MICROSOFT AZURE FUNDAMENTALS AZ-900
AZURE ARCHITECTURE AND SERVICES
CORE ARCHITECTURAL COMPONENTS OF AZURE
Azure accounts
Physical infrastructure
• The physical infrastructure for Azure starts with datacenters.
• Conceptually, the datacenters are the same as large corporate
datacenters. They’re facilities with resources arranged in racks, with
dedicated power, cooling, and networking infrastructure.
Regions
• A region is a geographical area on the planet that contains at
least one, but potentially multiple datacenters that are nearby
and networked together with a low-latency network.
• When you deploy a resource in Azure, you'll often need to
choose the region where you want your resource deployed.
Availability Zones
• Availability zones are physically
separate datacenters within an
Azure region.
• Each availability zone is made up
of one or more datacenters
equipped with independent
power, cooling, and networking.
• An availability zone is set up to
be an isolation boundary. If one
zone goes down, the other
continues working.
Region pairs
• Most Azure regions are paired with
another region within the same
geography (such as US, Europe, or
Asia) at least 300 miles away.
• This approach allows for the
replication of resources across a
geography that helps reduce the
likelihood of interruptions because
of events such as natural disasters,
civil unrest, power outages, or
physical network outages that
affect an entire region.
Sovereign Regions
Sovereign regions are instances of Azure that are isolated from the main instance of Azure. You may need to use a sovereign region for compliance or legal purposes.
Example: US DoD Central, US Gov Virginia, US Gov Iowa, China East, China North
Azure management infrastructure
Azure Resources and Resource Groups
• A resource is the basic building block
of Azure. Anything you create,
provision, deploy, etc. is a resource.
Virtual Machines (VMs), virtual
networks, databases, cognitive
services, etc. are all considered
resources within Azure.
• Resource groups are simply groupings
of resources. When you create a
resource, you’re required to place it
into a resource group. While a
resource group can contain many
resources, a single resource can only
be in one resource group at a time.
Azure Subscriptions
• In Azure, subscriptions are a unit of
management, billing, and scale.
• Using Azure requires an Azure
subscription. A subscription provides
you with authenticated and
authorized access to Azure products
and services.
Azure Management Groups
• Azure management groups provide a level of scope above
subscriptions. You organize subscriptions into containers
called management groups and apply governance
conditions to the management groups.
• If you have many subscriptions, you might need a way to
efficiently manage access, policies, and compliance for
those subscriptions.
Management Group, Subscriptions, and Resource Group Hierarchy
• You can build a flexible structure of management groups and subscriptions to
organize your resources into a hierarchy for unified policy and access
management.
AZURE COMPUTE AND NETWORKING SERVICES
Azure compute services
Azure compute is an on-demand computing service that provides computing resources such as disks, processors, memory, networking, and operating systems.
Azure Virtual Machines
Azure Virtual Machines (VM) are
software emulations of physical
computers.
• Includes virtual processor,
memory, storage, and networking.
• IaaS offering that provides total
control and customization.
Virtual Machine Scale Sets
Scale sets provide a load-balanced
opportunity to automatically scale
resources.
• Scale out when resource needs
increase.
• Scale in when resource needs are
lower.
Virtual Machine Availability sets
Availability sets are designed to ensure that VMs stagger updates and have varied
power and network connectivity, preventing you from losing all your VMs with a
single network or power failure.
Azure Virtual Desktop
Azure Virtual Desktop is a desktop and app virtualization service that runs in the cloud.
• Create a full desktop virtualization environment without having to run additional
gateway servers.
• Azure Virtual Desktop works across devices and operating systems and works
with apps that you can use to access remote desktops or most modern
browsers.
• True multi-session deployments.
Azure Container Services
Azure containers provide a lightweight, virtualized environment that does not require operating system management and can respond to changes on demand.
Azure Functions
• Azure Functions is an event-driven, serverless
compute option that doesn’t require
maintaining virtual machines or containers.
• Functions are commonly used when you need
to perform work in response to an event
(often via a REST request), timer, or message
from another Azure service, and when that
work can be completed quickly, within
seconds or less.
Azure App Services
Azure App Services is a fully managed platform to
build, deploy, and scale web apps and APIs quickly.
• Works with .NET, .NET Core, Node.js, Java, Python,
or PHP.
• PaaS offering with enterprise-grade performance,
security, and compliance requirements.
Azure Networking Services
Azure Virtual Private Network Gateway
A virtual private network (VPN) uses an encrypted tunnel within another
network. VPNs are typically deployed to connect two or more trusted private
networks to one another over an untrusted network (typically the public
internet).
Azure ExpressRoute
Azure ExpressRoute lets you extend your on-premises networks into the
Microsoft cloud over a private connection, with the help of a connectivity
provider. This connection is called an ExpressRoute Circuit. This allows you to
connect offices, datacenters, or other facilities to the Microsoft cloud.
AZURE DNS
Reliability and performance: DNS domains in Azure DNS are hosted on Azure's global
network of DNS name servers, providing resiliency and high availability.
Security: Azure DNS is based on Azure Resource Manager, enabling role-based access control, monitoring, and logging.
Ease of Use: Azure DNS is integrated in the Azure portal and uses the same credentials,
support contract, and billing as your other Azure services.
Customizable virtual networks with private domains: allow you to use private, fully
customized domain names in your private virtual networks.
Alias records: Azure DNS supports alias record sets that point directly to an Azure resource.
Azure Storage Services
Azure Storage Account
• A unique namespace for your Azure Storage data which can be accessed over HTTP and HTTPS.
Standard General Purpose V2
Premium Block Blobs
Premium File Shares
Premium Page Blobs
Azure Storage Redundancy
Azure Storage Services
AZURE STORAGE ACCESS TIERS
Hot: Optimized for storing data that is accessed frequently.
Cool: Optimized for storing data that is infrequently accessed and stored for at least 30 days.
Cold: Optimized for storing data that is infrequently accessed and stored for at least 90 days.
Archive: Optimized for storing data that is rarely accessed and stored for at least 180 days with flexible latency requirements.
Azure Migrate
A service that helps you migrate from an on-premises environment to the cloud.
Unified migration platform.
Range of integrated and standalone tools, including Azure Migrate: Discovery and assessment and Azure
Migrate: Server Migration.
Assessment and migration.
Azure Data Box
• A physical migration service that helps transfer large amounts of data.
• Store up to 80 terabytes of data.
• Migrate data to Azure from remote locations with limited or no connectivity.
• The entire process is tracked end-to-end by the Data Box service in the Azure portal.
AZURE FILE MOVEMENT OPTIONS
AzCopy
• Command line utility to copy blobs or files to or from your storage account.
• Used to upload files, download files, and copy files between storage accounts.
Azure Storage Explorer
• GUI like Windows Explorer.
• Uses AzCopy on the backend to perform all the file and
blob management tasks.
Azure File Sync
• Synchronizes Azure and on-premises files in a bidirectional manner.
• You can use any protocol that's available on Windows
Server to access your data locally.
Identity, Access, and Security
Microsoft Entra
Microsoft Azure’s cloud-based identity and access management service.
Provides features like authentication, SSO, application management, and device management.
Microsoft Entra Domain Services
• Benefit of cloud-based domain services without managing domain controllers.
• Run legacy applications (that can’t use modern authentication standards) in the cloud.
Azure Authentication Methods
• Multifactor authentication
• Passwordless authentication
External Identities B2B
• Collaborate with external users by letting them use their preferred identity to sign in to your Microsoft applications or other enterprise applications (SaaS apps, custom-developed apps, etc.).
External Identities B2C
• Publish modern SaaS apps or custom-developed apps (excluding Microsoft apps) to consumers and customers, while
using Azure AD B2C for identity and access management.
Conditional Access
• A tool that Microsoft Entra ID uses to allow (or deny) access to resources based on identity signals.
• These signals include who the user is, where the user is, and what device the user is requesting access from.
• It also provides a more granular multifactor authentication experience for users.
Role-Based Access Control
• RBAC is a mechanism that can help you manage who can access your Azure resources.
• Segregate duties within the team and grant only the amount of access to users that they need to perform their jobs.
• Enables access to the Azure portal and controlling access to resources
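The management group, subscription, and resource group hierarchy and the RBAC points above, as an added example (not part of the original slides): a simplified Python model of how a role assignment made at one scope is inherited by every scope beneath it, plus a check for privileged roles granted at broad scope. The ids, principals, and the single-level subscription-to-management-group mapping are constructed assumptions.

```python
# Simplified model of Azure RBAC scope inheritance (added example, not Azure's own code).
# Every id, principal and assignment below is constructed sample data.
MG_PREFIX = "/providers/Microsoft.Management/managementGroups/"
PRIVILEGED = {"Owner", "Contributor", "User Access Administrator"}
SUB_PARENT = {"sub-prod": "mg-corp", "sub-dev": "mg-corp"}  # subscription -> management group

ASSIGNMENTS = [  # (principal, built-in role, scope the role was assigned at)
    ("alice", "Owner", MG_PREFIX + "mg-corp"),
    ("bob", "Reader", "/subscriptions/sub-prod"),
    ("carol", "Contributor", "/subscriptions/sub-dev/resourceGroups/rg-web"),
]


def scope_chain(resource_id):
    """Scopes a resource inherits role assignments from, broadest first."""
    parts = resource_id.strip("/").split("/")
    if len(parts) < 2 or parts[0].lower() != "subscriptions":
        raise ValueError("expected an id under /subscriptions/<id>")
    chain = []
    if parts[1] in SUB_PARENT:
        chain.append(MG_PREFIX + SUB_PARENT[parts[1]])
    chain.append("/subscriptions/" + parts[1])
    if len(parts) >= 4 and parts[2].lower() == "resourcegroups":
        chain.append("/" + "/".join(parts[:4]))
        if len(parts) > 4:
            chain.append("/" + "/".join(parts))
    return chain


def effective_roles(resource_id, assignments=ASSIGNMENTS):
    """(principal, role, granting scope) for each assignment that reaches the resource."""
    chain = {s.lower() for s in scope_chain(resource_id)}  # resource ids are case-insensitive
    return [(p, r, s) for p, r, s in assignments if s.lower() in chain]


def broad_grants(assignments=ASSIGNMENTS):
    """Privileged roles assigned above resource-group scope: least-privilege review candidates."""
    return [(p, r, s) for p, r, s in assignments
            if r in PRIVILEGED and "/resourcegroups/" not in s.lower()]


if __name__ == "__main__":
    vm = "/subscriptions/sub-dev/resourceGroups/rg-web/providers/Microsoft.Compute/virtualMachines/vm1"
    for row in effective_roles(vm):
        print(row)
    print("review:", broad_grants())
```

Running it shows that the management-group Owner assignment reaches a VM two levels down, while the subscription-level Reader on a different subscription does not.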
Zero Trust Model
• A security model that assumes the worst-case scenario and protects resources with that expectation.
Defense-in-depth
• A defense-in-depth strategy uses a series of mechanisms to prevent an attack that aims at acquiring unauthorized access to data.
• A layered approach to securing computer systems
• Provides multiple levels of protection
• Attacks against one layer are isolated from subsequent layers
THANK YOU