Formation Certifiante

Microsoft Cloud Fundamentals

(AZ-900)
Elaboré par : Mohamed Chiheb BEN CHAABANE (Enseignant en TIC)

Date : 11, 12 novembre 2024

Contents at a glance

• Describe cloud concepts (25–30%)

• Describe Azure architecture and services (35–40%)
• Describe Azure management and governance (30–35%)

2
 Section A : Describe Cloud concepts

• Describe Cloud computing

• Describe the benefits of using Cloud services
• Describe Cloud service types

3
 Section A.I : Describe Cloud computing
• What is Cloud Computing ?
• Shared Responsibility Model
• Cloud models :public, private, hybrid
• Identify use cases for each cloud model
• Consumption-based model
• Compare Cloud pricing models
• Describe Serverless

4
A.I.1 What is Cloud Computing ?
• “Cloud computing is a model for enabling ubiquitous, convenient, on-
demand network access to a shared pool of configurable computing
resources (e.g., networks, servers, storage, applications, and services) that
can be rapidly provisioned and released with minimal management effort
or service provider interaction. This cloud model is composed of five
essential characteristics, three service models, and four deployment
models.” (NIST* Definition).

5
A.I.1.1 Cloud Characteristics
1. On-demand self-service: Users can provision automatically computing resources without
human interaction.

2. Broad network access: Resources can be accessible through a panoply of devices :

smartphones, tablets, laptops, and workstations).

3. Resource pooling: The provider’s computing resources are pooled to serve multiple consumers
using a multi-tenant model, with different physical and virtual resources dynamically assigned
and reassigned according to consumer demand.

4. Rapid elasticity: Capabilities can be elastically provisioned and released automatically.

5. Measured service: Cloud systems automatically control and optimize resource use by
leveraging a metering capability at some level of abstraction appropriate to the type of service
(e.g., storage, processing, bandwidth, and active user accounts).

6
A.I.2 Shared Responsibility Model
• Determines the responsibility of each party: Client and Cloud Provider:
on which resources?

7
A.I.3.1 Cloud models : IaaS
• IaaS (Infrastructure as a Service) : is the cheapest Cloud Model,
useful for small and medium businesses.
• Cloud Provider offers the : physical infrastructure (servers, network,
datacenter, etc..).
• Client manages all the rest : Apps, Operating System,
Configurations, etc..

• USE CASE 1 : A company that uses specific OS that is not available on

the Cloud Platform.
• USE CASE 2 : A company that uses specific equipments that is not
available on the Cloud Platform (IoT, Sensors, Robotics, ..)

8
A.I.3.2 Cloud models : PaaS
• PaaS (Platform as a Service) : is more expensive than IaaS Cloud
Model, useful for medium businesses.
• Cloud Provider offers the : physical infrastructure + OS + DBMS +
Middleware..
• Client manages all the rest :Configurations (OS, DBMS, etc..) + Apps

• USE CASE 1 : A company wants to accelerate his workloads...

• USE CASE 2 : A company that uses specific/own apps that are not
available on the Cloud Platform (ERPs, Medical Apps, etc..)

9
A.I.3.3 Cloud models : SaaS
• SaaS (Software as a Service) : is the most expensive Cloud Model,
generally useful for large businesses (multinational holdings).
• Cloud Provider offers the : physical infrastructure + OS + DBMS +
Middleware + Apps + Specific Software (ERPs) + etc..).
• Client manages : Some Configurations (Users, Roles) + Data.

• USE CASE 1 : A company with multiple workloads wants to optimize

its charges...
• USE CASE 2 : A company that uses common Apps and ERPs that are
available on the Cloud Platform.

10
A.I.3.4 Cloud models : IaaS vs PaaS vs SaaS

IaaS PaaS SaaS

No control over
Complete control over Control over the infrastructure; limited
Control Level
hardware and OS applications and data control over applications
and data
Self-managed Fully managed service;
Managed platform; users
Management infrastructure; vendors users only manage their
manage applications
manage physical hardware specific data
Limited to the provided Not customizable; set
Customization Highly customizable
platform functionality

Developers and Businesses looking for

Organizations with
businesses that want to out-of-the-box solutions
Best for… specific IT infrastructure
reduce coding and app with minimal internal IT
needs
hosting complexity needs
11
A.I.4.1 Cloud types : Public Cloud
• Public Cloud : Services available from a Cloud Provider and offered to a Client
(Physical/Moral=Enterprise).
• A Client can migrate ALL his workloads to Cloud..
• Client is subject to a pricing model to acquire Cloud Services.
• Among Public Cloud Providers :
1. Google (SaaS)
2. Azure (PaaS)
3. AWS (PaaS)
4. OVH (IaaS)
5. ETC..

