Study Guide for AZ-900
This is my study guide for the AZ-900 exam. I hope that it will help some aspiring developers and techies get a firmer grasp of these concepts and land the cert. The guide follows the structure of the Microsoft Learn online courses exactly, as updated in 2021.
This part contains general knowledge about cloud computing, e.g. the benefits of cloud, the different types of cloud service offerings, and the differences between cloud deployment models.
Technological benefits of cloud:
High Availability — The major cloud providers (Azure, AWS, GCP) have multiple data centers spread throughout the world. Data and code stored in the cloud are copied to more than one data center. If anything happens to one data center, the data can be recovered from another.
Fault Tolerance — In case there is any fault in the application or infrastructure, the service can continue to work by moving the work to other healthy servers.
Disaster Recovery — The data in the cloud can also be copied to other regions, e.g. from West US to East US. If a natural disaster hits West US and every data center there goes down, the data centers in East US will still have a copy of the data.
Scalability — The application running in the cloud can expand when there are more users in the system and shrink when there are fewer. Users can also schedule automatic shutdown during non-business hours to save money.
Scaling vertically increases compute capacity by adding RAM or CPUs to a virtual machine.
Scaling horizontally increases compute capacity by adding instances of resources, such as adding VMs to the configuration.
Business benefits of cloud
Agility — Cloud allows the business to deliver IT systems to customers faster. The machines in the cloud are ready for users to spin up when needed and shut down when they are no longer required.
Economies of scale — Cloud is a shared pool of machines and services. As the number of customers grows, the cloud providers can lower the cost or increase the quality of the services.
Capital Expenditure (CapEx) vs Operational Expenditure (OpEx) — Building a data center requires a large capital investment for hardware as well as the facility. A data center also requires ongoing electricity and staff costs to operate. By using the cloud, the capital expenditure for building a data center is not required.
Consumption-based model (pay-as-you-go) — The cloud users only pay for what they need, by the duration they need.
Types of cloud service offerings
IaaS (Infrastructure as a Service) — In this offering, the cloud provider offers bare-bones infrastructure in a managed data center, such as virtual machines or file storage. The cloud provider takes care of the physical infrastructure, e.g. data center security or hardware repair, while the cloud users take care of server maintenance. For example, Azure VM allows the users to spin up new virtual machines of any size.
PaaS (Platform as a Service) — The cloud provider takes care of the servers. The cloud users only need to bring in application code or data. For example, Azure SQL Database is a service fully managed by Azure: the users do not need to (and cannot) access anything beyond their data.
SaaS (Software as a Service) — The cloud providers will take care of both servers and code. The cloud users only need to configure the software to suit their needs. For example, Office 365 allows the users to use Microsoft Office software suite.
Differences in cloud deployment model:
Public Cloud — When a company runs all of its servers in the cloud provider’s data centers.
Private Cloud — When a company runs all of its servers in its own data center, replicating the cloud services there, e.g. offering self-service components.
Hybrid Cloud — When a company runs some of its servers in its own data center and some in the public cloud.
Subscriptions and Management
Top Level Organization and Components
1. Management Groups
2. Subscriptions
3. Resource Groups
4. Resources
Management groups: These groups help you manage access, policy, and compliance for multiple subscriptions. All subscriptions in a management group automatically inherit the conditions applied to the management group.
Subscriptions: A subscription groups together user accounts and the resources that have been created by those user accounts. For each subscription, there are limits or quotas on the amount of resources that you can create and use. Organizations can use subscriptions to manage costs and the resources that are created by users, teams, or projects.
Resource groups: Resources are combined into resource groups, which act as a logical container into which Azure resources like web apps, databases, and storage accounts are deployed and managed. When you delete a resource group, all the resources inside it are deleted as well.
Resources: Resources are instances of services that you create, like virtual machines, storage, or SQL databases.
You may want to make additional subscriptions for the purpose of separating:
- Environments: When managing your resources, you can choose to create subscriptions to set up separate environments for development and testing, security, or to isolate data for compliance reasons. This design is particularly useful because resource access control occurs at the subscription level.
- Organizational structures: You can create subscriptions to reflect different organizational structures. For example, you could limit a team to lower-cost resources, while allowing the IT department a full range. This design allows you to manage and control access to the resources that users provision within each subscription.
- Billing: You might want to also create additional subscriptions for billing purposes. Because costs are first aggregated at the subscription level, you might want to create subscriptions to manage and track costs based on your needs. For instance, you might want to create one subscription for your production workloads and another subscription for your development and testing workloads.
Regions and Availability
Regions: A region is a geographical area on the planet that contains at least one but potentially multiple datacenters that are nearby and networked together with a low-latency network.
- 5 geographies, each with 2 or more regions
- There are 50+ regions in total, available in 140+ countries
- There can be many data centers in a single region
- There are 3 regions reserved for the US Gov and contractors!
Pairing: Each Azure region is paired with a backup region. This is a backup for all of the infrastructure in that region.
Availability Zones: Availability zones are physically separate datacenter units within an Azure region. They are made up of one or more datacenters. They have independent networking, cooling, etc., as well as the ability to stagger upgrades so that the zone stays up even if an upgrade goes wrong.
Azure APIs + Resource Manager
Azure Resource Manager is the deployment and management service for Azure. It provides a management layer that enables you to create, update, and delete resources in your Azure account. You use management features like access control, locks, and tags to secure and organize your resources after deployment.
This part contains the introduction to different service offerings in Azure for each service category.
Cosmos DB: Globally available database built on Azure. Relational or non-relational data.
- Globally distributed
- Schema-less (NoSQL)
- Stores data in ARS (atom-record-sequence) format
Azure SQL Database: Azure SQL Database is a relational database based on the latest stable version of the Microsoft SQL Server database engine.
- Relational DB
- Upgrading, patching, backups, and monitoring are handled without user involvement.
- Has a migration tool that allows you to migrate existing databases more quickly
Azure SQL Managed Instance: Azure SQL Managed Instance is a scalable cloud data service that provides the broadest SQL Server database engine compatibility with all the benefits of a fully managed platform as a service.
- Broader SQL Server compatibility, with a few fewer managed features.
- Better for tricky migrations
Azure Database for MySQL: Azure Database for MySQL is a relational database service in the cloud, and it’s based on the MySQL Community Edition database engine, versions 5.6, 5.7, and 8.0.
Azure Database for PostgreSQL is a managed PostgreSQL instance. There are three pricing tiers: Basic, General Purpose, and Memory Optimized. Each tier offers different resource capabilities to support your database workloads.
Azure SQL Data Warehouse: runs complex queries on giant data sets.
Azure Data Migration Service: migrates databases from on-premises to the cloud.
Big Data & Analytics
Azure Synapse Analytics: basic analytics service that brings together enterprise data warehousing and big data analytics. You can query data on your terms by using either serverless or provisioned resources at scale.
Azure HDInsight: Platform for running analytics tools like Spark, Hadoop and Kafka in Azure.
Azure Databricks: a more streamlined dashboard for building AI solutions.
Azure Data Lake Analytics: Big data storage.
Azure Virtual Machines: a VM running on a hypervisor with its own OS, processor, storage, and networking.
VM Scale Set: Identical VMs running in the same scale set. Automatically adds identical VMs. Used for large-scale deployments.
Azure App Service: PaaS for when you only want to deploy an API or a backend application. Web apps, API apps, webJobs, Mobile apps. App Service enables you to build and host web apps, background jobs, mobile back-ends, and RESTful APIs in the programming language of your choice without managing infrastructure.
Container Services (Docker, etc.) and Orchestration Services: Azure Container Instances is a resource that essentially just runs your container. Azure Kubernetes Service is a managed group of containers which can then be monitored/modified by Azure.
Serverless computing is the abstraction of servers, infrastructure, and operating systems. With serverless computing, Azure takes care of managing the server infrastructure and the allocation and deallocation of resources based on demand. Infrastructure isn’t your responsibility. Scaling and performance are handled automatically. You’re billed only for the exact resources you use.
Azure Functions: Pay as you go code execution environment. Functions can execute code in almost any modern language.
- Abstraction of servers
- Event driven scale
Azure Logic Apps: Logic apps are designed in a web-based designer and can execute logic triggered by Azure services without writing any code.
- Write the workflow using a GUI
- Execute a workflow, e.g. when a request for service comes in on Zendesk, send the ticket to IT, etc.
Windows Virtual Desktop on Azure is a desktop and application virtualization service that runs on the cloud. It enables your users to use a cloud-hosted version of Windows from any location. Windows Virtual Desktop works across devices like Windows, Mac, iOS, Android, and Linux. It works with apps that you can use to access remote desktops and apps. You can also use most modern browsers to access Windows Virtual Desktop-hosted experiences.
- Uses AD for access management
- Uses azure alerts to manage alerts
- Host pools are groups of VMs with the same config for multiple users
- Multi-session Windows 10: a VM allowing multiple users to use a single VM. Wow!
Storage: Structured, semi-structured, and unstructured data. All of these start from a storage account resource.
Azure Blob Storage: Azure Blob Storage is an object storage solution for the cloud. It can store massive amounts of data, such as text or binary data. Azure Blob Storage is unstructured, meaning that there are no restrictions on the kinds of data it can hold. Blob Storage can manage thousands of simultaneous uploads, massive amounts of video data, constantly growing log files, and can be reached from anywhere with an internet connection.
Disk Storage: Disk Storage provides disks for Azure virtual machines. Persistent, unstructured storage. There is the data disk (persistent) and the OS disk (not persistent).
File Storage: Azure Files offers fully managed file shares in the cloud that are accessible via the industry standard Server Message Block and Network File System (preview) protocols. Azure file shares can be mounted concurrently by cloud or on-premises deployments of Windows, Linux, and macOS.
Archive Storage: Industry leading price point for storing rarely accessed data
Data Lake Storage: Azure Data Lake Analytics is an on-demand analytics job service that simplifies big data.
Virtual Network (VNet): Core component of the private network. Enables resources to communicate. Has an address space like 126.96.36.199/16. Segmented into subnets. Resources like VMs are assigned to subnets, but can communicate across the whole network. Other resources can be deployed to a subnet, like networking components (firewalls, VPN gateways) and data components (SQL Managed Instance, even App Services). Resources in one VNet can’t communicate with other VNets, except through VNet peering. VNets can communicate outward, but cannot be reached from outside unless you assign a public IP.
Connecting Azure resources together: You’ll want to enable Azure resources to communicate securely with each other. You can do that in one of two ways:
- Virtual Networks: Virtual networks can connect not only VMs but other Azure resources, such as the App Service Environment for Power Apps, Azure Kubernetes Service, and Azure virtual machine scale sets.
- Service endpoints: You can use service endpoints to connect to other Azure resource types, such as Azure SQL databases and storage accounts. This approach enables you to link multiple Azure resources to virtual networks to improve security and provide optimal routing between resources.
Connecting to On-prem Resources: Azure virtual networks enable you to link resources together in your on-premises environment and within your Azure subscription. In effect, you can create a network that spans both your local and cloud environments. There are three mechanisms for you to achieve this connectivity:
- Point-to-site virtual private networks: This approach is like a virtual private network (VPN) connection that a computer outside your organization makes back into your corporate network, except that it’s working in the opposite direction. In this case, the client computer initiates an encrypted VPN connection to Azure to connect that computer to the Azure virtual network.
- Site-to-site virtual private networks: A site-to-site VPN links your on-premises VPN device or gateway to the Azure VPN gateway in a virtual network. In effect, the devices in Azure can appear as being on the local network. The connection is encrypted and works over the internet.
- Azure ExpressRoute: For environments where you need greater bandwidth and even higher levels of security, Azure ExpressRoute is the best approach. ExpressRoute provides dedicated private connectivity to Azure that doesn’t travel over the internet. (You’ll learn more about ExpressRoute in a separate unit later in this module.)
Routing Network Traffic: By default, Azure routes traffic between subnets on any connected virtual networks, on-premises networks, and the internet. You also can control routing and override those settings, as follows:
- Route tables: A route table allows you to define rules about how traffic should be directed. You can create custom route tables that control how packets are routed between subnets.
- Border Gateway Protocol: Border Gateway Protocol (BGP) works with Azure VPN gateways or ExpressRoute to propagate on-premises BGP routes to Azure virtual networks.
Connecting VNets Together: You can link virtual networks together by using virtual network peering. Peering enables resources in each virtual network to communicate with each other. These virtual networks can be in separate regions, which allows you to create a global interconnected network through Azure.
UDR is User-Defined Routing. UDR is a significant update to Azure’s virtual networks, as it allows network admins to control the routing tables between subnets within a VNet as well as between VNets, thereby allowing greater control over network traffic flow.
VPN Gateway: A VPN gateway is a type of virtual network gateway. Azure VPN Gateway instances are deployed in Azure Virtual Network instances and enable the following connectivity:
- Connect on-premises datacenters to virtual networks through a site-to-site connection.
- Connect individual devices to virtual networks through a point-to-site connection.
- Connect virtual networks to other virtual networks through a network-to-network connection.
Policy based or Route-based Gateways: When you deploy a VPN gateway, you specify the VPN type: either policy-based or route-based. The main difference between these two types of VPNs is how traffic to be encrypted is specified. In Azure, both types of VPN gateways use a pre-shared key as the only method of authentication. Both types also rely on Internet Key Exchange (IKE) in either version 1 or version 2 and Internet Protocol Security (IPSec). IKE is used to set up a security association (an agreement of the encryption) between two endpoints. This association is then passed to the IPSec suite, which encrypts and decrypts data packets encapsulated in the VPN tunnel.
ExpressRoute: Connectivity can be from an any-to-any (IP VPN) network, a point-to-point Ethernet network, or a virtual cross-connection through a connectivity provider at a colocation facility. ExpressRoute connections don’t go over the public Internet. This allows ExpressRoute connections to offer more reliability, faster speeds, consistent latencies, and higher security than typical connections over the Internet. For information on how to connect your network to Microsoft using ExpressRoute, see ExpressRoute connectivity models.
Load Balancer: balances traffic, internal and external (internet-facing). Public load balancers:
VPN Gateway: encrypted tunnel between networks and machines, on-premises, etc.
Application Gateway: web-only load balancer. Can do SSL termination, autoscaling, session affinity, and HTTP header rewriting. Includes a WAF (web application firewall).
Content Delivery Network: caches HTML and CSS, as well as blob storage and media files. The origin server’s content is cached on an edge server, e.g. xyz.azureedge.net.
Networking a hybrid network: Use a VPN Gateway, deployed to an individual machine in a subnet. You can use ExpressRoute, but you’ll need your own device for a site-to-site VPN. A point-to-site connection can connect a single machine to the VPN.
Network Security Group: attach NSGs to an individual subnet. They contain security rules controlling the traffic. Sort of like a simple firewall.
ExpressRoute: Connect your on-prem resources to cloud resources. https://docs.microsoft.com/en-us/learn/modules/azure-networking-fundamentals/express-route-fundamentals
Common Network Setup Example: VNET, Network Security Group, App Gateway, and 2 VMs, along with the disk resource for vms, storage account to store disks + network interfaces to associate VMs with Vnet.
- VNet shows the range of addresses. Subnets for the VMs, for the app gateway, and for management. DNS servers are configured here as well.
- NSG: one per Vnet. defines the traffic that’s allowed. Allowed from load balancer to any VM, Allowed from anywhere in Vnet to anywhere in vnet.
- App gateway: Has a public IP address. Has a DNS name label (appgatewayexample.cloudapp.azure.com) static IP address so you can add more gateways as needed.
Internet of Things (IoT)
Azure IoT Hub: central message hub for IoT devices
IoT Central: SaaS to monitor and manage IoT devices
Azure Sphere: microchip with security/authentication built in; an end-to-end solution
Azure ML service: machine learning service to build models
ML Studio: visual ML model builder GUI
Azure CLI and Management Tools
If you have Windows experience, use Azure PowerShell; if not (Linux experience), use the Azure CLI. Use the mobile app for continued connectivity, and use ARM templates to quickly duplicate or scale infrastructure (set up duplicate resources, etc.).
An Azure service for deploying ready-to-use services provided by Azure or third parties.
This section is a hypothetical example running you through the tools you would use if you were the IT department of a fictional company called Tailwind Traders, for application development, hosting, and reporting using the Azure tools + resources.
For Machine learning + AI, Tailwind Traders should use Azure Machine Learning for decision support systems, Cognitive Services for data analysis, and Bot Service for interactive chat experiences.
For their DevOps and development process, Tailwind should use Azure DevOps to manage the application development lifecycle, GitHub to contribute to open-source software, and Azure DevTest Labs to manage testing environments.
For monitoring and reporting, Tailwind should use Azure Advisor, Azure Monitor, and Azure Service Health.
For making changes to resources, Tailwind should use the Azure portal to visually understand and manage their cloud environment, Azure PowerShell or the Azure CLI for one-off administrative tasks, and the Azure mobile app to manage Azure on the go. They can also use ARM templates to deploy an entire cloud infrastructure.
Security Center + Tools
Security Center is a monitoring service that provides visibility of your security posture across all of your services, both on Azure and on-premises. The term security posture refers to cybersecurity policies and controls, as well as how well you can predict, prevent, and respond to security threats. You can also view your compliance status here.
Azure Sentinel is Microsoft’s cloud-based SIEM system. It uses intelligent security analytics and threat analysis. A SIEM system aggregates security data from many different sources (as long as those sources support an open-standard logging format). It also provides capabilities for threat detection and response. This is used for large scale security efforts across many resources + subscriptions. Workbooks can be used to create a visual canvas for security reporting.
Azure Key Vault is a centralized cloud service for storing an application’s secrets in a single, central location. It provides secure access to sensitive information by providing access control and logging capabilities. You can use it to manage passwords and API keys that you do not want exposed to the internet.
The Defense in Depth (DID) model describes the layers of defense of your application’s resources. Each of these layers has different strategies that can be used to increase security posture. Security posture is an organization’s ability to protect from and respond to security threats. The layers of defense are as follows:
- The physical security layer is the first line of defense to protect computing hardware in the datacenter.
- The identity and access layer controls access to infrastructure and change control.
- The perimeter layer uses distributed denial of service (DDoS) protection to filter large-scale attacks before they can cause a denial of service for users.
- The network layer limits communication between resources through segmentation and access controls.
- The compute layer secures access to virtual machines.
- The application layer helps ensure that applications are secure and free of security vulnerabilities.
- The data layer controls access to business and customer data that you need to protect.
DDoS Protection: Every property in Azure is protected by Azure’s infrastructure DDoS (Basic) Protection at no additional cost. The scale and capacity of the globally deployed Azure network provides defense against common network-layer attacks through always-on traffic monitoring and real-time mitigation.
Azure Firewall is a managed, cloud-based network security service that helps protect resources in your Azure virtual networks. A virtual network is similar to a traditional network that you’d operate in your own datacenter. It’s a fundamental building block for your private network that enables virtual machines and other compute resources to securely communicate with each other, the internet, and on-premises networks.
Network security group: enables you to filter network traffic to and from Azure resources within an Azure virtual network. You can think of NSGs like an internal firewall. An NSG can contain multiple inbound and outbound security rules that enable you to filter traffic to and from resources by source and destination IP address, port, and protocol.
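To make the rule processing concrete, here is an added example (not from this guide or from Microsoft) that simulates how an NSG evaluates inbound traffic: rules are checked from the lowest priority number upward, the first match wins, and the three built-in default rules (AllowVnetInBound, AllowAzureLoadBalancerInBound, DenyAllInBound) at priorities 65000 to 65500 are what "allowed from the load balancer to any VM" and "allowed from anywhere in the VNet" in the setup notes above refer to. The VNet range, the custom rules and the sample flows are constructed; the service-tag handling is a simplification of what Azure does.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    priority: int   # custom rules use 100-4096; the lowest number is checked first
    access: str     # "Allow" or "Deny"
    protocol: str   # "Tcp", "Udp" or "*"
    source: str     # CIDR/IP, "*" or one of the service tags modelled below
    dest: str
    port: str       # "443", "1000-2000" or "*"


# Constructed address space for the example VNet.
VNET = ipaddress.ip_network("10.0.0.0/16")

# Service tags modelled for this example. Real NSGs expand tags to Azure-maintained
# prefix lists; AzureLoadBalancer does resolve to the documented probe address 168.63.129.16.
SERVICE_TAGS = {
    "VirtualNetwork": [VNET],
    "AzureLoadBalancer": [ipaddress.ip_network("168.63.129.16/32")],
    "Internet": None,  # modelled here as "any address outside the VNet"
}


def addr_matches(selector, ip):
    """True if the rule's source/destination selector covers the address."""
    if selector == "*":
        return True
    if selector in SERVICE_TAGS:
        nets = SERVICE_TAGS[selector]
        if nets is None:
            return not any(ip in n for n in SERVICE_TAGS["VirtualNetwork"])
        return any(ip in n for n in nets)
    return ip in ipaddress.ip_network(selector)


def port_matches(selector, port):
    """True if the rule's port selector ("*", single port or lo-hi range) covers the port."""
    if selector == "*":
        return True
    if "-" in selector:
        lo, hi = selector.split("-")
        return int(lo) <= port <= int(hi)
    return int(selector) == port


# The three default inbound rules every NSG carries, with their real priorities.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "AzureLoadBalancer", "*", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*", "*"),
]

# Constructed custom rules: open HTTPS to the internet, and explicitly refuse SSH from
# the internet so the intent is visible rather than relying on DenyAllInBound alone.
CUSTOM_RULES = [
    Rule("AllowHttpsFromInternet", 100, "Allow", "Tcp", "Internet", "*", "443"),
    Rule("DenySshFromInternet", 200, "Deny", "Tcp", "Internet", "*", "22"),
]


def evaluate(rules, src_ip, dst_ip, protocol, port):
    """Return (access, rule name) of the first matching rule, lowest priority number first.

    The default rules are always appended, so a flow that matches nothing else
    ends at DenyAllInBound: deny by default.
    """
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in sorted(rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if r.protocol not in ("*", protocol):
            continue
        if addr_matches(r.source, src) and addr_matches(r.dest, dst) and port_matches(r.port, port):
            return r.access, r.name
    raise AssertionError("unreachable: DenyAllInBound matches every flow")


if __name__ == "__main__":
    flows = [
        ("203.0.113.5", "10.0.1.4", "Tcp", 443),   # internet -> VM, HTTPS
        ("203.0.113.5", "10.0.1.4", "Tcp", 22),    # internet -> VM, SSH
        ("10.0.2.7", "10.0.1.4", "Tcp", 22),       # another subnet in the VNet -> VM, SSH
        ("168.63.129.16", "10.0.1.4", "Tcp", 80),  # load balancer health probe
    ]
    for f in flows:
        print(f, "no custom rules:", evaluate([], *f), "| with custom rules:", evaluate(CUSTOM_RULES, *f))
```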
General Security Rules
Secure the perimeter layer: The perimeter layer is about protecting your organization’s resources from network-based attacks. Identifying these attacks, alerting the appropriate security teams, and eliminating their impact are important to keeping your network secure. To do this:
- Deny by default: Restrict inbound internet access and limit outbound where appropriate.
- Implement secure connectivity to on-premises networks.
Combine services: You can combine Azure networking and security services to manage your network security and provide increased layered protection. Here are two ways you can combine services:
- Network security groups and Azure Firewall: Azure Firewall complements the functionality of network security groups. Together, they provide better defense-in-depth network security.
- Azure Application Gateway web application firewall and Azure Firewall: Web application firewall (WAF) is a feature of Azure Application Gateway that provides your web applications with centralized, inbound protection against common exploits and vulnerabilities.
This part covers the security Azure provides for its services as well as Azure’s commitment to privacy and regulatory compliance. Understanding who is using your systems and what they have permission to do is critical to keeping your data safe from attackers. To stay organized, manage costs, and meet your compliance goals, you need a good cloud governance strategy.
Learn how Azure can help you secure access to cloud resources, what it means to build a cloud governance strategy, and how Azure adheres to common regulatory and compliance standards.
Authentication and Authorization
Authentication: Authentication is the process of establishing the identity of a person or service that wants to access a resource. It involves the act of challenging a party for legitimate credentials and provides the basis for creating a security principal for identity and access control. It establishes whether the user is who they say they are.
Authorization: Authentication establishes the user’s identity, but authorization is the process of establishing what level of access an authenticated person or service has. It specifies what data they’re allowed to access and what they can do with it.
Azure Identity Services: Azure AD helps users access both external and internal resources. External resources might include Microsoft Office 365, the Azure portal, and thousands of other software as a service (SaaS) applications. Internal resources might include apps on your corporate network and intranet, along with any cloud applications developed within your organization.
Azure Active Directory (Azure AD) provides identity services that enable your users to sign in and access both Microsoft cloud applications and cloud applications that you develop. You also learn how Azure AD supports single sign-on (SSO).
When you secure identities on-premises with Active Directory, Microsoft doesn’t monitor sign-in attempts. When you connect Active Directory with Azure AD, Microsoft can help protect you by detecting suspicious sign-in attempts at no extra cost. For example, Azure AD can detect sign-in attempts from unexpected locations or unknown devices.
Tenants: A tenant is a representation of an organization. A tenant is typically separated from other tenants and has its own identity. Each Microsoft 365, Office 365, Azure, and Dynamics CRM Online tenant is automatically an Azure AD tenant.
Services of Azure AD
- Authentication: This includes verifying identity to access applications and resources. It also includes providing functionality such as self-service password reset, multifactor authentication, a custom list of banned passwords, and smart lockout services.
- Single sign-on: SSO enables you to remember only one username and one password to access multiple applications. A single identity is tied to a user, which simplifies the security model. As users change roles or leave an organization, access modifications are tied to that identity, which greatly reduces the effort needed to change or disable accounts.
- Application management: You can manage your cloud and on-premises apps by using Azure AD. Features like Application Proxy, SaaS apps, the My Apps portal (also called the access panel), and single-sign on provide a better user experience.
- Device management: Along with accounts for individual people, Azure AD supports the registration of devices. Registration enables devices to be managed through tools like Microsoft Intune. It also allows for device-based conditional access policies to restrict access attempts to only those coming from known devices, regardless of the requesting user account.
MFA and Conditional Access
MFA: Azure AD Multi-Factor Authentication is a Microsoft service that provides multifactor authentication capabilities. Azure AD Multi-Factor Authentication enables users to choose an additional form of authentication during sign-in, such as a phone call or mobile app notification.
Conditional Access: Conditional Access is a tool that Azure Active Directory uses to allow (or deny) access to resources based on identity signals. These signals include who the user is, where the user is, and what device the user is requesting access from.
Cloud Adoption Framework + Choosing the Right Strategy:
The Cloud Adoption Framework for Azure provides you with proven guidance to help with your cloud adoption journey. The Cloud Adoption Framework helps you create and implement the business and technology strategies needed to succeed in the cloud.
Teams often start their Azure governance strategy at the subscription level. There are three main aspects to consider when you create and manage subscriptions: billing, access control, and subscription limits.
- Billing: One billing report per subscription.
- Access Control : Every subscription is associated with an Azure Active Directory tenant. Each tenant provides administrators the ability to set granular access through defined roles by using Azure role-based access control.
- Subscription Limits: Subscriptions also have some resource limitations. For example, the maximum number of Azure ExpressRoute circuits per subscription is 10.
Azure RBAC (role-based access control): Grants granular access to resources based on scope. A scope can be:
- A management group (a collection of multiple subscriptions).
- A single subscription.
- A resource group.
- A single resource.
Use Azure RBAC when you need to:
- Allow one user to manage VMs in a subscription and another user to manage virtual networks.
- Allow a database administrator group to manage SQL databases in a subscription.
- Allow a user to manage all resources in a resource group, such as virtual machines, websites, and subnets.
- Allow an application to access all resources in a resource group.
Resource Controls + Structure
Resource Locks: A resource lock prevents resources from being accidentally deleted or changed. Even with Azure role-based access control (Azure RBAC) policies in place, there’s still a risk that people with the right level of access could delete critical cloud resources. Think of a resource lock as a warning system that reminds you that a resource should not be deleted or changed. Lock levels: CannotDelete, CannotEdit.
Instead of having to configure features like Azure Policy for each new subscription, with Azure Blueprints you can define a repeatable set of governance tools and standard Azure resources that your organization requires. In this way, development teams can rapidly build and deploy new environments with the knowledge that they’re building within organizational compliance with a set of built-in components that speed the development and deployment phases.
Resource tags provide extra information, or metadata, about your resources. A tag is a name/value pair, for example env=prod, owner=platform-team or costcenter=1234, and you can assign one or more tags to each Azure resource. Tags are not inherited from a resource group by its resources by default; use Azure Policy to require tags on new resources or to append them automatically.
Azure Policies & Initiatives:
Azure Policy is a service in Azure that enables you to create, assign, and manage policies that control or audit your resources. Each policy pairs a condition on the resource configuration with an effect such as Audit, Deny or DeployIfNotExists, so that configurations stay compliant with corporate standards. An initiative is a group of policies assigned and tracked together. Advantages of using policies are:
- Enforce rules over Azure resources. Examples: only allow VM creation in one region or with specific SKUs; "CORS should not allow every resource to access your web applications".
- Reduce the time needed to audit your environments by having all your compliance data in a single place.
- Set guardrails throughout your resources to help ensure cloud compliance, avoid misconfigurations, and practice consistent resource governance.
- Reduce the number of external approval processes by implementing policies at the core of the Azure platform, for increased developer productivity.
- Control and optimize your cloud spend to get more value from your investment.
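The following Python is an added example, not code from the original guide or the Azure Policy engine. It evaluates two policy rules whose structure follows the built-in "Allowed locations" and "Allowed virtual machine size SKUs" definitions against constructed resources, and shows how an initiative groups them. The alias table and the resources are constructed, and only the operators these two rules need are implemented.

```python
"""Minimal evaluator for the Azure Policy rule language. Added illustration
for the study guide; this is not the Azure Policy engine. Only the operators
used by the two rules below are implemented, the alias table is a constructed
subset, and the resources are constructed examples."""
from typing import Any, Optional

# Constructed alias table: policy "field" name -> path into the resource JSON.
ALIASES = {
    "Microsoft.Compute/virtualMachines/sku.name": ("properties", "hardwareProfile", "vmSize"),
}

# Two definitions modelled on the built-in "Allowed locations" and
# "Allowed virtual machine size SKUs" policies; the lists are parameters.
ALLOWED_LOCATIONS = {
    "name": "Allowed locations",
    "policyRule": {
        "if": {"allOf": [
            {"field": "location", "notIn": "[parameters('listOfAllowedLocations')]"},
            {"field": "location", "notEquals": "global"},
            {"field": "type", "notEquals": "Microsoft.AzureActiveDirectory/b2cDirectories"},
        ]},
        "then": {"effect": "deny"},
    },
}
ALLOWED_VM_SKUS = {
    "name": "Allowed virtual machine size SKUs",
    "policyRule": {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
            {"not": {"field": "Microsoft.Compute/virtualMachines/sku.name",
                     "in": "[parameters('listOfAllowedSKUs')]"}},
        ]},
        "then": {"effect": "deny"},
    },
}

# An initiative: the two policies above with their parameter values.
INITIATIVE = [
    {"policy": ALLOWED_LOCATIONS,
     "parameters": {"listOfAllowedLocations": ["westeurope", "northeurope"]}},
    {"policy": ALLOWED_VM_SKUS,
     "parameters": {"listOfAllowedSKUs": ["Standard_D2_v4", "Standard_D4_v4"]}},
]

# Constructed resources as they would appear in a deployment request.
VM_OK = {"type": "Microsoft.Compute/virtualMachines", "location": "westeurope",
         "properties": {"hardwareProfile": {"vmSize": "Standard_D2_v4"}}}
VM_BAD = {"type": "Microsoft.Compute/virtualMachines", "location": "eastus",
          "properties": {"hardwareProfile": {"vmSize": "Standard_E64_v4"}}}
STORAGE_WRONG_REGION = {"type": "Microsoft.Storage/storageAccounts", "location": "eastus"}


def get_field(resource: dict, field: str) -> Any:
    """Resolve a top-level field (type, location, name) or a known alias."""
    value: Any = resource
    for key in ALIASES.get(field, (field,)):
        if not isinstance(value, dict):
            return None
        value = value.get(key)
    return value


def resolve(value: Any, params: dict) -> Any:
    """Policy JSON references parameters as "[parameters('name')]"."""
    if isinstance(value, str) and value.startswith("[parameters('") and value.endswith("')]"):
        return params[value[len("[parameters('"):-len("')]")]]
    return value


def norm(value: Any) -> Any:
    # Azure Policy compares string fields case-insensitively.
    return value.lower() if isinstance(value, str) else value


def matches(cond: dict, resource: dict, params: dict) -> bool:
    """True when the condition (the policy's 'if' block) holds for the resource."""
    if "allOf" in cond:
        return all(matches(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(c, resource, params) for c in cond["anyOf"])
    if "not" in cond:
        return not matches(cond["not"], resource, params)
    actual = norm(get_field(resource, cond["field"]))
    if "equals" in cond:
        return actual == norm(resolve(cond["equals"], params))
    if "notEquals" in cond:
        return actual != norm(resolve(cond["notEquals"], params))
    if "in" in cond:
        return actual in [norm(v) for v in resolve(cond["in"], params)]
    if "notIn" in cond:
        return actual not in [norm(v) for v in resolve(cond["notIn"], params)]
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(policy: dict, resource: dict, params: dict) -> Optional[str]:
    """Effect to apply ('deny', 'audit', ...) when the resource is
    non-compliant, i.e. when the 'if' block matches; None if compliant."""
    rule = policy["policyRule"]
    if matches(rule["if"], resource, params):
        return rule["then"]["effect"].lower()
    return None


def evaluate_initiative(initiative: list, resource: dict) -> dict:
    """Name and effect of every policy in the initiative that the resource violates."""
    violations = {}
    for entry in initiative:
        effect = evaluate(entry["policy"], resource, entry["parameters"])
        if effect:
            violations[entry["policy"]["name"]] = effect
    return violations


if __name__ == "__main__":
    for label, res in [("VM_OK", VM_OK), ("VM_BAD", VM_BAD),
                       ("STORAGE_WRONG_REGION", STORAGE_WRONG_REGION)]:
        print(label, evaluate_initiative(INITIATIVE, res) or "compliant")
```

Note the "location notEquals global" clause: resources such as Traffic Manager profiles report location "global", and without that clause an allowed-locations policy would deny them; when you write your own location rule, keep that exemption.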
Cloud governance requires good analysis and requirement gathering. Luckily, the Cloud Adoption Framework for Azure can help you define and implement your governance strategy. There are several services and features in Azure to support these efforts:
Azure Policy is a service in Azure that enables you to create, assign, and manage policies that control or audit your resources.
Azure Blueprints enables you to define a repeatable set of governance tools and standard Azure resources that your organization requires.
Learn about the factors that influence cost, tools you can use to help estimate and manage your cloud spend, and how Azure’s service-level agreements (SLAs) can impact your application design decisions.
TCO Calculator: compares the cost of running a workload in Azure with its total cost of ownership on premises, e.g. how much you would spend to build and run the same infrastructure in your own data center (hardware, software licences, power, IT labour).
Pricing Calculator: the website where potential customers can estimate the monthly cost of a planned set of Azure services before moving to Azure.
Azure Cost Management: a free Azure service that shows how much has been spent in the current billing period, lets you set budgets and spending alerts, and recommends best practices to optimise cost.
Azure Advisor: a free Azure service that provides recommendations on reliability (high availability), security, performance, operational excellence, and cost, based on the Azure products you are using.
Azure Subscription Types
Free: new users receive a $200 credit to spend on any Azure product in the first 30 days, free monthly amounts of popular services for the first 12 months, and access to the always-free services. This subscription type requires credit card details, but nothing is charged until you decide to upgrade to a pay-as-you-go subscription.
Pay-as-you-go (PAYG): charged monthly for the services used in the previous billing period. This type is used by individuals and businesses.
Enterprise Agreement: enterprises sign an agreement with Microsoft that gives discounted prices on software licences and Azure services in return for a spending commitment.
Azure for Students: students receive a $100 credit to spend over 12 months plus free access to selected services. No credit card is required for this subscription type, but verification with a student email address is.
Purchasing Azure Services
Through an Enterprise Agreement: Larger customers, known as enterprise customers, can sign an Enterprise Agreement with Microsoft. This agreement commits them to spending a predetermined amount on Azure services over a period of three years. The service fee is typically paid annually. As an Enterprise Agreement customer, you’ll receive the best customized pricing based on the kinds and amounts of services you plan on using.
Directly from the web: Here, you purchase Azure services directly from the Azure portal website and pay standard prices. You’re billed monthly, as a credit card payment or through an invoice. This purchasing method is known as Web Direct.
Through a Cloud Solution Provider: A Cloud Solution Provider (CSP) is a Microsoft Partner who helps you build solutions on top of Azure. Your CSP bills you for your Azure usage at a price they determine. They also answer your support questions and escalate them to Microsoft, as needed.
Cost Factors of Azure services:
Resource Types: different Azure products are priced differently, e.g. an Azure VM is charged by size, operating system, hours of use, and attached storage. Stopping a VM from the portal, CLI or API puts it in the Stopped (deallocated) state and ends the compute charge; shutting it down from inside the guest OS only leaves it Stopped, and compute is still billed in that state. The managed disks are billed either way.
Subscription Types: Most users will pay the standard price, while the enterprise customers may have discounted or stable cost.
Locations: For some resource types, the cost will vary based on the server locations. For example, Azure VM in Japan data center might cost more than in US data center.
Inbound and Outbound traffic: inbound data transfer into Azure is generally free, while outbound transfer to the internet is charged per GB. Moving data between availability zones or between regions may also incur charges, so placing components that exchange a lot of data in the same region matters for the bill.
Manage and Minimize Costs
These are Azure recommended ways to minimize costs. A few are highlighted in more detail below:
- Understand estimated costs before you deploy
- Use Azure Advisor to monitor your usage
- Use spending limits to restrict your spending: applied at the subscription level. Spending limits exist only on credit-based subscriptions (free trial, Azure for Students, Visual Studio subscriptions); a pay-as-you-go subscription has no spending limit, so use Cost Management budgets and alerts there instead.
- Use Azure Reservations to prepay
- Choose low-cost locations and regions
- Research available cost-saving offers
Use Azure Cost Management + Billing to control spending: Azure Cost Management + Billing is a free service that helps you understand your Azure bill, manage your account and subscriptions, monitor and control Azure spending, and optimize resource use.
Resize underutilized virtual machines: as an example, say you have a VM whose size is Standard_D4_v4, a general-purpose VM type with four vCPUs and 16 GB of memory, and you discover that it is idle 90 percent of the time. Moving it to a smaller size such as Standard_D2_v4 (two vCPUs, 8 GB) keeps the workload running at roughly half the compute cost. Check the VM's CPU and memory metrics in Azure Monitor before resizing, and plan for the restart that a resize causes.
Migrate from IaaS to PaaS services
Choose cost-effective operating systems
Service Level Agreement (SLA)
An SLA is Azure's formal commitment to a minimum level of availability for a service, expressed as a percentage of uptime per billing month. If the service falls below that level, the customer can claim a service credit against the bill. Most paid Azure products carry an SLA of 99.9% or higher; free services and preview features have no SLA. The SLA for each product is published on the Service Level Agreements page.
SLA and Downtime
Most SLAs have following sections:
Introduction This section explains what to expect in the SLA, including its scope and how subscription renewals can affect the terms.
General terms This section contains terms that are used throughout the SLA so that both parties (you and Microsoft) have a consistent vocabulary. For example, this section might define what’s meant by downtime, incidents, and error codes. This section also defines the general terms of the agreement, including how to submit a claim, receive credit for any performance or availability issues, and limitations of the agreement.
SLA details: This section defines the specific guarantees for the service. Performance commitments are commonly measured as a percentage. That percentage typically ranges from 99.9 percent (“three nines”) to 99.99 percent (“four nines”). The primary performance commitment typically focuses on uptime, or the percentage of time that a product or service is successfully operational. Some SLAs focus on other factors as well, including latency, or how fast the service must respond to a request.
Service Credit: A service credit is the percentage of the fees you paid that are credited back to you according to the claim approval process.
The SLA depends on how a service is deployed. For virtual machines: a single instance with Premium SSD or Ultra Disk storage has a 99.9% SLA; two or more instances in the same Availability Set have 99.95%; two or more instances spread across two or more Availability Zones in the same region have 99.99%. Spreading instances across regions is a disaster-recovery design rather than a higher VM SLA.
Outages: Azure status provides a global view of the health of Azure services and regions. If you suspect there’s an outage, this is often a good place to start your investigation.
Define Your SLA
Computing the total (aggregate) SLA: after you've identified the SLA for each workload in the Special Orders application, you will notice that those SLAs are not all the same. Because the application depends on all of them, the composite SLA is the product of the individual SLAs, which is lower than the lowest one. How does this affect the overall application SLA requirement of 99.9 percent? To work that out, you need to do some math.
Improve the SLA to meet requirements: deploying two or more instances of an Azure virtual machine across two or more availability zones raises the virtual machine SLA to 99.99 percent. Recalculating the composite SLA above with this Virtual Machines SLA gives an application SLA of 99.6%.
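As an added worked example (not from the original guide), the Python below carries out the composite SLA arithmetic for a constructed three-component application and shows how raising one component's SLA changes the total and the permitted downtime. The workload figures are sample numbers chosen for the example; take real values from the current Azure SLA pages.

```python
"""Composite SLA arithmetic: an added worked example for the study guide,
not taken from the original. Workload SLAs below are constructed sample
figures; use the published Azure SLA for each product when doing this for real."""
from math import prod

MINUTES_PER_YEAR = 365 * 24 * 60
MINUTES_PER_30_DAY_MONTH = 30 * 24 * 60


def composite_sla(slas) -> float:
    """Components the application depends on in series: it is up only when
    all of them are up, so the availabilities multiply. The result is always
    below the weakest component's SLA."""
    return prod(s / 100 for s in slas) * 100


def redundant_sla(sla: float, copies: int) -> float:
    """Independent redundant copies of one component: it is down only when
    every copy is down at once, so unavailability is raised to the power of
    the copy count. This is a probabilistic model; the contractual figure
    (for example 99.99% for two or more VMs across Availability Zones) is
    what Azure actually promises, so quote that, not this estimate."""
    return (1 - (1 - sla / 100) ** copies) * 100


def max_downtime_minutes(sla: float, period_minutes: int = MINUTES_PER_YEAR) -> float:
    """Downtime an SLA permits over a period (default one year)."""
    return (1 - sla / 100) * period_minutes


def meets_target(slas, target: float) -> bool:
    return composite_sla(slas) >= target


# Constructed three-component application and its 99.9% target.
TARGET = 99.9
WORKLOADS = {"Virtual Machines": 99.9,       # single VM, Premium SSD
             "Azure Functions": 99.95,
             "Azure SQL Database": 99.99}
# Same application after moving the VM tier to two instances across
# Availability Zones, using the contractual 99.99% figure.
IMPROVED = {**WORKLOADS, "Virtual Machines": 99.99}

if __name__ == "__main__":
    for name, w in [("as designed", WORKLOADS), ("with zone-redundant VMs", IMPROVED)]:
        total = composite_sla(w.values())
        verdict = "meets" if meets_target(w.values(), TARGET) else "misses"
        print(f"{name}: {total:.4f}% "
              f"({max_downtime_minutes(total):.1f} min/year) -> {verdict} {TARGET}%")
    print(f"99.9% allows {max_downtime_minutes(99.9, MINUTES_PER_30_DAY_MONTH):.1f} min/month, "
          f"99.99% allows {max_downtime_minutes(99.99, MINUTES_PER_30_DAY_MONTH):.2f} min/month")
```

The example makes the design point concrete: with a single 99.9% VM the composite comes out at about 99.84%, which already misses a 99.9% target even though every component individually meets it; lifting the VM tier to 99.99% brings the composite to about 99.93%.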
New Features on Azure
Development → Private Preview → Public Preview → General Availability
Most new features in Azure are first released as a private preview to a limited set of users, then as a public preview open to everyone. After thorough testing the feature leaves preview and becomes generally available (GA). Preview features are offered without an SLA and may change or be withdrawn, so they should not be relied on for production workloads.
Azure provides a preview portal (preview.portal.azure.com) for trying out new features of the Azure portal itself. Preview features that are not portal features are used from the standard Azure portal, the CLI or the API once they have been enabled.