their data, their applications and, in IaaS, the operating system. The split differs by service type (IaaS, PaaS, SaaS).
✓ In IaaS, customers manage the operating system (patching, hardening) and the applications.
✓ In PaaS, customers manage applications and data; the provider manages the platform, including the OS and runtime.
✓ In SaaS, the provider manages everything except customer data, accounts and access management.
✓ Whatever the service type, information and data, devices, and accounts and identities always remain the customer's responsibility.
✓ Understanding the shared responsibility model is crucial for maintaining security and compliance.
3. Define cloud models, including public, private, and hybrid
✓ Public Cloud:
  ✓ Resources are owned and managed by a third-party provider.
  ✓ Public Cloud services are accessible over the internet and offer scalability.
  ✓ Public Clouds typically use a pay-as-you-go pricing model
✓ Private Cloud:
  ✓ Exclusively used by one organization, offering more control and security.
  ✓ Private Clouds can be on-premises or hosted by a third party.
✓ Hybrid Cloud:
  ✓ Combines public and private clouds for flexibility and optimized performance.
  ✓ Hybrid Clouds allow data and applications to be shared between private and public environments.
  ✓ Hybrid Clouds are ideal for organizations needing to meet regulatory and compliance requirements.
4. Cloud Model Use Cases
✓ Public Cloud:
  ✓ Suitable for scalable and flexible resource needs that do not require dedicated (single-tenant) infrastructure.
  ✓ Good for varying workloads and cost management, for example web-based applications, storage, and backup.
✓ Private Cloud:
  ✓ Ideal for organizations with strict compliance and security needs.
  ✓ Used for hosting sensitive data and critical applications by financial institutions, healthcare, and government agencies
✓ Hybrid Cloud:
  ✓ Best for balancing security, control, and cost-efficiency.
  ✓ Allows leveraging existing infrastructure while extending capabilities with the public cloud.
5. Consumption-Based Model
✓ Customers are billed based on their actual usage of resources.
✓ This pay-as-you-go model aligns costs with usage.
✓ Ideal for businesses with variable workloads.
✓ Eliminates the need for upfront investments in hardware.
✓ Reduces waste and improves cost efficiency as it supports scalability and dynamic resource allocation.
✓ Helps in optimizing operational expenses over capital expenses.
6. Compare cloud pricing models
✓ Pay-as-you-go:
  ✓ Billed based on actual usage, flexible and cost-efficient.
  ✓ Pay-as-you-go offers scalability and cost management.
✓ Reserved Instances:
  ✓ Long-term commitment with discounted rates, suitable for predictable workloads.
  ✓ Reserved Instances provide significant savings for long-term usage
✓ Spot Instances:
  ✓ Spare capacity at reduced rates, suitable for flexible, non-critical tasks.
  ✓ Spot Instances can save up to 90% for interruptible workloads
✓ Choosing the right pricing model depends on workload patterns and business needs.
Cloud Benefits: High Availability and Scalability

Availability
• Continuous functioning of services
• Measured as a percentage (e.g. 99.9% uptime)
• Increase availability through redundancy to ensure continuity
• Example: Automatic failover during an outage
• Committed in Service Level Agreements (SLA), with service credits if the commitment is missed

Scalability
• Ability to handle increased workload
• Unlike on-premise, the cloud provides an easy way to add resources when demand increases
• Types of scalability:
  • Vertical
  • Horizontal
• Vertical Scalability – increasing the capacity of the existing resource (e.g. a bigger VM size)
• Horizontal Scalability – adding units to distribute the load (e.g. more VM instances behind a load balancer)
• Horizontal scaling is practically unlimited (bounded only by subscription quotas), whereas vertical scaling stops at the largest available size
Cloud Benefits: Reliability and Predictability

Reliability
• Means recovering from failures and continuing to operate
• How does the cloud provider achieve it?
  • Decentralized Global Architecture
  • Redundant Systems and Backup
  • Automated Failover to other regions and Disaster Recovery

Predictability
• The cloud provides predictable cost and ensures consistent performance
• How does the cloud provider achieve it?
  • Pay-as-you-go Pricing
  • Cost Management Tools
  • Budget Management
  • Predictable Performance
Cloud Benefits: Security and Governance

Security
• Security of customer data, applications and cloud infrastructure
• How does the cloud provider achieve it?
  • Multi-layered Defenses
  • Data Encryption (at rest and in transit)
  • Regular Security Updates and Patching
  • Threat Detection and Monitoring
  • Compliance with security standards and regulations such as ISO 27001, GDPR, HIPAA, etc.
• Caveat: the provider secures the platform; under the shared responsibility model you remain responsible for identities, data and the configuration of what you deploy

Governance
• Maintain control over how cloud resources are accessed and configured
• How does the cloud provider achieve it?
  • Policy Based Management
  • Role Based Access Control (RBAC)
  • Centralized Management
  • Resource Optimization
  • Automation and Self-Service
Cloud Benefits: Manageability

Manageability
• How easy it is to control, monitor and maintain your resources in the cloud
• How does the cloud provider achieve it?
  • Simplified Resource Management
  • Monitoring and Alerting
  • Automation and Scaling
  • Configuration Management
  • Cost Management
Important Points to Remember for AZ-900 exam (Benefits of Cloud Computing)

1. High Availability and Scalability
✓ High availability ensures continuous operation and minimal downtime by using redundant components (replicating resources across multiple regions or zones) to avoid single points of failure
✓ High availability prevents financial losses by ensuring continuous service and uninterrupted revenue generation
✓ Scalability allows for manual and automatic adjustments of resources to handle increasing or decreasing workloads efficiently
✓ Horizontal scaling involves adding more instances or servers to a system to distribute the load, improving performance and resilience
✓ Vertical scaling involves upgrading existing resources, such as increasing CPU or RAM, to handle larger workloads (resizing an Azure VM requires a restart)
✓ Elasticity refers to the dynamic adjustment of resources based on real-time demand, optimizing performance and cost
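How redundancy turns into an availability percentage, and how chained dependencies eat it back, is worth seeing in numbers. The Python below is an added example for this page, not from the course slides; the 99.9% single-VM and 99.99% database figures are assumptions for illustration (the only SLA the slides quote is 99.99% for VMs spread across availability zones). It computes serial and parallel availability, the "at least k of n" case where losing capacity is itself an outage, and the resulting minutes of downtime per month.

```python
# Availability arithmetic behind the "redundancy raises availability" claim.
# Added example, not from the course slides. The SLA figures used below are
# assumptions for illustration; the slides only quote 99.99% for VMs spread
# across availability zones.
import math

MINUTES_PER_MONTH = 30 * 24 * 60  # 43,200; a 30-day month is assumed


def serial(*availabilities):
    """Availability of a chain in which every part must be up at once
    (web tier AND database AND network): the fractions multiply, so every
    extra dependency pulls the total below its weakest link."""
    result = 1.0
    for a in availabilities:
        result *= a
    return result


def parallel(availability, copies):
    """Availability of `copies` independent replicas where one survivor is
    enough (active/passive failover): the service is only down when every
    copy is down at the same time."""
    return 1.0 - (1.0 - availability) ** copies


def k_of_n(availability, n, k):
    """Probability that at least k of n independent replicas are up. Use
    this when losing capacity counts as an outage, not just losing the
    last replica (e.g. three web VMs of which two are needed for the load)."""
    return sum(
        math.comb(n, up) * availability ** up * (1.0 - availability) ** (n - up)
        for up in range(k, n + 1)
    )


def downtime_minutes(availability):
    """Turn a percentage into minutes per month, which is what the business
    actually feels."""
    return (1.0 - availability) * MINUTES_PER_MONTH


def worked_example():
    """Assumed figures: single VM 99.9%, zone-redundant database 99.99%."""
    vm, db = 0.999, 0.9999
    single = serial(vm, db)                  # one VM in front of the database
    failover = serial(parallel(vm, 2), db)   # two VMs in different zones, automatic failover
    return {
        "single_vm_and_db": single,
        "two_vms_and_db": failover,
        "downtime_single_min": downtime_minutes(single),
        "downtime_failover_min": downtime_minutes(failover),
        "three_vms_need_two": k_of_n(vm, 3, 2),
    }


if __name__ == "__main__":
    for name, value in worked_example().items():
        print(f"{name:>24}: {value:.6f}")
```

Two things the numbers show that the bullet list does not: a second VM takes the web tier from 99.9% to 99.9999%, but the composite is still capped by the 99.99% database it depends on (about 4.4 minutes a month instead of 47), and "three VMs, two needed" (99.9997%) is far weaker than "three VMs, one needed" because the capacity requirement, not just liveness, decides what counts as an outage.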
2. Reliability and Predictability
✓ Reliability ensures consistent performance and quick recovery from failures, enhancing the overall trustworthiness of the cloud service
✓ Disaster recovery ensures minimal downtime and data loss by leveraging backups and replication across multiple regions
✓ Predictability involves accurately forecasting future costs, ensuring consistent performance, scalability, and efficient resource allocation.
✓ It helps organizations plan their budgets and avoid unexpected charges
✓ Fault tolerance minimizes the impact of individual component failures, ensuring continued operation
3. Security and Governance
✓ Cloud providers offer regular updates and patches to address vulnerabilities and enhance security
✓ Centralized management and monitoring streamline the security process and facilitate threat detection and response
✓ Cloud services adhere to industry-standard compliance frameworks, such as ISO 27001, HIPAA, and GDPR, ensuring robust security and privacy
✓ Users retain full control over their data, managing access and implementing security measures like encryption without Azure personnel interference
✓ Azure's integrated security features reduce the need for specialized expertise and simplify complex security management tasks
4. Manageability in Cloud
✓ Manageability in the cloud includes managing the cloud and managing in the cloud, ensuring efficient operations and resource utilization
✓ Management of the cloud involves administrative tasks like performance monitoring, security compliance, and resource management, ensuring optimal operations
✓ Programmatically creating or terminating virtual machines using command-line scripts exemplifies enhanced manageability within the cloud
✓ Automated scaling (auto-scaling) allows for dynamic adjustment of resources based on real-time demand, optimizing performance and cost
✓ Cloud services provide tools for monitoring and managing costs, helping organizations plan budgets and avoid unexpected expenses
Cloud Service Types
Cloud Service Types

• Infrastructure as a Service (IaaS)

• Platform as a Service (PaaS)

• Software as a Service (SaaS)

‘What you manage and what the cloud provider manages’


Cloud Service Types: IaaS, PaaS and SaaS

The stack, bottom to top: Facilities, Networking, Storage, Servers, Virtualization, OS, Runtime, Application, Data.

On-premise: you manage every layer, from Facilities up to Data.

‘What you manage and what the cloud provider manages’
Infrastructure as a Service (IaaS)

On-premise vs IaaS (diagram):
• On-premise: you manage all layers (Facilities, Networking, Storage, Servers, Virtualization, OS, Runtime, Application, Data)
• IaaS: the cloud provider manages Facilities, Networking, Storage, Servers and Virtualization; you manage OS, Runtime, Application and Data

IaaS Service Example
• Virtual Machine Service in the Cloud
• Who manages what?
  • The cloud provider manages the physical server, networking and hypervisor, and supplies an OS image
  • You manage the OS (patching, hardening, local accounts) and everything above it

IaaS Typical Use Cases
• ‘Lift and Shift’ Migration
• Test and Development Environment
• Storage, Backup and Disaster Recovery
• Web Application Hosting
Platform as a Service (PaaS)

On-premise vs IaaS vs PaaS (diagram):
• On-premise: you manage all layers
• IaaS: the provider manages Facilities through Virtualization; you manage OS, Runtime, Application and Data
• PaaS: the provider additionally manages OS and Runtime; you manage Application and Data

PaaS Service Examples
• Azure SQL Database
• Azure App Service, etc.

PaaS Typical Use Cases
• Developing Cloud Native Applications
• Analytics and Business Intelligence
• Rapid Application Development
Software as a Service (SaaS)

SaaS: the provider manages everything from Facilities up to the Application; you manage your Data and who may access it.

Cloud Service Types: who manages which layer

Layer            On-premise   IaaS       PaaS       SaaS
Data             You          You        You        You
Application      You          You        You        Provider
Runtime          You          You        Provider   Provider
OS               You          You        Provider   Provider
Virtualization   You          Provider   Provider   Provider
Servers          You          Provider   Provider   Provider
Storage          You          Provider   Provider   Provider
Networking       You          Provider   Provider   Provider
Facilities       You          Provider   Provider   Provider
Important Points to Remember for AZ-900 exam (Cloud Service Types)

1. Infrastructure as a Service (IaaS)
✓ IaaS provides virtualized computing resources over the internet, including virtual machines, storage, and networks
✓ Customers are responsible for managing the operating system, applications, data, and middleware
✓ IaaS offers high flexibility and control over the infrastructure compared to other models
✓ Examples of IaaS include Azure Virtual Machines and Azure Virtual Networks
✓ Ideal for lift-and-shift migrations, testing, and development environments
✓ Allows organizations to avoid the costs and complexities of managing physical servers
✓ Customers must handle security tasks such as patching the OS and securing applications
2. Platform as a Service (PaaS)
✓ PaaS provides a platform allowing customers to develop, run, and manage applications without handling the underlying infrastructure
✓ The cloud provider manages the underlying hardware, servers, middleware, and operating system
✓ Examples of PaaS include Azure App Service and Azure SQL Database
✓ PaaS is suitable for application development, reducing development time and minimizing OS management efforts
✓ Offers development frameworks, middleware, and database management systems
✓ Customers are responsible for application data management, code updates, and user access configuration
✓ PaaS solutions often include tools for version control and seamless integration with other cloud services
3. Software as a Service (SaaS)
✓ SaaS provides complete, fully managed applications accessible over the internet, eliminating the need for users to manage the underlying infrastructure
✓ The service provider handles all aspects of the software, including maintenance, updates, and security
✓ Examples of SaaS include Microsoft Office 365 (now Microsoft 365), Microsoft Dynamics 365, and Outlook
✓ Customers access SaaS applications through a web browser or application interface on a subscription basis
✓ SaaS solutions minimize the management responsibility of the customer
✓ Users are responsible for managing their data and user-specific configurations within the application
✓ The cloud provider ensures scalability, availability, and security of the SaaS applications
✓ SaaS is ideal for businesses looking to use powerful software without worrying about infrastructure maintenance
4. Use Cases for IaaS, PaaS and SaaS
✓ IaaS:
  ✓ IaaS is suitable for lift-and-shift migrations, testing and development environments, and scenarios requiring high control over the infrastructure
  ✓ IaaS is ideal for running legacy applications that require direct interactions with the operating system, such as those needing Windows Registry access
  ✓ IaaS allows businesses to replicate on-premises environments in the cloud while maintaining existing configurations
✓ PaaS:
  ✓ PaaS is suitable for developing custom applications and handling application data management and user access
  ✓ PaaS solutions like Azure App Service enable automatic scaling and efficient deployment of web applications
✓ SaaS:
  ✓ SaaS is best for accessing fully managed applications without worrying about underlying infrastructure and software maintenance
  ✓ SaaS solutions are perfect for using software applications on a subscription basis, providing flexibility and ease of use
Azure Operating Hierarchy

Azure Account > Subscriptions > Resource Groups > Resources

Azure Physical Infrastructure

(diagram) Server Room → Azure Data Center → Azure Data Center Location, chosen with Disaster Recovery and Proximity to Users in mind

Azure Regions: what drives the choice of region
• Geographical Proximity
• Data Residency and compliance
• Availability Zones
• Pricing
Azure Sovereign Regions
• Isolated from the main (global) Azure cloud
• Exist to meet compliance and regulatory requirements
• Physically and logically isolated (separate datacenters, network, identity and service endpoints)

US Government
• Only the US Government (federal and state) and its partners can use it
• Operated by screened US personnel
• Special portal: https://portal.azure.us

China
• Data centers are not operated by Microsoft
• Operated by 21Vianet
• Special portal: https://portal.azure.cn

Practical check: tooling must be pointed at the sovereign endpoints (for Azure CLI, az cloud set --name AzureUSGovernment or az cloud set --name AzureChinaCloud); credentials and resources from the global cloud do not carry over.
Azure Availability Zones
• Your data should be protected in case of server failures
• For on-prem:
  • Additional backup hardware
  • Primary and secondary locations should be miles apart
• In Azure, Availability Zones provide fault tolerance within a region

Azure Availability Zones (diagram): an Azure Region contains Availability Zone 1, Availability Zone 2 and Availability Zone 3, each made up of one or more Datacenters
Azure Region Pair

(diagram) A region is made up of three Availability Zones, each with its own datacenters; two such regions within one Geography are paired, e.g. East US ↔ West US

Azure Region Pair Key Points
• Predetermined Region Pair: Microsoft defines the pairing, not the customer
• Distance between regions: at least 300 miles apart where possible
• Data Residency: both regions of a pair stay within the same geography
• Unidirectional vs Bidirectional: not every pairing is symmetric
• Azure Updates: planned platform updates roll out to one region of a pair at a time

Azure Resilience Summary
• Data center down → other data center within the AZ
• If an AZ goes down → other AZs within the region
• If a region goes down → the paired region is the fallback (only if you have deployed or replicated there; pairing alone does not fail your workload over)

Resources and Resource Groups

Azure Resources
• Fundamental building block in Azure
• A resource is created in a region, chosen based on:
  • Pricing
  • Latency
  • Compliance

Resource Group
• Logical container for your resources
• A resource must belong to a resource group
• Policy applied to a resource group is inherited by all resources in it
• Best practice – group resources that share the same lifecycle

Resource and Resource Group Key Points
• A resource can exist in only one resource group
• Add, remove or move resources in a resource group
• A resource group has its own location (region), which is where its metadata is stored; the resources within it can be in other regions
• Resource groups cannot be nested
• Role assignments and policies applied to the group are inherited by its resources
• Resources in different resource groups can still interact (for example a VM in one group can use a virtual network in another)
• Tags applied to the group are not inherited by its resources
• Permissions with RBAC

Azure Subscription
• Unit of billing and management
• Billing Boundary:
  • Separate payment method
  • Manage cost for different departments
• Access Control Boundary:
  • Policies and role assignments are inherited by resource groups and resources
  • Reflect the organization structure
• An account can contain multiple subscriptions; a subscription can belong to just one account
• What if your corporation expands and ends up with many subscriptions?

Azure Management Groups

(diagram) Root Management Group → IT Management Group and Marketing Management Group; IT Management Group → Production Management Group and R&D Management Group; R&D Management Group → Dev/Test Apps Management Group; subscriptions (Free Trial, Paid, Pay-as-you-go) sit under the management groups; a Policy is assigned at a management group and flows down.

• Organize subscriptions
• Flexible management hierarchy providing unified policy and access management
• Common use case with Azure Policy and RBAC
• Few key points:
  • Scale – 10,000 management groups per directory
  • Hierarchy depth
  • Parent-child relationship
  • Nesting
  • Inheritance
  • RBAC
• Enhanced governance and security
Resource Management Best Practices in Azure

Logically Grouping Resources
• By functionality, project or environment

Consistent Naming Convention
• Helps identify a resource, its purpose and its relationship to other resources. Example: prod-SQL-EastUS-1

Tags
• Categorize resources by criteria to provide quick insights. Useful for cost management

Resource Locks
• Prevent accidental deletion or modification. Example: read-only (ReadOnly) and delete (CanNotDelete) locks. Locks apply to every user and role, Owners included, until the lock is removed

Role Based Access Control (RBAC)
• Principle of least privilege; continuously review and update permissions

Continuous Monitoring and Governance
• Azure Policy and tools like Azure Monitor & Azure Advisor
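Which of the practices above inherit down the Azure scope tree and which do not is what people most often get wrong in practice. The Python below is an added example written for this page; it is not course material and not an Azure SDK, just a small model of management groups, subscriptions, resource groups and resources. Every name in it is invented ('mg-it', 'sub-prod', 'rg-web-prod', 'vm-web-01', the principals 'sec-team', 'app-owners' and 'interns', the policy string). It shows role assignments and policies flowing down, tags not flowing down, the no-nesting rule for resource groups, the six-level management group depth limit, a CanNotDelete lock stopping a Contributor, and a resource picking up new inherited permissions when it is moved.

```python
# Model of the Azure management scope tree (management groups ->
# subscriptions -> resource groups -> resources) and what flows down it.
# Added example, not from the course slides and not an Azure SDK: all scope
# names, principals and the policy string are made up.
from dataclasses import dataclass, field

MAX_MG_DEPTH = 6                      # management-group levels below the root
DELETE_ROLES = {"Owner", "Contributor"}
ALLOWED_PARENT = {                    # what each scope kind may sit under
    "management_group": {"management_group"},
    "subscription": {"management_group"},
    "resource_group": {"subscription"},   # resource groups never nest
    "resource": {"resource_group"},       # a resource is in exactly one group
}


@dataclass
class Scope:
    name: str
    kind: str
    parent: "Scope | None" = None
    children: list = field(default_factory=list)
    roles: dict = field(default_factory=dict)   # principal -> set of role names
    policies: set = field(default_factory=set)
    locks: set = field(default_factory=set)     # "CanNotDelete" / "ReadOnly"
    tags: dict = field(default_factory=dict)


def mg_depth(scope):
    """Number of management-group levels between `scope` and the root."""
    depth = 0
    while scope.parent is not None and scope.kind == "management_group":
        depth, scope = depth + 1, scope.parent
    return depth


def check_placement(parent, child):
    """None if `child` may be placed under `parent`, otherwise the reason."""
    if parent.kind not in ALLOWED_PARENT[child.kind]:
        return f"a {child.kind} cannot be placed under a {parent.kind}"
    if child.kind == "management_group" and mg_depth(parent) + 1 > MAX_MG_DEPTH:
        return "management groups may nest at most six levels below the root"
    return None


def add_child(parent, child):
    reason = check_placement(parent, child)
    if reason:
        raise ValueError(reason)
    child.parent = parent
    parent.children.append(child)
    return child


def chain(scope):
    """The scope itself followed by every ancestor up to the root."""
    while scope is not None:
        yield scope
        scope = scope.parent


def effective_roles(scope, principal):
    """RBAC is additive and inherited: the union of roles on every ancestor."""
    return set().union(*(s.roles.get(principal, set()) for s in chain(scope)))


def effective_policies(scope):
    """Policy assignments are inherited the same way."""
    return set().union(*(s.policies for s in chain(scope)))


def effective_tags(scope):
    """Tags do not inherit; only the tags set on the scope itself count."""
    return dict(scope.tags)


def can_delete(scope, principal):
    """A delete needs a role that allows it AND no lock anywhere up the chain;
    locks bind everyone, Owners included, until someone removes them."""
    if not effective_roles(scope, principal) & DELETE_ROLES:
        return False, "no role with delete permission"
    for s in chain(scope):
        if s.locks & {"CanNotDelete", "ReadOnly"}:
            return False, f"locked at {s.name}"
    return True, "allowed"


def move_resource(resource, new_group):
    """Moving a resource changes what it inherits: it now gets the roles,
    policies and locks of the destination group, not the source."""
    resource.parent.children.remove(resource)
    resource.parent = None
    add_child(new_group, resource)


def build_demo():
    root = Scope("Tenant Root Group", "management_group")
    it = add_child(root, Scope("mg-it", "management_group"))
    prod = add_child(it, Scope("mg-production", "management_group"))
    sub = add_child(prod, Scope("sub-prod", "subscription"))
    rg = add_child(sub, Scope("rg-web-prod", "resource_group"))
    vm = add_child(rg, Scope("vm-web-01", "resource"))
    sandbox = add_child(sub, Scope("rg-sandbox", "resource_group"))
    root.roles["sec-team"] = {"Reader"}          # read everywhere, by inheritance
    sub.roles["app-owners"] = {"Contributor"}    # can change anything in the subscription
    sandbox.roles["interns"] = {"Contributor"}   # scoped to one resource group
    it.policies.add("allowed-locations: eastus, westus")
    rg.locks.add("CanNotDelete")                 # protects production from accidents
    rg.tags["env"] = "prod"
    return {"root": root, "it": it, "sub": sub, "rg": rg, "vm": vm, "sandbox": sandbox}
```

The two security-relevant behaviours to take from it: a Contributor on the subscription cannot delete the production VM while the resource-group lock is in place (the lock is a separate control from RBAC, and removing it is itself an action worth alerting on), and moving a resource into another resource group silently changes who can act on it, because it inherits the destination's role assignments. Tags, by contrast, have to be set on the resource itself if you want to bill or filter by them.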
Important Points to Remember for AZ-900 exam (Azure Core Architectural Components)

1. Azure Regions, Sovereign Regions and Region Pair
✓ Azure Regions
  ✓ Azure regions are a set of datacenters deployed within a latency-defined perimeter and connected through a dedicated regional low-latency network
  ✓ Azure regions are designed for specific geographical locations and are used to deploy Azure resources closer to users to reduce latency
  ✓ Resources can be deployed across multiple regions to ensure higher availability and resilience
  ✓ Services may not be uniformly available in all regions due to regulatory, infrastructure, and demand considerations
✓ Region Pair
  ✓ A region pair consists of two regions within the same geography to provide disaster recovery and high availability
  ✓ Each region in a pair is configured to ensure that both regions are not affected by updates or disasters simultaneously
✓ Sovereign Regions
  ✓ Sovereign regions are specialized regions that meet compliance and regulatory requirements specific to certain countries or regions
  ✓ Examples of sovereign regions include Azure Government (US) and Azure China, operated by 21Vianet
2. Azure Availability Zones
✓ Availability Zones are unique physically separate locations within an Azure region
✓ Each zone consists of one or more datacenters with independent power, cooling, and networking
✓ Availability zones provide redundancy within a single region; for protection against a whole-region outage, resources must be spread across multiple regions
✓ Using availability zones can help achieve higher availability by minimizing the impact of localized failures
✓ Azure commits to a 99.99% VM uptime SLA when two or more VMs are deployed across two or more availability zones in the same region
✓ Availability Zones protect applications and data from datacenter failures
✓ Not all regions have availability zones; regions with availability zones must have at least three zones
3. Azure Datacenters
✓ Azure datacenters are located around the world and grouped into regions for better performance and compliance
✓ Datacenters are physical facilities that house networking, computing, and storage resources for Azure services
✓ Each datacenter is equipped with its own power, cooling, and networking infrastructure to ensure operational independence
✓ Azure datacenters undergo rigorous third-party audits to meet various international security and compliance standards
✓ Deploying resources in datacenters geographically close to users reduces latency and improves performance
✓ Azure regions with multiple datacenters ensure data redundancy and high availability
4. Azure Resources and Resource Groups
✓ Resource groups are logical containers that hold related Azure resources for better management and deployment
✓ Resources cannot belong to multiple resource groups simultaneously; they must be assigned to a single resource group
✓ Resources within a resource group do not need to reside in the same region
✓ Resource groups support role-based access control (RBAC), enabling permissions to be applied at the group level
✓ Resources can be moved between resource groups and subscriptions
✓ Resource groups simplify the application of policies and tagging to all resources within the group
✓ Deleting a resource group deletes all resources within it
✓ Tags assigned to resource groups do not automatically apply to resources within them
5. Azure Subscriptions
Important
✓ A subscription is a logical unit that manages Azure resources and links them to an
Points to Azure account for billing and access control
Remember for ✓ Subscriptions are fundamental units for tracking resource usage and implementing
governance policies
AZ-900 exam ✓ Multiple subscriptions can be created under one Azure account for better
organization and cost management
✓ Each subscription has its own billing, usage, and access control policies
✓ Subscriptions can be used to allocate resources and budgets to different projects or
departments within an organization
✓ Resources can be moved between subscriptions but merging subscriptions is not
possible
✓ There is no limit to the number of subscriptions a single Azure account can have
✓ Subscriptions can be organized into management groups for hierarchical
management and policy enforcement
6. Azure Management Groups
✓ Management groups allow for the hierarchical organization of multiple subscriptions for centralized management and policy enforcement
✓ Management groups help enforce uniform policies, ensuring regulatory compliance across the enterprise
✓ Management groups support efficient management of access control across multiple subscriptions
✓ Policies, permissions, and compliance settings applied to a management group are inherited by all subscriptions and resources within that group
✓ Subscriptions and other management groups can be included within a management group but not resources directly
✓ Management groups can be nested up to six levels deep, excluding the root level and subscription level
✓ Using management groups, organizations can streamline processes for access control, billing, and compliance
7. Azure Operating Hierarchy (Management groups, subscriptions, etc.)
✓ Azure supports a hierarchical structure for organizing resources: Management Groups > Subscriptions > Resource Groups > Resources
✓ Management groups are at the top of the hierarchy and can include multiple subscriptions
✓ Subscriptions contain one or more resource groups and serve as the billing and access control boundary
✓ Resource groups are containers that hold related Azure resources for management and deployment
✓ Each resource must belong to a single resource group and cannot span multiple groups
✓ Policies and permissions applied at higher levels in the hierarchy are inherited by lower levels
✓ Hierarchical organization helps in managing large-scale Azure environments with consistent governance and compliance
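The hierarchy and inheritance rules from points 6 and 7 above, modelled as an added example (Python written for this page, not part of the course material). The node kinds, policy names and the sample tenant are constructed; the six-level nesting limit and the rule that resources cannot sit directly under a management group come from the slides.

```python
from __future__ import annotations

from dataclasses import dataclass, field

MAX_MG_DEPTH = 6  # management groups nest up to six levels deep, not counting the root

# Which kinds of node may be placed directly under a parent of each kind. Resources never
# sit directly under a management group: they need a resource group inside a subscription.
ALLOWED_CHILDREN = {
    "root": {"mg", "subscription"},
    "mg": {"mg", "subscription"},
    "subscription": {"rg"},
    "rg": {"resource"},
    "resource": set(),
}


@dataclass(eq=False)
class Node:
    name: str
    kind: str  # "root", "mg", "subscription", "rg" or "resource"
    parent: Node | None = None
    policies: set[str] = field(default_factory=set)  # assignments made directly at this node
    children: list[Node] = field(default_factory=list)

    def mg_depth(self) -> int:
        """Count the management groups on the path from the root down to this node."""
        depth, cur = 0, self
        while cur is not None:
            if cur.kind == "mg":
                depth += 1
            cur = cur.parent
        return depth

    def add(self, child: Node) -> Node:
        """Attach child under this node, enforcing the hierarchy rules from the slides."""
        if child.kind not in ALLOWED_CHILDREN[self.kind]:
            raise ValueError(f"{child.kind} '{child.name}' cannot be placed under {self.kind} '{self.name}'")
        if child.parent is not None:  # every node belongs to exactly one parent
            raise ValueError(f"'{child.name}' already belongs to '{child.parent.name}'")
        child.parent = self
        if child.kind == "mg" and child.mg_depth() > MAX_MG_DEPTH:
            child.parent = None
            raise ValueError(f"management groups cannot be nested more than {MAX_MG_DEPTH} levels deep")
        self.children.append(child)
        return child

    def effective_policies(self) -> set[str]:
        """Policies assigned here plus everything inherited from every ancestor."""
        result, cur = set(), self
        while cur is not None:
            result |= cur.policies
            cur = cur.parent
        return result


def placement_error(parent: Node, child: Node) -> str | None:
    """Return why a placement is rejected, or None when it is allowed (and then performed)."""
    try:
        parent.add(child)
    except ValueError as exc:
        return str(exc)
    return None


def nest_management_groups(root: Node, levels: int) -> str | None:
    """Nest `levels` management groups below root; return the first rejection reason, if any."""
    cur = root
    for i in range(levels):
        err = placement_error(cur, Node(f"level-{i + 1}", "mg"))
        if err:
            return err
        cur = cur.children[-1]
    return None


def build_sample_hierarchy() -> dict[str, Node]:
    """Constructed sample tenant: root > Corp MG > Production MG > subscription > RG > VM."""
    root = Node("Tenant Root Group", "root", policies={"deny-public-ip"})
    corp = root.add(Node("Corp", "mg", policies={"allowed-locations"}))
    prod = corp.add(Node("Production", "mg", policies={"require-tags"}))
    sub = prod.add(Node("Prod Subscription", "subscription"))
    rg = sub.add(Node("web-rg", "rg", policies={"audit-vm-backup"}))
    vm = rg.add(Node("web-vm-01", "resource"))
    return {n.name: n for n in (root, corp, prod, sub, rg, vm)}


if __name__ == "__main__":
    nodes = build_sample_hierarchy()
    print("web-vm-01 effective policies:", sorted(nodes["web-vm-01"].effective_policies()))
    print(placement_error(nodes["Corp"], Node("stray-vm", "resource")))
    print(nest_management_groups(Node("r", "root"), 7))
```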
Azure Compute Services
What are Compute Services?

• Processing power to run applications and execute code
• Includes processors, disks, memory, etc.
• All applications need compute power to execute code and perform tasks
• Compute services in the cloud are on-demand

Azure Compute Services
• Virtual Machine
• Virtual Machine Scale Sets
• Azure Containers (ACI & AKS)
• Azure App Service
• Azure Function App
Azure Virtual Machine (VM)

[Diagram: you access your VM over the internet through the Azure Portal, Azure CLI, SDK or ARM; your Azure virtual machine (OS, CPU, memory, storage, applications) runs on physical server racks in an Azure data center]
Benefits of Azure Virtual Machines

Complete Control
• Configure the VM (hardware and software) to your needs to run your custom applications

Scalability
• Scale up (increase the VM size) or scale out (increase the number of VMs)

Customization with Templates
• Pre-configured templates with OS and additional software

Cost Efficiency
• No need to maintain expensive data centers with physical servers

Security
• Control access to your VM and monitor activity

Hybrid Flexibility
• Seamlessly connect with your existing on-premise infrastructure
Concept of Load Balancing

[Diagram, normal access scenario: users access the app website via the internet; a single virtual machine runs your app]

[Diagram, increased traffic: with more users sending traffic to your website, a single virtual machine cannot handle the overload]

[Diagram, load balancing: a load balancer spreads the increased traffic to your application across additional VMs configured to run the same app]
Azure VM Scale Sets

[Diagram: dynamic traffic from many users to your application is spread across the VMs of a scale set]

• Autoscaling based on demand
• Cost efficient: pay for what you use
• Identical VMs running the same code
• Azure handles configuration changes
• Scale up or scale out; able to create multiple scale sets
• Integrated load balancing feature
Azure VM Availability Sets

[Diagram, without availability sets: VM 1, VM 2 and VM 3 all run in one data center, so a power failure scenario takes all three down]

[Diagram, Azure availability sets: inside the data center, Availability Set 1 places VM1 and VM3 (update domains UD #1 and UD #3) on the server rack of Fault Domain 1 and VM2 and VM4 (UD #2 and UD #4) on the server rack of Fault Domain 2; Availability Set 2 places VM5 (UD #5) and VM6 (UD #1) on the two racks in the same way]

• Fault Domain
• Update Domain
Azure Virtual Desktop

[Diagram: a virtual desktop in the Azure cloud, a protected workspace managed by the enterprise, is accessed from a personal, unsecured computer]

• Virtualization of the Entire Desktop Environment
• Flexible Remote Work Solutions
• Access from Any Device
• Enhanced Security
• Cost-effective solution
• Scalability and Flexibility
• Separation of Apps and Data from Local Hardware (Legacy software)
What are Containers?
Microservice Architecture

[Diagram: a monolithic architecture runs the entire application code on VM 1; a microservice architecture splits it into Inventory, Discount, Cart, Notification, Shipping and Order services reached through an API]
Containers

Virtualization: Packages app with OS, libraries, and software into one unit.
Resource-Efficient: Shares host OS kernel; more efficient than VMs.
Lightweight: No need to manage OS; quick startup and scaling.
Process Isolation: Runs multiple containers side by side securely.
Microservices: One microservice per container; simplifies deployment and scaling.
Optimized: Multiple containers on one VM, ideal for microservices architecture.
Containers in Azure
Container Services in Azure

Azure Container Instances (ACI)
• Simple and quick deployment
• Ideal for beginners

Azure Container Apps
• Containers without management overhead
• Platform as a Service
• Auto-scaling and load balancing
• Offers elastic environment

Azure Kubernetes Service (AKS)
• Enterprise-grade container orchestration
• Advanced management features
• Open source
• Complex workload at scale
Azure App Service

Platform as a Service Offering: Fully managed environment to focus solely on the code.
Deployment: Package code and upload to Azure. Azure manages everything else (even the operating system).
Different types of Supported Applications: Web apps, web jobs, mobile apps, API apps.
Built-in Mobile App Features: user authentication and push notification built-in features.
CI/CD: Integrates seamlessly with GitHub, DevOps and other CI/CD solutions.
Autoscaling: auto-scale based on demand to optimize cost of resources
What is Serverless?
Application Architecture

[Diagram: a mobile/web application talks to an API server, a web server and a database server, each hosted on its own Azure VM]

Application Architecture - Scaling

[Diagram: the API server, web server and database server are each backed by VM Scale Sets]

Application Architecture - Serverless

[Diagram: the same three tiers are provided by API Management, Azure Functions and Cosmos DB]
What are Azure Functions?
Azure Functions
• Run code on demand
• No management of underlying infrastructure

Triggers

[Diagram: Trigger -> Azure Function]

• Each Azure function has exactly one trigger
• Common types:
  • HTTP Trigger
  • Timer Trigger
  • Blob Storage Trigger
  • Queue Trigger

https://docs.microsoft.com/en-us/azure/azure-functions/functions-triggers-bindings

Input and Output Bindings

[Diagram: Trigger -> Azure Function, with an input binding feeding data into the function and an output binding receiving its result]

• Bindings: Declarative way of connecting services/resources with Azure functions
• Binding types:
  • Input Binding
  • Output Binding

Things to Remember about Triggers and Bindings

• Azure function can have zero or more bindings
• Azure function must have exactly one trigger
• Triggers and bindings reduce boilerplate code

https://docs.microsoft.com/en-us/azure/azure-functions/functions-triggers-bindings
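The trigger and binding rules above, checked against a function.json file: an added example written for this page (Python, not code from the course or from Microsoft). The sample function.json is constructed; its keys follow the documented function.json layout, and the queue, blob and table names are placeholders.

```python
import json

# Constructed function.json for this example: a queue-triggered function with one input
# binding (a blob) and one output binding (a table). Names and connection settings are
# placeholders.
SAMPLE_FUNCTION_JSON = """
{
  "bindings": [
    {"type": "queueTrigger", "direction": "in", "name": "msg",
     "queueName": "orders", "connection": "AzureWebJobsStorage"},
    {"type": "blob", "direction": "in", "name": "orderDetails",
     "path": "orders/{queueTrigger}.json", "connection": "AzureWebJobsStorage"},
    {"type": "table", "direction": "out", "name": "processedOrders",
     "tableName": "processed", "connection": "AzureWebJobsStorage"}
  ]
}
"""


def is_trigger(binding: dict) -> bool:
    """Trigger bindings are recognised by their type name ending in 'Trigger'."""
    return binding.get("type", "").lower().endswith("trigger")


def summarize_bindings(text: str) -> dict:
    """Parse a function.json, classify its bindings and list rule violations under 'problems'."""
    summary = {"trigger": None, "inputs": [], "outputs": [], "problems": []}
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        summary["problems"].append(f"invalid JSON: {exc.msg}")
        return summary
    bindings = cfg.get("bindings") if isinstance(cfg, dict) else None
    if not isinstance(bindings, list):
        summary["problems"].append("'bindings' must be a list")
        return summary

    triggers, seen_names = [], set()
    for b in bindings:
        name, direction = b.get("name"), b.get("direction")
        if not name:
            summary["problems"].append(f"binding of type {b.get('type')!r} has no name")
        elif name in seen_names:
            summary["problems"].append(f"duplicate binding name {name!r}")
        seen_names.add(name)
        if direction not in ("in", "out", "inout"):
            summary["problems"].append(f"binding {name!r} has invalid direction {direction!r}")
            continue
        if is_trigger(b):
            triggers.append(b)
            if direction != "in":
                summary["problems"].append(f"trigger {name!r} must have direction 'in'")
        elif direction == "in":
            summary["inputs"].append(name)
        else:  # "out" and "inout" bindings both deliver results out of the function
            summary["outputs"].append(name)

    # The rule from the slides: exactly one trigger, zero or more other bindings.
    if len(triggers) != 1:
        summary["problems"].append(f"expected exactly one trigger, found {len(triggers)}")
    else:
        summary["trigger"] = triggers[0]["type"]
    return summary


def function_json_is_valid(text: str) -> bool:
    return not summarize_bindings(text)["problems"]


if __name__ == "__main__":
    print(summarize_bindings(SAMPLE_FUNCTION_JSON))
```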
Benefits of Azure Functions

Simplified Programming Model
• Easily run small pieces of code in cloud
• Eliminate boilerplate code

Choice of Language
• C#, Java, JavaScript, Python and others
• Code each module in a different language

Pay-per-use Pricing Model
• Only pay for the time the code runs
• Quickly create prototypes at low cost

Bring Your Own Dependencies
• NPM, NuGet and other package managers

Scales Automatically
• Parallel invocation to meet demand

Open Source Code
• Contribute by suggesting changes or additional features

Docker Runtime
• Run function runtime in docker on premise or in other clouds

Serverless!!!
Azure Compute Services

• Azure Virtual Machine
• Virtual Machine Scale Sets
• Azure Containers (ACI & AKS)
• Azure App Service
• Azure Functions

Azure Virtual Machine
• Virtualize physical servers
• Azure maintains the hardware and data center
• Infrastructure as a Service (IaaS)
• You maintain/patch the OS and applications in the VM
• Manual scaling

Virtual Machine Scale Sets
• Identical, auto-scalable, load-balanced VMs
• Add or remove VMs dynamically based on demand
• Increased availability through Availability Sets using fault and update domains

Azure Containers
• Azure Container Instances (ACI)
  • Quick and simple way to run containers in Azure
  • No need to manage underlying VM or hardware
• Azure Kubernetes Service (AKS)
  • Open-source orchestration platform
  • Scaling and management of large-scale containers

Azure App Service
• Platform as a Service offering
• Deploy and host web applications or APIs to Azure
• Simplifies server management and auto-scaling

Azure Functions
• Serverless compute or Function as a Service offering
• Focus only on the code
• Event-driven programming
• Pay only when the code executes, nothing when idle
• Scales automatically
Azure Networking Services

• Virtual Network
• Subnet
• Network Security Group (NSG)
• VNET Peering
• Azure Private Link
• Azure VPN Gateway
• Azure ExpressRoute
• Azure DNS
• Azure CDN
Azure Virtual Network (VNet)

[Diagram: an Azure VNet in the Azure cloud holds a virtual machine (10.0.0.1) and a database server (10.0.0.2); the VNet has controlled internet access and access to an on-premise network]

Isolation and Segmentation: subnets to organize within the VNet.
Communication with Internet: public IP address, NAT gateways.
Communication with On-premise: Point-to-Site VPN, Site-to-Site VPN and Express Route.
Network Peering: Connect to other VNets with peering.
Integration with Azure Services: Private link and service endpoints.
Traffic Management: Network Security Groups, Azure Firewall, Route tables.
Network Monitoring: Network Watcher and Traffic Analytics
Subnet

[Diagram: Azure VNet (10.1.0.0/16) with a public subnet (10.1.1.0/24) holding an internet-facing load balancer and VMs, and a private subnet (10.1.0.0/24) holding the DB]

Segment VNet: group and organize resources
IP Address Range: should be within VNet’s range and not overlapping.
Routing in subnets: custom route table for specific use cases.
Network Security Group (NSG): filter traffic within and to/from subnet.

Common Use Cases:
• Front-end and back-end separation
• Isolating Critical Resources
• Management Subnets
Network Security Group (NSG)

[Diagram: a Network Security Group (NSG) with inbound rules and outbound rules is attached to a subnet inside an Azure VNet]

[Diagram: a workload subnet and a management subnet each carry a subnet-level NSG; a VM in the workload subnet additionally carries a VM-level NSG]
Creation of Network Security Group (NSG)

[Diagram: an NSG with inbound rules and outbound rules attached to a subnet in an Azure VNet]

Rule properties:
Name
Priority: 100 - 4096.
Source and Destination IP
Protocol and Port Range
Action: Allow or deny
NSG Default Rules

Inbound Default Rules
• AllowVnetInBound: allow within VNet
• AllowAzureLoadBalancerInBound: allow load balancer to your resources
• DenyAllInBound: deny all other

Outbound Default Rules
• AllowVnetOutBound: allow within VNet
• AllowInternetOutBound: allow outbound traffic to internet
• DenyAllOutBound: deny all other
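How the priority ordering and the default rules above decide a packet's fate, as an added example (Python written for this page, not Azure's implementation). The VNet address space, the custom rules and the traffic samples are constructed; the default rules' priorities 65000-65500 and the load balancer probe address 168.63.129.16 are Azure's published values, and the VirtualNetwork and Internet tags are simplified to "inside" and "outside" the VNet range.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed sample environment for this example.
VNET = ipaddress.ip_network("10.1.0.0/16")              # what the VirtualNetwork tag covers here
AZURE_LB_PROBE = ipaddress.ip_address("168.63.129.16")  # source of Azure load balancer health probes
CUSTOM_PRIORITY_RANGE = range(100, 4097)                # 100-4096, as on the slide


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int    # lower number is evaluated first; the first matching rule wins
    direction: str   # "Inbound" or "Outbound"
    source: str      # CIDR, "*" (any) or a service tag
    destination: str
    protocol: str    # "Tcp", "Udp" or "*"
    dest_ports: str  # "22", "80-443" or "*"
    access: str      # "Allow" or "Deny"


# The default rules from the slide. Azure fixes their priorities at 65000-65500 and they cannot
# be removed, so any custom rule (100-4096) is always evaluated before them.
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Virtual_Network", "VirtualNetwork", "*", "*", "Allow"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "AzureLoadBalancer", "*", "*", "*", "Allow"),
    Rule("DenyAllInBound", 65500, "Inbound", "*", "*", "*", "*", "Deny"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "VirtualNetwork", "VirtualNetwork", "*", "*", "Allow"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "*", "Internet", "*", "*", "Allow"),
    Rule("DenyAllOutBound", 65500, "Outbound", "*", "*", "*", "*", "Deny"),
]
# Fix the typo above so the VirtualNetwork tag matches: build the list again cleanly.
DEFAULT_RULES[0] = Rule("AllowVnetInBound", 65000, "Inbound", "VirtualNetwork", "VirtualNetwork", "*", "*", "Allow")

# Constructed custom rules: HTTPS from anywhere, SSH only from a management subnet,
# and an explicit RDP deny that overrides the AllowVnetInBound default.
CUSTOM_RULES = [
    Rule("AllowHttpsInBound", 100, "Inbound", "*", "*", "Tcp", "443", "Allow"),
    Rule("AllowSshFromMgmtInBound", 110, "Inbound", "10.1.2.0/24", "*", "Tcp", "22", "Allow"),
    Rule("DenyRdpInBound", 120, "Inbound", "*", "*", "Tcp", "3389", "Deny"),
]


def address_matches(spec: str, addr: ipaddress.IPv4Address) -> bool:
    """Match an address against a CIDR, "*" or one of the service tags used above."""
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return addr in VNET
    if spec == "Internet":  # simplified: anything outside the VNet address space
        return addr not in VNET
    if spec == "AzureLoadBalancer":
        return addr == AZURE_LB_PROBE
    return addr in ipaddress.ip_network(spec, strict=False)


def port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)


def evaluate(rules: list[Rule], direction: str, src: str, dst: str, protocol: str, port: int) -> tuple[str, str]:
    """Return (access, rule name) of the first matching rule in priority order."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    candidates = [r for r in list(rules) + DEFAULT_RULES if r.direction == direction]
    for rule in sorted(candidates, key=lambda r: r.priority):
        if (address_matches(rule.source, src_ip) and address_matches(rule.destination, dst_ip)
                and rule.protocol in ("*", protocol) and port_matches(rule.dest_ports, port)):
            return rule.access, rule.name
    return "Deny", "no matching rule"  # not reachable: the DenyAll defaults match everything


def validate_rules(rules: list[Rule]) -> list[str]:
    """Check custom rules against the constraints on the slide: priority range and action."""
    problems, seen = [], set()
    for r in rules:
        if r.priority not in CUSTOM_PRIORITY_RANGE:
            problems.append(f"{r.name}: priority {r.priority} outside 100-4096")
        if (r.direction, r.priority) in seen:
            problems.append(f"{r.name}: duplicate priority {r.priority} for {r.direction}")
        seen.add((r.direction, r.priority))
        if r.access not in ("Allow", "Deny"):
            problems.append(f"{r.name}: action must be Allow or Deny")
    return problems


if __name__ == "__main__":
    for flow in [("Inbound", "203.0.113.7", "10.1.1.4", "Tcp", 443), ("Inbound", "203.0.113.7", "10.1.1.4", "Tcp", 22)]:
        print(flow, "->", evaluate(CUSTOM_RULES, *flow))
```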
Virtual Network Peering
Azure VNET Peering

[Diagram: in the North Central region, a VNET (10.0.0.0/16, subnet 10.0.0.0/24) is connected by VNET peering to a second VNET (172.16.0.0/16, subnet 172.16.0.0/24); global peering connects it to a third VNET (192.168.0.0/20, subnet 192.168.10.0/28) in the North Europe region]

Low Latency, High Bandwidth
Seamless Connectivity
Flexibility and Simplified Management
Private Network Traffic
Global Peering
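The address-range rules from the subnet slide (ranges inside the VNet, no overlap) and the peering slide (disjoint address spaces), checked with Python's ipaddress module: an added example written for this page, not course code. The VNet and subnet ranges are the slides' values; the VNet names in the peering sample are constructed labels.

```python
from __future__ import annotations

import ipaddress
from itertools import combinations

# Values from the slides: the VNet and its public and private subnets.
SAMPLE_VNET = "10.1.0.0/16"
SAMPLE_SUBNETS = ["10.1.1.0/24", "10.1.0.0/24"]
# The three peered address spaces from the peering diagram; the VNet names are constructed labels.
PEERED_VNETS = {
    "north-central-1": ["10.0.0.0/16"],
    "north-central-2": ["172.16.0.0/16"],
    "north-europe": ["192.168.0.0/20"],
}


def parse_cidr(cidr: str):
    """Strict parse: '10.1.1.5/24' (host bits set) is rejected instead of being silently masked."""
    try:
        return ipaddress.ip_network(cidr)
    except ValueError:
        return None


def check_subnets(vnet_cidr: str, subnet_cidrs: list[str]) -> list[str]:
    """Subnets must be valid prefixes inside the VNet's range and must not overlap each other."""
    vnet = parse_cidr(vnet_cidr)
    if vnet is None:
        return [f"invalid VNet range {vnet_cidr!r}"]
    problems, subnets = [], []
    for cidr in subnet_cidrs:
        net = parse_cidr(cidr)
        if net is None:
            problems.append(f"invalid subnet range {cidr!r}")
        elif net.version != vnet.version or not net.subnet_of(vnet):
            problems.append(f"subnet {net} is outside VNet range {vnet}")
        else:
            subnets.append(net)
    for a, b in combinations(subnets, 2):
        if a.overlaps(b):
            problems.append(f"subnet {a} overlaps subnet {b}")
    return problems


def peering_conflicts(vnets: dict[str, list[str]]) -> list[str]:
    """Peered VNets need disjoint address spaces; a VNet may carry more than one range."""
    conflicts = []
    for (name_a, ranges_a), (name_b, ranges_b) in combinations(vnets.items(), 2):
        for ra in ranges_a:
            for rb in ranges_b:
                net_a, net_b = parse_cidr(ra), parse_cidr(rb)
                if net_a is None or net_b is None or net_a.version != net_b.version:
                    continue
                if net_a.overlaps(net_b):
                    conflicts.append(f"{name_a} {net_a} overlaps {name_b} {net_b}")
    return conflicts


if __name__ == "__main__":
    print(check_subnets(SAMPLE_VNET, SAMPLE_SUBNETS) or "subnets OK")
    print(check_subnets(SAMPLE_VNET, SAMPLE_SUBNETS + ["10.1.1.128/25", "10.2.0.0/24"]))
    print(peering_conflicts(PEERED_VNETS) or "peering OK")
```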
Azure Private Link
Public and Private Service Endpoints

[Diagram: app servers and web servers in subnet 192.168.10.0/24 of VNET A (192.168.0.0/16) reach a Cosmos database through its public endpoint]

Public Endpoint
• Available by default
• Allows access from anywhere
• Needs authentication credentials
• Further restrict access to IP address
• Resource exposed to Internet

[Diagram: the same app and web servers reach the Cosmos database through a private link that stays inside the Azure cloud]

Azure Private Link
• Private link to your resource
• Data flows via Backbone network
• Not exposed to the public internet
• Supports other PaaS like Storage account, event grid, etc.

https://learn.microsoft.com/en-us/azure/private-link/availability
Azure Virtual Private Network (VPN) Gateway

[Diagram: a VPN client (192.168.0.11) reaches VNET A (10.0.0.0/16) in the East US region through an encrypted P2S VPN tunnel across the public internet; the on-premise Network B (10.20.0.0/16) reaches the VPN Gateway through an encrypted S2S VPN tunnel]

• Policy-based VPN Gateway
• Route-based VPN Gateway
Azure Express Route
Need for Express Route?

[Diagram: as on the VPN Gateway slide, a VPN client (192.168.0.11) and the on-premise Network B (10.20.0.0/16) reach VNET A (10.0.0.0/16) in the East US region through encrypted P2S and S2S VPN tunnels that cross the public internet]

Azure Express Route: The Private Highway

[Diagram: the on-premise Network B (10.20.0.0/16, labelled Canada Central) reaches VNET A (10.0.0.0/16) in the Azure Europe region and Microsoft Cloud Services over an Express Route private connection: not over the public internet, more reliable, more secure]

Express Route vs VPN

Faster and More Reliable Connectivity
Higher Security
Private Connection
High Bandwidth
Scalability and Flexibility
Azure Domain Name System (DNS)
What is DNS?

[Diagram: the user asks the DNS server for a name and is directed to the server hosting www.microsoft.com]

DNS Server
Domain Name          IP Address
www.microsoft.com    20.112.23.08
www.mywebsite.com    24.123.43.12
…                    …

Azure DNS

[Diagram: the same lookup, with Azure DNS acting as the DNS server that holds the domain name to IP address records]
Azure DNS Use Cases
Simplify Domain Resolution
• DNS server
• Real-time IP change update ensuring high availability

Internal Network Management
• Private DNS for accessing internal servers

Integration with Other Azure Services
• E.g. Global routing with Traffic Manager

Public vs Private Zones
• Separate public vs private DNS
• Public – domain accessible over internet; private – internal network domain

No Domain Registration with Azure DNS
• Can’t purchase domain directly with Azure
• Azure DNS can help manage DNS records after registration with a 3rd party like GoDaddy
Azure Content Delivery Network (CDN)
Need for CDN

High latency due to long-distance data travel
Impacts user experience

How CDN works?

Caching Content
Serving Cached Content
Fetching from the Origin
Improved Performance and cost
Enhanced Security

CDN Use Cases

App users spread across geographies
Large content size
Streaming media

[Diagram: Edge Servers (Point of Presence)]
Azure Networking Services

• Azure Virtual Network (VNet)
• Subnet
• Network Security Groups (NSG)
• VNet Peering
• Azure Private Link
• VPN Gateway
• Azure ExpressRoute
• Azure DNS
• Azure CDN

Virtual Network (VNet)
• Emulate physical network within Azure
• Isolation of resources
• Enable secure communication with cloud and on-prem resources

Virtual Network Subnet
• Further segment virtual network
• E.g. Public and private subnet

Network Security Group (NSG)
• Control traffic in virtual network and subnets
• Rules for inbound and outbound traffic
• Enhance security of your network

VNet Peering
• Connect two or more virtual networks within Azure
• Unified network across different Azure regions

Azure Private Link
• Securely connect to Azure PaaS services
• Communication remains secure, not exposed to internet

Azure Virtual Private Network (VPN) Gateway
• Securely connect with On-prem infrastructure
• Encrypted tunnel over public internet using:
  • Site-to-site connection
  • Point-to-site connection

Azure Express Route
• Private connection to on-prem infrastructure
• Traffic avoids public internet
• Stable and higher bandwidth connection to on-prem infrastructure

Azure Domain Name System (DNS)
• Provides domain name resolution using Microsoft’s global infrastructure
• Create private domain for your network

Azure Content Delivery Network (CDN)
• Global network of edge servers
• Cache content closer to the users
• Reduce latency and improve performance
Azure Compute and Networking Services

1. Azure Compute Types: Containers, VMs, and Functions
Important Points to Remember for AZ-900 exam
✓ Containers provide OS-level virtualization, sharing the host OS kernel, and are lightweight compared to VMs
✓ Containers are ideal for microservices architecture, allowing multiple instances on a single host
✓ Containers provide isolated environments for applications, improving consistency across environments
✓ Virtual Machines (VMs) provide hardware-level virtualization, each running its own OS instance
✓ VMs are suited for applications requiring full control over the OS and hardware resources
✓ Azure Functions offer event-driven, serverless compute, automatically scaling based on demand
✓ Azure Functions are cost-effective for short-lived or intermittent workloads
✓ Azure Functions remove the need for infrastructure management, focusing solely on code execution
2. Virtual machine options: Virtual Machine Scale Sets, availability sets, and Virtual Desktop
✓ Azure Virtual Machine Scale Sets enable automatic scaling and load balancing of identical VMs
✓ VM Scale Sets adjust the number of VMs based on workload demand, ensuring optimal performance
✓ Availability Sets distribute VMs across multiple fault domains and update domains for high availability
✓ Availability Sets ensure that VMs are not affected by simultaneous hardware failures or maintenance
✓ Azure Virtual Desktop allows multiple users to access a shared VM, supporting remote work with cost efficiency
✓ Azure Virtual Desktop supports multi-session Windows 10/11, reducing the number of required VMs
3. Virtual machine resource requirements
✓ VM resources include CPU, memory, storage, and networking components
✓ Operating system disks and data disks are essential for VM storage needs
✓ Public and private IP addresses enable network connectivity for VMs
✓ VMs can be deployed in various sizes to meet specific workload requirements
✓ Resource groups help manage and organize VM-related resources
✓ Network Security Groups (NSGs) control inbound and outbound traffic to VMs
✓ Load Balancers distribute network traffic across multiple VMs for high availability
✓ Managed disks provide scalable and consistent storage options for VMs
4. Application hosting options: Web apps, containers, VMs
✓ Azure App Service is a PaaS offering for hosting web apps, APIs, and mobile backends
✓ Web apps on Azure App Service support multiple programming languages and frameworks
✓ Containers are lightweight and ideal for microservices architecture, providing isolated environments
✓ Azure Kubernetes Service (AKS) provides managed Kubernetes for container orchestration
✓ AKS integrates with CI/CD pipelines, enhancing deployment and scaling of containerized applications
✓ Azure Container Instances (ACI) enable quick deployment of containers without VM management
✓ Azure Virtual Machines offer full control over the OS and hardware, suitable for legacy applications
✓ VMs are preferred for applications requiring customized OS configurations and dedicated resources
5. Azure Virtual Networks: Subnets, Peering, DNS, VPN Gateway, ExpressRoute
✓ Azure Virtual Network (VNet) provides an isolated, secure environment for Azure resources
✓ Subnets within a VNet segment the network and enhance security and traffic management
✓ NSGs control traffic flow within and between subnets, enhancing network security
✓ Virtual Network Peering connects VNets, allowing seamless resource communication across regions
✓ Virtual Network Peering ensures that network traffic remains within the Microsoft backbone network
✓ Azure DNS offers domain name resolution for Azure services and external resources
✓ Azure VPN Gateway establishes secure, encrypted connections between on-premises networks and Azure
✓ ExpressRoute provides private, dedicated connections between on-premises networks and Azure, bypassing the public internet
6. Azure Public and Private Endpoints
✓ Public endpoints make resources accessible over the public internet, enhancing global reach
✓ Public endpoints are suitable for services requiring broad, public accessibility
✓ Private endpoints use Azure Private Link, connecting resources privately without traversing the internet
✓ Private endpoints ensure that internal traffic remains within the Azure backbone network
✓ Azure Private Link enhances security by isolating data flow from public exposure
✓ Private endpoints are ideal for secure, internal communications within organizations
✓ NSGs can be used to manage traffic to and from private endpoints, ensuring controlled access
✓ Azure Private Link supports private connectivity for services like Azure Storage, Azure SQL Database, and Azure Cosmos DB
Need for Cloud Storage
Problems with Traditional Storage

• Correct storage solution influences:
  • Project cost
  • Customer satisfaction
  • Application availability
  • Reliability

• Traditional storage:
  • Hard drive
  • On-prem data server

• Issues with traditional storage
  • Accessibility issues
  • Scalability
  • Security

Microsoft Azure Storage

• Microsoft Azure for storage solution

• Benefits of using Azure Storage:
  • Follows best data storage practices
  • Data security
  • Accessible from anywhere in world
  • Cheaper to store and access
  • Durability and high reliability
  • Azure handles failure
  • Fast access and low latency
Types of Data
Structured, Semi-structured and Unstructured Data

Structured
• Predefined data model adhered to specific schema
• Example: student information in a table
• Azure SQL Database

Semi-structured
• Flexible key-value structure
• Example: JSON of customer orders
• Azure Cosmos DB

Unstructured
• No specific structure
• Example: PDFs, word, images, files, etc.
• Azure Blob Storage
Azure Storage Services Overview
Azure Storage Services

• Storage account
• Access Tiers
• Redundancy

• Azure Disks

• Azure Migrate

• Azure AzCopy and FileSync

• Azure Databox
Azure Storage Account
What is Azure Storage Account?

• Digital warehouse for your data in cloud

• Store and manage various types of data

• Examples:
• Documents
• Video
• Database backup
• And more
Naming the Storage Account

• Globally unique name
• URLs to access different types of data in storage account
• Storage account name:
  • 3 to 24 characters long
  • Lowercase letters and numbers

Storage Account

[Diagram: a storage account holds BLOB containers, queues, files and tables]
Azure Storage Redundancy
Locally Redundant Storage (LRS)

[Diagram: in the primary region, a single datacenter in Availability Zone 1 holds Copy 1, Copy 2 and Copy 3 of the storage account]

• Replicates storage account 3 times within a single datacenter in primary region
• Lowest cost and least durability
• Protect against server rack and drive failures
• Data lost if Datacenter goes down
• Suitable for non-critical data requiring cost savings
Zone Redundant Storage (ZRS)

[Diagram: in the primary region, Availability Zone 1, Availability Zone 2 and Availability Zone 3 each hold one copy of the storage account in their own datacenter]

• Replicates storage account synchronously across 3 availability zones in primary region
• Protect against data center-wide disasters
• Does not protect against regional disasters
• Suitable for data that requires high availability within a region
• 99.9999999999% of durability
• Data does not leave the geographic region: recommended for data governance or compliance requirements
• Costlier than LRS

Geo Redundant Storage (GRS)

• Concept of secondary region
  • Ensure data safety when primary region goes down
  • Provides high durability
  • Forms region pairs
• GRS replicates data to a secondary region
• Protection against regional disaster
• 99.99999999999999% of durability

Geo Zone Redundant Storage (GZRS)

• Combines benefits of ZRS and GRS
• Highest durability and availability
• Data Replication:
  • Across 3 availability zones in primary region (ZRS)
  • Secondary region using LRS
• Protects against Datacenter and regional disasters
• Suitable for critical applications

Azure Storage Redundancy Options

[Diagram: LRS, ZRS, GRS, GZRS]
Azure BLOB Storage
BLOB (Binary Large OBject) Storage

[Diagram: the storage account offers BLOB containers, queues, files and tables; Container 1 holds File 1, File 2 and File 3, Container 2 holds File 4, Container 3 holds File 5 and File 6]

• Store large amount of unstructured data
• Examples of stored data:
  • Streaming video/audio
  • Files for distributed access
  • Serving images/documents directly in browser
  • Data for analysis
  • Data for archiving
  • Data for backup and restore, disaster recovery
  • Log files
  • And more…
• Containers act like folders, but no hierarchical structure
• Azure takes care of physical storage and scaling

Accessing BLOB

Access BLOB via HTTP(S) endpoint from anywhere in the world

Other ways to access BLOB

Blob Storage Access Tiers

Data Storage Cost Example

Data Transfer Cost Example
Azure Queues

[Diagram: a storage account holds Queue 1 (M1 -> M2 -> M3) and Queue 2 (MW -> MX -> MY -> MZ) alongside BLOB containers, files and tables]

• Messaging service for async communication
• Decoupled Architecture
  • Makes application more resilient
  • Queue handles communication between different parts of application
• Messages stored in the queue until processed by the receiving component
• Queue can store millions of messages (each message size – 64 KB)
• Uses HTTP/HTTPS protocol for communication
• Time-to-Live (TTL) - how long the message should remain in the queue

Azure Queues Key Components

Queue URL
Message (64 KB max)
Azure Tables

• Part of NoSQL family to store structured and semi-structured data
• Adapt quickly to changing data requirements as your solution evolves
• Key/attribute store with schema-less design
• Simpler and cheaper than traditional SQL
• Designed for high volumes of data
• Typical use cases:
  • Web-scale application data
  • Large structured data sets
  • De-normalized data storage
  • Logging and monitoring data

User Table Example

User_id  First_name  Last_name  Phone
1        Joe         Miller
2        Dave        Robin      999111

Each row is an entity; each column is an attribute, made up of an attribute key (the column name) and an attribute value.
Azure File Storage

[Diagram: a file share in the storage account is mounted using SMB or NFS by cloud VMs and by on-prem user devices or servers]

• Fully managed File Shares in cloud, just like your local OS disk
• Replace or supplement on-premise file servers, central location in cloud for your file server
• Can be mounted as Network drive on cloud VMs or on-premise devices
• Supports Server Message Block (SMB) or Network File System (NFS) protocol
• Ensures secure access with RBAC controls
• Lift-and-shift migration use case
• Azure manages the infrastructure
Azure File Sync

[Diagram: a Windows File Server on-premise keeps a bi-directional sync with Azure Files in the Azure cloud]

• Sync between On-premise File server and Azure Files
• Hybrid unified file server
• Benefits:
  • Multi-site Data Synchronization
  • Disaster Recovery and Backup
  • Capacity Management
Azure Disks

[Diagram: a virtual machine's OS disk and data disk are stored in BLOB storage]

• Persistent storage for Azure Virtual Machines
• Disk stored in Blob container of storage account
• Fully Managed by Azure, not visible to user
• Types of Disks:
  • Standard HDD
  • Standard SSD
  • Premium SSD
  • Ultra SSD
• Disk Roles:
  • Data disk
  • OS disk
  • Temporary disk
AzCopy

• How to move large data?
• Problem with manual approach:
  • Data transfer cost
  • Time consuming
• AzCopy
  • Command Line Tool
  • Move data between storage accounts, subscriptions or regions
• Key features
  • Cross region transfer
  • Cross cloud compatibility
  • Unidirectional syncing
  • Automation and scripting
  • Cloud shell integration
Azure Migrate
Azure Migrate

Figure: On-premise → Azure Cloud: Discovery → Assessment → Planning → Migration


Azure Data Box
Azure Data Box
• Problems with uploading large volume of data via internet
• Network bandwidth limitations
• Unreliable connection
• Takes days/weeks to upload

• Databox: Transfer large volume of data to and from Azure

• Process
• Order Data Box on Azure portal
• Data Box shipped to you
• Copy local data
• Ship it back to Azure
• Data uploaded to Azure account by Microsoft

• Secure way of transferring data in/out of Azure

• Use Cases:
• Initial bulk migration to Azure
• Extracting data from Azure
• Disaster Recovery and periodic backups
Azure Storage Services

• Azure Storage Account

• Storage Redundancy Options

• Azure Blob Storage

• Azure Queue Storage

• Azure Files Storage

• Azure Table Storage

• Azure Disk Storage

• Blob Storage Access Tiers

• Azure Migrate, AzCopy and File Sync

• Azure Storage Explorer

• Azure Databox

Azure Storage Account
• Central hub for storage needs
• Supports structured and unstructured data storage

Storage Account
• Azure Storage Account Redundancy

Azure BLOB Storage
• Stores massive amount of unstructured data
• Highly scalable and reliable

Azure Queue Storage
• Process messages asynchronously
• Critical service to decouple different parts of application

Azure File Storage
• Cloud alternative to on-premise file server
• Supports SMB and NFS protocols to extend your on-prem file shares

Azure Table Storage
• Store structured non relational data
• Simplicity and cost effectiveness

Azure Disk
• Standard HDD, Standard SSD, Premium SSD and Ultra SSD
• Disks stored in BLOB container of storage account managed by Azure

Access Tiers
• Hot: frequently accessed data like static website content
• Cool: less frequently accessed data like short term backups
• Cold: rarely accessed data like compliance records
• Archive: used for long-term archival, requires ‘rehydration’ to hot or cool tier

Moving Data
• Azure Migrate
• Comprehensive suite of tools for migration needs
• AzCopy
• Command line tool to transfer data between storage accounts
• Azure File Sync
• Synchronize Azure Files with on-premise file servers

Azure Storage Explorer
• Desktop application to manage storage account
• Simplifies the data transfer process from your local system

Azure Databox
• Transfer massive amount of data to/from Azure
• Bypassing constraints of network speed
Azure Storage Services: Important Points to Remember for AZ-900 exam

1. Compare Azure Storage Services
✓ Azure Storage offers Blob Storage, File Storage, Table Storage, and Queue Storage
✓ Blob Storage is optimized for storing unstructured data such as text or binary data
✓ File Storage provides fully managed file shares in the cloud accessible via SMB and NFS protocols
✓ Table Storage is a NoSQL key-value store for storing structured data without a schema
✓ Queue Storage enables reliable asynchronous messaging between application components
✓ Managed Disks offer block-level storage for Azure VMs with options like Standard HDDs, Standard SSDs, and Premium SSDs
✓ AzCopy and Azure Storage Explorer are tools for managing and transferring data within Azure Storage

2. Azure Storage Tiers
✓ Azure Blob Storage offers Hot, Cool, and Archive access tiers to optimize storage costs
✓ Hot access tier is ideal for frequently accessed data with low storage costs but higher access costs
✓ Cool access tier is suitable for infrequently accessed data stored for at least 30 days, offering lower storage costs
✓ Cool tier has higher retrieval costs compared to Hot but offers significant storage cost savings
✓ Archive access tier is designed for rarely accessed data stored for at least 180 days with the lowest storage costs and higher access costs
✓ Archive tier data must be rehydrated to access, leading to higher retrieval latency
✓ Choosing the right tier depends on data access patterns and cost considerations
✓ Switching between tiers can save costs based on data access frequency

3. Storage Redundancy Options
✓ Locally Redundant Storage (LRS) replicates data three times within a single data center
✓ Zone-Redundant Storage (ZRS) replicates data across three availability zones in a region
✓ ZRS ensures data remains available even if one availability zone fails
✓ Geo-Redundant Storage (GRS) replicates data to a secondary region, ensuring high availability and durability
✓ Geo-Zone Redundant Storage (GZRS) combines ZRS and GRS, which provides data replication across 3 availability zones in the primary region and in the secondary region using LRS
✓ Each redundancy option caters to different levels of durability and availability needs
✓ Choosing the right redundancy option depends on criticality, cost considerations, and recovery requirements

4. Storage Account Options and Storage Types
✓ General Purpose v2 accounts support all Azure Storage services: Blob, File, Table, and Queue
✓ Premium storage accounts offer high-performance options like Premium SSDs and Ultra Disks
✓ Azure Blob Storage supports Block Blobs, Append Blobs, and Page Blobs
✓ Azure Files offers managed file shares accessible via SMB and NFS
✓ Table Storage is optimized for large volumes of structured, non-relational data
✓ Managed Disk options include Standard HDD, Standard SSD, Premium SSD, and Ultra Disk
✓ Storage accounts in Azure can scale up to 5 PiB per account

5. AzCopy, Azure Storage Explorer, and Azure File Sync
✓ AzCopy is a command-line utility for transferring data to and from Azure Storage
✓ AzCopy supports high-speed, resumable file transfers for large data volumes
✓ Azure Storage Explorer provides a graphical interface for managing Azure Storage accounts
✓ Azure Storage Explorer supports cross-platform access on Windows, macOS, and Linux
✓ Azure File Sync enables synchronization of files between on-premises servers and Azure Files
✓ Azure File Sync supports caching frequently accessed files locally while tiering less accessed files to Azure
✓ Choosing the right tool depends on the data transfer size, speed requirements, and platform compatibility

6. Migration options, including Azure Migrate and Azure Data Box
✓ Azure Migrate provides tools for assessing and migrating on-premises workloads to Azure
✓ Azure Migrate provides a centralized hub for tracking and managing migration projects
✓ Azure Migrate includes server assessments, server migration, database migration, and virtual desktop migration
✓ Azure Migrate integrates with third-party tools to expand migration capabilities
✓ Azure Data Box offers offline data transfer solutions for large datasets that are impractical to move over the internet
✓ Data Box comes in various models: Data Box Disk, Data Box, and Data Box Heavy for different data sizes
✓ Azure Data Box devices are secure and support AES encryption for data protection
✓ Choosing Azure Data Box can avoid network constraints and speed up large-scale migrations


Module Overview

• Authentication vs Authorization

• Microsoft Entra ID (formerly Azure Active Directory)

• MFA, SSO and Password-less

• B2B, B2B Direct Connect and B2C

• Conditional Access

• Role Based Access Control (RBAC)

• Zero Trust

• Defense in Depth

• Microsoft Defender for Cloud


Authentication vs Authorization
Authentication vs Authorization

Authentication: “Who are you?”
• Proving that you are who you say
• Username and password
• MFA for additional security layer

Authorization: “What can you do?”
• Granting permissions and allowed actions to an authenticated party to do something
• Role Based Access Control (RBAC)
Microsoft Entra ID
Microsoft Entra ID (formerly Azure Active Directory)

• Usually, you will delegate control to users in organization


• Create users
• Create and assign permissions
• Control access to cloud resources

• Entra ID: Identity and Access Management service in Azure

• Entra ID supports authentication and authorization

• Manage User as well as Application Identities


Entra ID Features
User Management
• Create and manage user accounts

Group Management
• Organize users in groups

User Authentication
• Authentication with username and password
• Self-service password, multi-factor authentication (MFA)

Single Sign-On (SSO)


• Single set of credentials to access multiple applications and environments

Conditional Access
• Define rules to allow or deny access based on certain conditions

Guest Access
• Securely invite and manage external users
Entra ID Features
Hybrid Scenario
• Seamlessly integrate with on-premise Active Directory (AD)
• Entra ID Connect and Entra ID Connect Health

Device Management
• Manage corporate and BYOD devices in conjunction with Intune

Application Access Control


• Application identity management with Entra ID

Role Based Access Control (RBAC)


• Create and assign roles to manage granular access to resources

Application Integration
• Integrate with 3rd party applications

Azure AD B2C
• Integrate identity in your application
Hybrid Scenario

Figure: On-premise Active Directory <-- Microsoft Entra Connect --> Microsoft Entra ID
Entra ID Licenses
Entra ID Licenses Free P1 P2

• License Tiers:
• Free
• Paid Premium P1
• Paid Premium P2
Key Concepts in Azure Ecosystem
Account, Subscription, Resource Groups and Resources

Azure Account
• Your identity in Azure ecosystem
• Manage billing and subscriptions

Subscriptions
• Billing type and information
• Free, pay-as-you-go and enterprise agreement

Resource Groups
• Container for related resources
• Manage multiple resources as single unit

Resources
• Virtual Machines, Databases, Storage accounts, etc.

Azure Tenant or Directory

Figure (each level is part of the one above it): Azure Account > Tenant or Directory > Subscriptions > Resource Groups > Resources
Microsoft Entra Domain Services
Microsoft Entra Domain Services

• Challenge in hybrid environment:


• Identity stored in on-premise Active Directory (AD)
• How to move to cloud Entra ID identity management without managing additional infrastructure?

• Microsoft Entra Domain Services:


• Enable On-premise AD features Domain Join, Group Policy, LDAP, Kerberos, etc.
• Domain controllers hosted and managed by Azure
Microsoft Entra Domain Services

• Microsoft Entra Domain Services features


• Same credentials
• Consistent policies
• Seamless access
• Enhanced security
• No new credentials
• Migrating legacy applications
Microsoft Entra Domain Services

• How does Microsoft Entra Domain Services work?


• Azure provisions two Windows Server domain controllers
• Fully managed by Azure
Azure Authentication Services

Single Sign-On | Multi-Factor Authentication | Password-less Authentication
Single Sign On (SSO)
Single Sign On (SSO)

• One set of credentials for multiple applications

• Stay authenticated in all apps until session expires

• Enhances productivity and user experience

• Reduces password-related security breaches

• Simplifies user off-boarding process

• SSO only handles authentication, and NOT authorization
Multi-Factor Authentication (MFA)
Multi-Factor Authentication (MFA)

• Problems with single factor authentication:


o Passwords can be stolen, leaked or guessed
o Passwords are difficult to manage

• At least 2 of 3 factors:
o Something you know
▪ Password, passphrase, security question
o Something you have
▪ Authenticator Apps, USB Keys, OTP
o Something you are
▪ Biometrics like facial recognition or fingerprint

• Example:
o Password + OTP Code sent to mobile
o Password + Fingerprint

• MFA makes it challenging for attackers to compromise


Azure Passwordless
Azure Passwordless

• Problems with passwords:


o Security Risks
o Inconvenience
o Multifactor Complexity

• 3 main passwordless methods:


o Windows Hello
▪ Ties identity to a trusted device
▪ Authenticate using PIN, facial recognition and fingerprint
▪ Eliminates repetitive logins

o Authenticator Apps
▪ Mobile-based sign-in using an installed app on user phone
▪ Push notification
▪ Additional security layer
o Security Keys
▪ Physical security device
▪ Authentication through the key

Benefits of Passwordless
o Better Security
o Improved User Experience
o Less Administrative Overhead
External Identities in Azure
External Identities Scenario

B2B B2B Direct Connect B2C


B2B Collaboration
B2B Collaboration

• Share access to your Azure apps and resources to external organizations or users

• Benefits:
o Controlled Access
▪ Assign roles and permissions
o Invitation or Self Sign-up
▪ Ease of onboarding
o Security and Compliance
▪ Secured and monitored access

Figure: invitation → onboarding → Assign Roles
B2B Direct Connect
B2B Direct Connect

• Extension to B2B Collaboration model

• Useful in scenario where external partners have their own Entra ID environment

• Establish mutual trust between two directories

• Key features and benefits:
o Mutual Trust
o Seamless Access
o No Guest User Representation
o Efficient Collaboration

• Example use case: Shared Microsoft Teams Channel

Figure: Guest Entra ID <-- Mutual Trust / External Access --> My Entra ID
B2C
B2C

• Customer-facing applications

• E.g. Online services, E-commerce platforms, etc.

• Key features and benefits:
o Customizable User Experience
o Industry Protocol Support
o Built-in Support for Multiple Identity Providers
o Self-service Capabilities
o Multi-Factor Authentication (MFA) Support

B2C Use Case
Microsoft Entra Conditional Access
Microsoft Entra Conditional Access

• Policy-based decision to control access to your resources

• Evaluate risk at every access attempt

• Example: Enable MFA for certain group of users based on location
Conditional Access Signals

Signal Examples

• User or group membership

• Location

• Device

• Application

• Real-time Sign-in Risk detection

• User risk
Conditional Access Action and Enforcement

Action

• Allow access

• Require additional verification

• Block access

• Limited access

• Enforce password or device compliance policies
Conditional Access Available in Paid Tier
Conditional Access Sample Scenario
Routine Logins
• Condition: Employee login from company office using company-issued laptop
• Action: Low risk, allow access

Login from a Different Country or Unfamiliar Network
• Condition: Employee travels to a different country and logs in from that country
• Action: Additional verification with MFA

Login from New Device or BYOD


• Condition: Employee login from a different device or a personal device
• Action: Additional verification with MFA

Inactive Account
• Condition: Login attempt from an account inactive from past 6 months
• Action: Additional verification with MFA

High-Risk Behavior
• Condition: Employee trying to reset password multiple times or trying to access critical app from outside network
• Action: Reset password or require MFA
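The five sample scenarios above, expressed as a small policy engine that evaluates the sign-in signals and returns the action to enforce. This is an added Python example, not course material and not Microsoft's Conditional Access engine: the signal fields, the home country, the critical-app list, the 6-month inactivity threshold and the block-on-high-sign-in-risk rule are all assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class SignIn:
    """Signals available at the moment of an access attempt (constructed)."""
    user: str
    country: str            # country the request originates from
    network: str            # "corp" (office network) or "public"
    device: str             # "corp-laptop", "byod" or "unknown"
    device_compliant: bool  # device passes the device compliance policy
    application: str
    sign_in_risk: str       # real-time sign-in risk: "low", "medium" or "high"
    last_sign_in: str       # ISO date of the previous successful sign-in
    password_resets_24h: int = 0


# Assumed organisation settings (not from the slides).
HOME_COUNTRY = "US"
CORP_DEVICE = "corp-laptop"
CRITICAL_APPS = {"payroll", "admin-portal"}
INACTIVE_AFTER = timedelta(days=180)   # "inactive from past 6 months"

# Actions ordered from least to most restrictive. When several policies
# match one sign-in, the most restrictive action wins.
SEVERITY = {"allow": 0, "require_mfa": 1, "reset_password": 2, "block": 3}


def is_inactive(s, today):
    last = date.fromisoformat(s.last_sign_in)
    return date.fromisoformat(today) - last > INACTIVE_AFTER


# One (name, condition, action) entry per sample scenario on the slide,
# plus an assumed block rule for a high real-time sign-in risk.
POLICIES = [
    ("routine-login",
     lambda s, t: s.country == HOME_COUNTRY and s.network == "corp"
                  and s.device == CORP_DEVICE and s.device_compliant,
     "allow"),
    ("foreign-country", lambda s, t: s.country != HOME_COUNTRY, "require_mfa"),
    ("new-or-byod-device",
     lambda s, t: s.device != CORP_DEVICE or not s.device_compliant,
     "require_mfa"),
    ("inactive-account", is_inactive, "require_mfa"),
    ("high-risk-behaviour",
     lambda s, t: s.password_resets_24h >= 3
                  or (s.application in CRITICAL_APPS and s.network != "corp"),
     "reset_password"),
    ("high-sign-in-risk", lambda s, t: s.sign_in_risk == "high", "block"),
]


def evaluate(s, today):
    """Evaluate every policy against the signals of one sign-in.

    Returns (action, names of the policies that matched). If nothing
    matches, the sign-in is allowed, so the policy set has to be complete:
    a scenario nobody wrote a policy for is silently let through.
    """
    matched = [(name, action) for name, cond, action in POLICIES if cond(s, today)]
    if not matched:
        return "allow", []
    action = max((a for _, a in matched), key=SEVERITY.__getitem__)
    return action, [name for name, _ in matched]


if __name__ == "__main__":
    today = "2024-06-01"
    samples = {  # constructed sign-ins, one per scenario
        "office": SignIn("alice", "US", "corp", "corp-laptop", True, "mail", "low", "2024-05-31"),
        "travel": SignIn("alice", "FR", "public", "corp-laptop", True, "mail", "low", "2024-05-31"),
        "dormant": SignIn("bob", "US", "corp", "corp-laptop", True, "mail", "low", "2023-10-01"),
        "risky": SignIn("carol", "US", "public", "byod", False, "payroll", "low", "2024-05-31", 4),
        "compromised": SignIn("dan", "US", "corp", "corp-laptop", True, "mail", "high", "2024-05-31"),
    }
    for label, s in samples.items():
        print(f"{label:12s} -> {evaluate(s, today)}")
```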
Role Based Access Control (RBAC)
Role Based Access Control (RBAC)

• Handles Authorization in Azure

• New User created in Entra ID has no default authorization

• 'Who can access what and what actions they can perform on it'
Key Components of RBAC

Security Principal
• Who is being given access
• Users, Group, Service Principals (applications)

Role
• What actions can be performed
• Collection of permissions
• Built-in Roles (Owner, Contributor, Reader, SQL DB Contributor, etc.)
• Custom Roles

Scope
• Level at which role applies
• Management group, subscription, resource group, resources
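The three components working together: an access check that resolves the security principal (user plus groups), finds the assignments whose scope covers the target, and tests the role's permissions. This is an added Python example, not from the course and not Azure's RBAC implementation; the cut-down role definitions, directory groups, assignments and path-style scopes are constructed.

```python
from fnmatch import fnmatchcase

# Simplified versions of three built-in roles (assumption: the real
# definitions carry more NotActions and DataActions). A role permits its
# Actions minus its NotActions; "*" is a wildcard, as in Azure role definitions.
ROLES = {
    "Owner":       {"actions": ["*"], "not_actions": []},
    "Contributor": {"actions": ["*"],
                    "not_actions": ["Microsoft.Authorization/*/Write",
                                    "Microsoft.Authorization/*/Delete"]},
    "Reader":      {"actions": ["*/read"], "not_actions": []},
}

# Constructed directory: a group is a security principal in its own right.
GROUPS = {"sre-team": {"alice", "bob"}}

# Role assignments: (security principal, role, scope). Scopes are hierarchical
# paths: management group > subscription > resource group > resource.
ASSIGNMENTS = [
    ("alice",    "Reader",      "/mg/contoso/sub/prod"),
    ("sre-team", "Contributor", "/mg/contoso/sub/prod/rg/web"),
    ("carol",    "Owner",       "/mg/contoso"),
]


def principals_for(user):
    """A user acts as themself plus every group they belong to."""
    return {user} | {g for g, members in GROUPS.items() if user in members}


def scope_covers(assignment_scope, target_scope):
    """A role assigned at a scope is inherited by every child scope."""
    return target_scope == assignment_scope or target_scope.startswith(assignment_scope + "/")


def role_permits(role, action):
    """Operation names are case-insensitive; NotActions subtract from Actions."""
    r, a = ROLES[role], action.lower()
    allowed = any(fnmatchcase(a, p.lower()) for p in r["actions"])
    denied = any(fnmatchcase(a, p.lower()) for p in r["not_actions"])
    return allowed and not denied


def check_access(user, action, target_scope):
    """Azure RBAC is additive: access is granted if ANY applicable assignment
    permits the action. A principal with no assignment at all (a brand-new
    Entra ID user, for instance) gets nothing, which is the slide's
    'no default authorization' point."""
    mine = principals_for(user)
    return any(role_permits(role, action)
               for principal, role, scope in ASSIGNMENTS
               if principal in mine and scope_covers(scope, target_scope))


def explain(user, action, target_scope):
    """List the assignments that grant the action, as an access review would."""
    mine = principals_for(user)
    return [(principal, role, scope) for principal, role, scope in ASSIGNMENTS
            if principal in mine and scope_covers(scope, target_scope)
            and role_permits(role, action)]


if __name__ == "__main__":
    VM = "/mg/contoso/sub/prod/rg/web/res/vm1"
    READ_VM = "Microsoft.Compute/virtualMachines/read"
    WRITE_VM = "Microsoft.Compute/virtualMachines/write"
    GRANT = "Microsoft.Authorization/roleAssignments/write"
    for user, action in [("dave", READ_VM), ("alice", READ_VM), ("alice", WRITE_VM),
                         ("bob", GRANT), ("carol", GRANT)]:
        print(f"{user:6s} {action:48s} {check_access(user, action, VM)} {explain(user, action, VM)}")
```

Note that the Contributor at the resource group can change the VM but cannot grant roles, while the Owner assigned at the management group can, because that assignment is inherited all the way down.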
Zero Trust
Zero Trust Methodology
Zero Trust Core Principles

Verify Explicitly
• All access is untrusted
• Continuous verification with all available data points
• Data points like identity, location, device, service, etc.

Least Privileged Access
• Just Enough access – only necessary permissions for the task
• Just-in-time access – access for limited time
• Adapt access based on need to reduce potential risks

Assume Breach
• Assume threats are already in the system
• Prevent lateral movement of the attacker
• Encryption, network segmentation and monitoring
Zero Trust Pillars
Defense in Depth
Defense in Depth

Physical Security

Identity Management

Perimeter Security

Network Security

Compute Security

App Security

Data Security
Microsoft Defender for Cloud
Microsoft Defender for Cloud
Unified Monitoring
• Supports Azure, on-premise and other cloud providers
• Aggregate actionable data in a centralized tool

Built-in Security
• Automated Monitoring: Already integrated and requires minimum configuration
• Secured by default

Assessment and Recommendation


• Continuous Evaluation: security score to understand the security posture
• Actionable Recommendation: steps to improve the security score with prioritized recommendation

Threat Protection and Alerts


• Advanced Threat Detection: identify potential breaches and suspicious activities
• Alerts and Notifications: Real-time alerts about threats

Comprehensive Security Posture


• Dashboard and compliance: detailed view of security posture and compliance status
• Improve posture: address security gaps with actions tailored for your organization
Managed Identity
Managed Identity

• Allows services to securely access other Azure services

• No need to store credentials

• Prevents secret management problem
• Hardcoded credentials
• Exposure risk

• Managed Identity handles the authentication

• Types:
• System assigned
• User assigned

Figure: Virtual Machine --(Assigned to)--> Managed Identity --(Has access to)--> Storage Account
Azure Identity, Access and Security Services: Important Points to Remember for AZ-900 exam

1. Azure Directory Services – Entra ID and Entra ID Domain Services
✓ Microsoft Entra ID (Azure AD) is a comprehensive identity and access management service
✓ Entra ID enables policy creation and management for secure user access and collaboration
✓ Entra ID integrates both cloud and on-premises directories for unified authentication
✓ You can configure Single Sign-On (SSO) for both cloud-based and on-premises applications
✓ Entra ID supports B2B collaboration, enabling secure access for external users
✓ Azure AD B2C allows customers to sign up, sign in, and manage profiles using social accounts
✓ Entra Domain Services provides domain services like domain join, group policy, LDAP, and Kerberos

2. Azure Authentication Methods – SSO, MFA and Passwordless
✓ SSO allows users to sign in once and access multiple resources with the same credentials
✓ SSO improves user experience by reducing the need to remember multiple passwords
✓ MFA requires more than one form of verification, enhancing security
✓ Azure AD/Entra ID supports various MFA methods such as app-generated codes, text messages, and biometric data
✓ Entra ID integrates MFA with Conditional Access for comprehensive security
✓ Conditional Access policies enforce MFA based on specific conditions like location and device
✓ Passwordless authentication involves alternative methods like biometric scans and hardware tokens
✓ Passwordless authentication reduces the reliance on passwords, mitigating related security risks

3. Azure External Identities – B2B and B2C
✓ External identities can be used to collaborate with partners, vendors, and other stakeholders
✓ External identities enhance security by providing a structured way to manage non-employee access
✓ B2B and B2C ensure seamless and secure interaction with external users
✓ Entra ID B2B allows external users to access resources securely as guests in your directory
✓ B2B collaboration grants controlled access to specific resources without compromising security
✓ B2C enables customer identity management, allowing customers to sign up and sign in using social accounts
✓ Azure AD B2C supports various identity providers, including Microsoft, Google, and Facebook
✓ Policies can be created to manage the behaviors and access of B2C users

4. Microsoft Entra Conditional Access
✓ Conditional Access is central to enforcing identity-driven security controls
✓ Conditional Access provides dynamic and adaptive security solutions for diverse scenarios. It helps safeguard against unauthorized access by requiring additional verification
✓ Conditional Access uses if-then logic to enforce access controls based on identity signals
✓ It evaluates signals such as user identity, location, device, and risk level
✓ Admins can configure policies to apply specific conditions for resource access
✓ Policies can require MFA, restrict access to trusted devices, and block access from untrusted sources

5. Azure Role Based Access Control (RBAC)
✓ RBAC manages access to Azure resources by assigning roles to users, groups, and service principals
✓ RBAC ensures users have only the necessary access for their roles, enhancing security
✓ RBAC simplifies access management across large and dynamic environments
✓ Roles define a set of permissions that users inherit when assigned those roles
✓ Roles can be customized to meet specific organizational requirements
✓ Permissions assigned at the resource group level are inherited by all resources within that group

6. Concept of Zero Trust
✓ Zero Trust enhances security by minimizing assumptions of trust within the network
✓ Zero Trust assumes no device or user is inherently trusted, regardless of location
✓ It requires continuous authentication and verification for each access request
✓ The model focuses on securing access to resources dynamically based on context
✓ It uses policies to define access permissions, ensuring strict compliance and security
✓ Zero Trust integrates identity verification, access management, and threat protection
✓ Entra ID, Conditional Access, and MFA are key components of Zero Trust

7. Defense in Depth Model
✓ Defense-in-depth involves multiple layers of security controls to safeguard data and systems
✓ Layers include physical security, identity and access management, perimeter security, network security, compute security, application security and data security
✓ Each layer provides redundant protection, ensuring that vulnerabilities in one layer do not compromise the entire system
✓ The model provides comprehensive security by addressing threats at various points within the IT environment

8. Microsoft Defender for Cloud
✓ Microsoft Defender for Cloud provides unified security management and threat protection
✓ Microsoft Defender for Cloud enhances the security of cloud, hybrid, and multi-cloud environments
✓ It offers advanced threat analytics and continuous security assessments
✓ The service helps identify vulnerabilities and provides actionable recommendations
✓ The tool includes features for proactive threat detection and incident response
✓ It integrates with Azure services and on-premises resources for comprehensive protection
✓ Defender for Cloud delivers a secure score to track and improve security posture
✓ It ensures compliance with security standards and best practices
Factors Affecting Cloud Cost
Factors Affecting Cloud Cost

Physical Infrastructure → Cloud
• Managed services availability
• CapEx → OpEx

Reserving Resources
• 1- or 3-year term
• Heavy discount for longer terms

Subscription Type
• Free with credit, Pay-as-you-go
• Always Free service tier

Data Storage Access Tiers
• Hot, Cool and Archive tier consumption

Resource Type
• CPU? OS type? Redundancy options?
• Higher performance → More cost

Network Traffic
• Free Inbound within same region
• Paid – outbound and across different regions

Region
• Resource cost differs by region
• E.g. VM cost for East US vs Europe region

Azure Marketplace
• Pre-built solution from 3rd party vendors
• Vendor cost + Azure Cost
Reducing Cloud Cost
Reducing Cloud Cost

• Perform cost analysis

• Set spending limits

• Use reserved instances

• Take advantage of spot pricing

• Deallocate and delete unused resources

• Shift from IaaS to PaaS

• Consider low-cost regions

• Stay updated on offers and discounts


Azure Resource Tags
Azure Resource Tags

• Like social media tags, but for cloud resources

• Categorize and track resources

• Tag is name-value pair assigned to resources

• Multiple tags per resource

• How to apply tags?


• Azure Portal
• Azure CLI and PowerShell
• ARM and REST APIs

• Benefits of tags
• Cost Allocation
• Resource Management
• Cost Reporting and Optimization
• Security and Access Control
Azure Cost Management: Important Points to Remember for AZ-900 exam

1. Factors affecting cost in Azure
✓ Deploying additional servers in a cloud environment is generally less expensive than on-premises deployments
✓ Azure offers a pay-as-you-go pricing model, which is considered OpEx
✓ The cost of services can vary between regions due to local infrastructure costs and demand
✓ Data transfer costs between regions incur charges, while inbound data transfers to Azure are free
✓ Resource type and configuration, usage meters, and region impact the cost of Azure resources
✓ Pricing models such as reserved instances and pay-as-you-go influence cost
✓ Capital expenditure (CapEx) and operating expenditure (OpEx) are treated differently in terms of cloud expenses

2. Pricing calculator and Total Cost of Ownership (TCO) calculator
✓ The Pricing Calculator provides a granular estimate of individual service costs, while the TCO Calculator assesses overall migration costs
✓ The Azure Pricing Calculator estimates the future cost of specific Azure services based on projected usage
✓ The TCO Calculator can show potential cost savings over time by migrating workloads to Azure
✓ The Azure TCO Calculator helps compare the cost of running workloads on Azure versus on-premises
✓ The TCO Calculator considers various factors such as hardware expenses, electricity usage, data center costs, and IT labor
✓ Both calculators are essential for budgeting and planning cloud adoption
✓ Neither the Pricing Calculator nor the TCO Calculator requires an Azure account to access

3. Cost management capabilities in Azure
✓ Azure Cost Management helps in monitoring, allocating, and optimizing cloud spending
✓ It provides detailed reports and insights on resource usage and costs
✓ It allows tracking costs at different scopes like subscriptions, resource groups, and management groups
✓ Users can set budgets and create alerts to notify when spending exceeds thresholds
✓ Cost Management supports tagging, which helps organize and track costs by different groups or categories
✓ Azure Advisor offers recommendations to optimize the cost-effectiveness, security, and performance of resources
✓ Cost Management includes tools for viewing and downloading detailed usage data
✓ Budget alerts and cost analysis help in proactive cost control and prevention of unexpected expenses

4. Purpose of tags in Azure
✓ Tags consist of name-value pairs applied to resources, resource groups, and subscriptions
✓ Tags help in organizing and categorizing resources for better management
✓ They enable tracking and reporting of costs associated with different groups or projects
✓ Tags do not automatically propagate to child resources within a resource group
✓ Tags can be used for billing, operational management, security, and compliance purposes
✓ They provide flexibility in creating custom metadata for resource identification and grouping
✓ Tags help in optimizing costs by identifying underutilized or unused resources
Azure Policies

Set of rules that ensure consistency and maintain order

Why need a Policy?
• Regulatory Compliance
• Cost Control
• Security and Consistency
• Non-Destructive Compliance

Real-World Examples of Azure Policies
• Restricting Regions
• Enforcing Tagging
• Controlling VM Configurations
• Security Baselines

Main Components of an Azure Policy
• Policy Definitions
  • Rules in JSON format
• Initiatives
  • Group of policies
• Scopes and Assignments
  • Assign to management groups, subscriptions or resource groups
• Built-in and Custom Policies
• Policy Effects
  • Deny
  • Audit
  • Append
  • DeployIfNotExists
  • AuditIfNotExists
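The slide lists "Restricting Regions" and "Enforcing Tagging" as real-world uses; the custom policy definition below, an added example that is not part of the course slides, combines both in one JSON policy rule with the Deny effect. The region list, the tag name and the display name are constructed placeholders; the "global" exclusion mirrors what the built-in Allowed locations policy does so that region-less resources are not blocked.

```json
{
  "properties": {
    "displayName": "Deny resources outside allowed regions or without a required tag",
    "policyType": "Custom",
    "mode": "Indexed",
    "description": "Constructed example combining the 'Restricting Regions' and 'Enforcing Tagging' cases from the slides.",
    "parameters": {
      "allowedLocations": {
        "type": "Array",
        "metadata": { "displayName": "Allowed locations (placeholder values)" },
        "defaultValue": [ "westeurope", "northeurope" ]
      },
      "requiredTag": {
        "type": "String",
        "metadata": { "displayName": "Tag that every resource must carry (placeholder)" },
        "defaultValue": "costCenter"
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              { "field": "location", "notIn": "[parameters('allowedLocations')]" },
              { "field": "location", "notEquals": "global" }
            ]
          },
          {
            "field": "[concat('tags[', parameters('requiredTag'), ']')]",
            "exists": "false"
          }
        ]
      },
      "then": { "effect": "deny" }
    }
  }
}
```

Assigned at a management group or subscription scope, this blocks any new deployment that violates either condition; changing "deny" to "audit" keeps the same rule but only flags non-compliant resources, which is the non-destructive compliance mode the slide mentions.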
Azure Locks

• Protect critical resources from accidental deletion and modification
• Useful when multiple people have access to the resource

Types of Locks
• Delete
  • Can read and modify, but NOT delete
• Read-Only
  • Can read, but NOT modify or delete

• Lock can be applied at subscription, resource group or resource level
• Locks are inherited
• Multiple locks can be applied

Microsoft Purview Benefits

• Enhanced Data Visibility
• Streamlined Compliance
• Data Governance and Security
• Increased Efficiency

Important Points to Remember for AZ-900 exam
1. Purpose of Microsoft Purview in Azure
✓ Microsoft Purview provides a unified data governance solution, helping manage and discover data across on-premises, multi-cloud, and SaaS environments
✓ The platform provides a comprehensive view of data assets, enhancing visibility and governance across an organization's data estate
✓ It helps organizations classify, label, and protect data to ensure compliance with regulatory requirements
✓ It offers tools for enhanced data collaboration by enabling the discovery and sharing of trusted data sources across teams. It integrates with other Azure services to provide a holistic data management and governance strategy
✓ Purview assists in tracking data lineage and conducting impact analysis by visualizing data flow and understanding its origins and dependencies
✓ Purview helps in meeting regulatory compliance requirements by providing features to classify and manage data
✓ Microsoft Purview also helps in implementing and managing data policies to ensure data protection and compliance

Important Points to Remember for AZ-900 exam
2. Purpose of Azure Policy
✓ Azure Policy allows you to create, assign, and manage policies to enforce organizational standards and assess compliance at scale
✓ It evaluates resources against defined rules to ensure they adhere to corporate compliance requirements
✓ Policies can be used to enforce specific configurations and settings for resources, such as tagging, resource types, and regional restrictions
✓ Azure Policy helps in maintaining resource consistency, regulatory compliance, security, cost management, and efficient governance
✓ It can prevent the creation of non-compliant resources by setting rules with the 'Deny' effect
✓ Policies can also assist in remediating existing resources to bring them into compliance automatically
✓ Users can create custom policies using JSON if built-in policies do not meet specific requirements

Important Points to Remember for AZ-900 exam
3. Purpose of Azure Resource Locks
✓ Resource locks protect critical resources from accidental deletions or modifications
✓ There are two types of locks: Read-only and Delete
✓ Read-only allows viewing but not modifying or deleting resources, while Delete prevents deletion but allows modifications
✓ Locks can be applied at different levels, including subscriptions, resource groups, and individual resources
✓ Locks are inherited by all resources within a parent resource group, ensuring comprehensive protection
✓ Even if a user has permissions, actions restricted by a lock (e.g., deletion) require the lock to be removed first
✓ A resource can have multiple locks, and the most restrictive lock applies in case of conflicts
✓ Locks do not prevent access control changes but ensure that critical resource configurations remain unchanged unless explicitly unlocked
✓ Resource locks help maintain the integrity and stability of essential services by preventing unintended disruptions

Azure Arc

• Manage resources spread across different cloud providers and on-premises infrastructure
• Single pane of glass for managing your entire IT estate
• Connects non-Azure resources to Azure Resource Manager (ARM)
• Arc-enabled servers
  • Server appears in Azure portal
  • Apply policies similar to native Azure servers
• Visualize all resources in one console
• Seamless DevOps integration
• Free to use

Infrastructure as Code (IaC)

• Using code to manage cloud resources
• E.g., a pre-written template that automates the creation of resources on a trigger
• Foundational for modern DevOps
• Templates are declarative and support formats such as JSON, XML, etc.
• Core principle: idempotency
• Quickly mirror an Azure environment
• Teams can use CI/CD tools and manage infrastructure as source code
• Consistent deployment reducing human error by eliminating manual configuration
• IaC can help resolve potential misconfigurations

Azure Resource Manager (ARM)

• Core deployment and management service for all resources in Azure
• Handles resource creation, updates and deletions regardless of method (CLI, PowerShell, REST, Portal, SDK)
• E.g., deploying 100 VMs consistently or a complex web application with dependencies

ARM Benefits

• Unified management
• Role-based access control (RBAC)
• Multi-region deployment
• Incremental and complete deployment
• Dependency handling
• Blueprint support

ARM Templates

Important Points to Remember for AZ-900 exam
1. Azure Portal
✓ Azure Portal provides a web-based graphical user interface (GUI) for managing Azure resources
✓ Accessible from any device with a web browser, including Windows, macOS, Linux, and mobile devices
✓ Users can deploy, manage, and monitor Azure services using the portal
✓ Offers real-time notifications for deployments and other activities
✓ Supports the creation of custom dashboards for an organized view of resources
✓ Integrates with various management tools such as Azure CLI and Azure PowerShell
✓ Facilitates access to third-party virtual machines and services through the Azure Marketplace

Azure Resource Management
Important Points to Remember for AZ-900 exam
2. Azure Cloud Shell - Command-Line Interface (CLI) and PowerShell
✓ Azure Cloud Shell provides a browser-based shell environment accessible through the Azure Portal
✓ No installation required; tools and modules are pre-configured and available within the Cloud Shell environment
✓ Offers an authenticated and interactive shell experience
✓ It supports both Bash and PowerShell for managing Azure resources
✓ Requires a storage account to persist files across sessions
✓ Users can run Azure CLI and PowerShell commands to manage resources
✓ Accessible from various devices, including laptops and tablets running different operating systems

Important Points to Remember for AZ-900 exam
3. Purpose of Azure Arc
✓ Azure Arc extends Azure management capabilities to on-premises, multi-cloud, and edge environments
✓ Allows unified management of resources such as servers, Kubernetes clusters, and databases from a single platform
✓ Enables governance with Azure Policy and Blueprints across different environments
✓ Supports hybrid and multi-cloud strategies, enhancing flexibility and scalability
✓ Improves visibility, control, and security for resources across various infrastructure setups

Important Points to Remember for AZ-900 exam
4. Infrastructure as Code (IaC)
✓ Infrastructure as Code (IaC) allows managing and provisioning infrastructure through code
✓ IaC enables version control and automated provisioning, ensuring consistency and repeatability
✓ Promotes practices such as automated testing and continuous integration (CI/CD)
✓ Enables consistent replication of infrastructure configurations, crucial for disaster recovery
✓ Modules in IaC represent reusable and independent sets of resources for streamlined management
✓ IaC approaches include declarative (e.g., ARM templates, Bicep) and imperative (e.g., PowerShell scripts)
✓ Bicep offers a simpler syntax compared to ARM template JSON files for defining resources
✓ ARM templates provide a declarative way to define infrastructure and configuration

Important Points to Remember for AZ-900 exam
5. Azure Resource Manager (ARM) and ARM Templates
✓ Azure Resource Manager (ARM) is the deployment and management service for Azure
✓ ARM supports infrastructure as code (IaC), allowing automated, repeatable and consistent deployments
✓ ARM enables resource group settings, tagging, and securing resources after deployment
✓ ARM templates are JSON files that define the desired state of Azure resources declaratively
✓ Templates can deploy multiple resources in a single file, not requiring separate templates per resource
✓ ARM templates can be deployed via various tools: Azure Portal, PowerShell, CLI, SDKs, and REST API

Azure Advisor

• Personalized recommendations based on best practices
• Free

Recommendation Categories

• Cost – how to minimize cost
• Operational Excellence – maximize efficiency of existing deployments
• Performance – improve performance and throughput
• Security – improve security and combat threats
• Reliability – ensure apps and data remain available for use

Azure Monitor

• Visibility into your environment
• Supports multi-cloud and hybrid setups
• E.g. CPU utilization of your virtual machine over time

Types of data collected by Azure Monitor

• Metrics
  • Numerical measurements about the resource
  • E.g. CPU utilization, memory consumption, etc.
  • Understand resource behavior and make informed decisions

• Logs
  • Textual records that track events and activities in your environment
  • E.g. error messages, security events, application traces, etc.
  • Useful for troubleshooting during security breaches and other events

Azure Monitor

• Data can be collected from varied sources
• All data aggregated into a central hub

Azure Monitor Features

• Visualizations and dashboards
• Run analytical queries
• Alerts
Application Insights

• Monitoring for Web Apps in Azure
• Metrics and KPIs about your Web Apps
• Deployment ways:
  • Software Development Kit (SDK)
  • App Insights agent
• Telemetry examples:
  • Response rate
  • Page load performance
  • Number of user visits
  • User demographic details
  • User geography details
  • And more

Application Insights – Feature Rich Dashboard

Application Insights – Application Map

Important Points to Remember for AZ-900 exam
1. Purpose of Azure Advisor
✓ Azure Advisor provides actionable recommendations to help optimize and reduce costs associated with Azure account usage
✓ Evaluates resource configurations and offers insights aimed at enhancing cost-efficiency, security, reliability, operational excellence, and performance
✓ Delivers personalized recommendations for all subscriptions, allowing users to apply filters for specific subscriptions, resource groups, or services
✓ Integrates with Microsoft Defender for Cloud to offer comprehensive security recommendations
✓ Azure Advisor is available for free and does not incur additional charges
✓ Provides a cloud score to assess how well-architected workloads are and offers step-by-step guidance for remediation

Azure Monitoring Tools
Important Points to Remember for AZ-900 exam
2. Azure Service Health
✓ Azure Service Health provides information about Azure service incidents, planned maintenance, and notifications via Email, SMS, and push notifications
✓ Allows users to analyze health issues, monitor cloud resource impact, receive guidance, and share incident details
✓ Provides updates on Azure service disruptions and scheduled maintenance
✓ Helps in staying informed with customizable cloud alerts and personalized dashboards
✓ Encompasses Azure Status, Service Health, and Resource Health to keep users informed about Azure service health
✓ Does not offer preventative measures against failures, only notifications and updates
✓ Delivers comprehensive incident reports and root cause analyses (RCAs) for transparency and understanding

Important Points to Remember for AZ-900 exam
3. Azure Monitor – Log Analytics, Monitor Alerts, Application Insights
✓ Azure Monitor collects and centralizes logs, metrics, and events from various resources into a single dashboard. Supports data collection from multiple sources including applications, operating systems, and networks
✓ Supports monitoring on Azure, on-premises, and third-party cloud environments
✓ Log Analytics Workspace is used to collect log and metric data from various Azure resources
✓ Centralizes data storage for detailed analysis, visualizations, and alerting
✓ Provides detailed visibility into application performance and infrastructure health
✓ Enables running queries, viewing graphs, and creating alerts based on the collected data
✓ Facilitates setting up alerts for specific events or conditions to ensure proactive management
✓ Offers operational scaling through automated actions and real-time performance monitoring