• Tunisie TELECOM is the first Tunisian Public Cloud Provider dedicated to

Businesses

12
A.I.4.2 Cloud types : Hybrid Cloud
• Hybrid Cloud : Services available from a Cloud Provider and offered
to a Client (Physical/Moral Enterprise).
• A Client can migrate A PART of his workloads to Cloud..
• Reason(s) :
• A company is restricted by regulations and conformities..
• A company uses specific hardware equipments that cannot be
virtualized!! (not available on Cloud Platform).

13
A.I.4.3 Cloud types : Private Cloud
• Private Cloud : Services are Cloudified (virtualized) and remain in the
from a Cloud Provider and offered to a Client (Physical/Moral
Enterprise).
• Client keeps ALL his workloads in his Datacenters/Servers..
• Reason(s) :
• A company is restricted by regulations and conformities..
• Services are critical (Military, Intelligence Services, etc..) !!
• Workloads must ONLY be shared in a Community (ex: Research Lab,
etc..)

14
A.I.5.1 Consumption-based model
• Known also as “Pay-As-You-Go” model, Client is charged only for his
actual use.

• Common Advantages :
1. Flexibility : No long-term commitments.
2. Scalability : expenses can go down/up (adjusted) depending on
usage.
3. Cost Control : A business can monitor costs periodically.
4. Predictable Billing : Manage Budgets more effectively.

15
A.I.5.2 Subscription-based model
• Client is paying a recurring fee (upfront), in a period (monthly or
annually) to benefit from a service/product.
• Services requiring this model : Office365, NetFlix, Adobe CC,
Spotify, ..

• Common Advantages :
• Well-suited for long-term commitment(s).
• Billing made easier.
• Predictable Revenue.
• Etc..
16
A.I.5.3 Subscription-based model types
• Freemium : offers basic services for free and paid premium services.
Example : LinkedIn, Spotify, etc..
• Hybrid : Combines elements of different subscription models, often
blending product and service subscriptions or adding membership
benefits. Example : Amazon Prime, Apple One, etc..
• Flat-rate pricing : A pricing model where a single, fixed fee is charged
for a specific product or service, regardless of usage or time spent.
Example : Office365, etc..
• Tiered pricing : (or volume-based pricing) is a pricing strategy where
the price of a product or service varies based on the quantity or
volume purchased. Example : Amazon EC2, etc..
17
A.I.5.4 Subscription-based vs Consumption-based
models
Aspect Consumption-Based Model Subscription-Based Model

Payment Pay a fixed fee for a set package of

Structure
Pay for actual usage
services

Highly scalable, adjust usage as Limited to the resources in the

Scalability
needed package

Predictability Less predictable, varies with usage More predictable, fixed cost

Steady workloads with predictable

Suitable for Variable workloads, temporary spikes
usage

18
 A.I.5.5 Pay-As-You-Go pricing model
• The Pay-As-You-Go pricing model is one of the most straightforward
(basic)
• Customers pay for the computing resources as they use them, with
prices determined per hour or per minute, depending on the
resource.
• This model provides flexibility because there is no upfront
commitment; users can scale services up or down as needed.
• For example, Azure Virtual Machines are billed per second, and
services like Azure Functions are billed per execution and the total
execution time.

19
 A.I.5.6 Reserved Instances pricing model
• This pricing model allows customers to reserve virtual machines (VMs)
on a 1-3 year term.
• By committing to a long-term contract, customers receive a
significant discount on the regular price of the VMs compared to the
Pay-As-You-Go model. This can result in savings of up to 72%.
• For instance, a D2s v3 virtual machine in West US region under Pay-As-
You-Go might cost around $0.096/hour, while the same machine
under a 3-year Reserved Instance could drop to approximately
$0.062/hour.

20
 A.I.5.7 Spot Pricing model
• Spot pricing applies to unused Azure capacity.
• Spot pricing is ideal for workloads that are tolerant to interruptions,
such as batch processing jobs.
• Using Azure pricing calculator, you can compare the cost of a Spot
instance to that of the same instance under the Pay-As-You-Go model.
• The transient nature of Spot instances means the prices are variable
and subject to change.
• → Azure can reclaim these resources at any time with very short
notice if the capacity is needed for other customers.

21
 A.I.5.8 Azure Hybrid Benefit Pricing model
• The Azure Hybrid Benefit is a pricing model designed for customers
with existing Microsoft licenses.
• It allows the use of those licenses for Azure services at a reduced cost,
incorporating a bring-your-own-license (BYOL) approach.
• For example, customers with on-premises Windows Server or SQL
Server licenses can use them to run virtual machines in Azure and
save on compute costs.

22
 A.I.5.9 Free Tier Pricing model
• For new users, Azure provides a Free Tier, which includes certain
services free for 12 months plus a limited amount of free services
monthly.
• This does not require a commitment other than signing up for an Azure
account.
• Azure Pack Student is a form of Free Tier.
• Examples of services included in the Free Tier are:
• A limited amount of Azure Cosmos DB capacity.
• Certain numbers of Azure Functions executions per month.
• A small instance of Entra ID with a limited number of objects.

23
 A.I.5.10 Pricing models comparison table

Pricing Model Example Cost Commitment Ideal Use Case

Flexible, variable
Pay-As-You-Go $0.096/hour None
workloads
Predictable, steady
Reserved Instances $0.062/hour (3yr) 1-3 years
workloads
Interruptible, batch
Spot Pricing Variable None
processing
Existing Microsoft
Azure Hybrid Benefit Varies (based on BYOL) Varies
license holders
Trying out Azure, small
Free Tier $0/month None
projects

24
 A.I.6. Serverless computing
• Enables developers to build applications faster by eliminating the need
to manage infrastructure.
• With serverless applications, the cloud service provider automatically
provisions, scales, and manages the infrastructure required to run the
code.
• This phenomenon is fit to DevOps approach.
• Applied by Azure Functions.

• Benefits :
• Faster and more productive development teams.
• Fewer operational overheads for DevOps teams.
• More significant innovation.
• Quicker time to value and ROI for development resources.
25
 Section A.II : Benefits of using cloud services

• Describe the benefits of high availability and scalability in the cloud

• Describe the benefits of reliability and predictability in the cloud
• Describe the benefits of security and governance in the cloud
• Describe the benefits of manageability in the cloud

26
 A.II.1. Benefits of High Availability (HA)
• High availability (HA) is the ability of a system/service to remain
accessible and operational over a given period of time, despite any
hardware/software failures that might arise.

• Benefits :
• Improved Business Continuity → More Productivity.
• Reduced Downtime.
• Enhanced Customer Satisfaction.

27
 A.II.2.1 Benefits of Scalability
• Scalability is the ability of a system to handle increased load by
adding resources, either vertically (by adding more resources to
existing machines) or horizontally (by adding more VMs)..

• Benefits :
• Enhanced Performance → improved response times.
• Increased Throughput: ability to process more data and transactions.

28
 A.II.2.2 Horizontal vs Vertical Scalability
• Horizontal scaling refers to adding nodes (servers, clusters, VMs..)
• Vertical scaling refers to increase/decrease the capacity of existing
services/instances by adding memory (RAM), storage, network, or
processing power (CPU).

29
 A.II.2.3 Horizontal vs Vertical Scalability
Aspect Horizontal Scaling Vertical Scaling
Scaling Operations Scale in/out Scale up/down
Scaling Model Stateless server scaling model Stateful server scaling model
Complexity and Maintenance Higher Lower
Cost Higher cost with licensing fees Lower cost with licensing fees
Downtime Less downtime possible Physical limit of downtime
Resize More easily resizable according to needs Challenging to manage when scaled down
Boost the power of individual servers with
Power Increase the power of the separate server
the existing server
Architecture Distributed Any
The workload is in the manner of multi-
Workload The workload is spread over the servers
core machines
Data Data is partitioned Data is stored on a single node
Efficiency Optimal Suboptimal
30
 A.II.3.1 Benefits of Reliability
• Reliability refers to the ability of a cloud system to consistently
perform and deliver services as expected, without interruptions or
failures..
• Reliability components are defined in the Cloud agreement.
• Example of components : SLA, Services, Costs, Commitment, etc..

31
 A.II.3.2 SLA (Service Level Agreement)
• “Service Level Agreement (SLA) is the amount of time the services
are online, available, and operational.” (Microsoft Definition).
• Example of SLAs :

SLA of a Service Permitted Downtime Per Month

99.90% 43m 28s
99.95% 21m 44s
99.99% 4m 21s
99.999% 26s

32
 A.II.3.2 Composite SLA
• A composite SLA is the overall SLA that results from combining
multiple individual SLAs of different services that support an
application.
• Example : an application that relies on two services, each with its own
SLA:
• Service A: 99.95%
• Service B: 99.99%
• If both services need to be operational for the application to work
(logical AND), the composite SLA would be calculated by multiplying
the individual SLAs: 99.95% * 99.99% = 99.94%

33
 A.II.5. Benefits of Security
• Cloud features support compliance, standards and regulations.
• Depending on your operating model, software patches and updates
may also automatically be applied.
• Cloud providers can handle security threats like DDoS attacks..
• Cloud-based auditing helps flag any resource that’s out of compliance
with your corporate standards and provides mitigation strategies.

34
 A.II.6. Benefits of Governance
• Cloud governance is a set of policies and procedures designed to
ensure that cloud computing services are used securely, efficiently,
and in compliance with organizational standards.
• That governance applies not only to access of resources but also to
how users use those resources.
• For example, you can define policies that prevent users from creating
resources that carry significant costs..
• Advantages :
• Operational Efficiency.
• Risk Management.
• Cost Control.
• Etc..
35
 A.II.7. Benefits of Manageability
• Manageability in the cloud refers to the ease with which cloud-based
resources can be configured, monitored, and managed.
• It's about streamlining operations, reducing manual effort, and
ensuring optimal performance.
• Manageability comes about :
1. Automatically scale up/down resource deployment.
2. Deploy resources based on a preconfigured template, no manual
configuration.
3. Monitor the health of resources and automatically replace failing resources.
4. Receive automatic alerts based on configured metrics, so aware of real-time
performance.
• By using : Azure Portal, CLI, APIs, Powershell.
36
 A.II.8. Other Benefits
• Elasticity : is the ability to shape the resources needed automatically,
to burst and scale to meet any peak in demand, and to return to a
normal operating baseline.
• Agility : means deploying and configuring resources effectively and
efficiently in a short space of time (quickly) to meet any change in
requirements or operational needs.
• Disaster Recovery : is based upon a set of practices or measures to
ensure that, when a system fails, it can be restored to operation by
failing over to a replicated instance in another region.

37
END of Section A

38
Section B : Describe Azure architecture and
services
• Describe the core architectural components of Azure
• Describe Azure compute and networking services
• Describe Azure storage services
• Describe Azure identity, access, and security

39
 Section B.I : Describe the core architectural
components of Azure
• Describe Azure regions, region pairs, and sovereign regions
• Describe availability zones
• Describe Azure datacenters
• Describe Azure resources and resource groups
• Describe subscriptions
• Describe management groups
• Describe the hierarchy of resource groups, subscriptions, and
management groups

40
 B.I.1.1 Azure Regions
• A region is a set of datacenters deployed within a latency-defined
perimeter and connected through a dedicated regional low-latency
network.
• A region has at least one availability zone (AZ), in average 3 AZs.

41
 B.I.1.1 Azure Regions Map
•A

42
 B.I.1.2 Azure Region Pairs
• Region Pairs is a technique to pair two regions (at least) in the same
geography (East & West US) in order to enhance reliability and
disaster recovery and reduce likelihood of both regions being
affected by the same disaster.
• The 2 regions must be at least 300 miles apart (≃ 480,8 KM).

• Azure Region Pairs contain :

• Primary Region : Workloads/data are uploaded and operated.
• Secondary Region : Region for Backup/Recovery site.
• Cross-Region Replication: Auto-Replication for services supporting cross-
region replication to secondary region.
• Failover : Auto-Failover to Secondary Region in case of Primary Region outage.
43
 B.I.1.3. Azure Geographies
• An Azure geography is an area of the world that contains at least one
Azure region.
• Geographies correspond to countries or continents.
• Example: India is a geography, Africa is a geography.
• Note : A geography can gather one or more region pairs.

44
 B.I.1.4 Azure Sovreign Regions
• Designed for governments and entities that require a unique
environment for data protection.
• Sovereign regions include Azure Government in the United States,
Azure China which is operated by 21Vianet, and Azure Germany.
Azure sovereign regions include:
1. An independent network that is separate from the global Azure network,
ensuring data does not flow through the public internet.
2. Compliance certifications that meet the needs of the sovereign host
country.
3. Exclusive access to screened personnel who have passed background
checks pertinent to the region’s requirements.

45
 B.I.1.5. Comparison between Azure Regions types
Azure Region Types Characteristics Examples Compliance Use Case
Global scalability, Standard compliance General-purpose
West Europe, North
Azure Regions redundancy, and certifications, eg. ISO, cloud services,
Europe
network connectivity GDPR commercial entities
Standard compliance
Enhanced reliability
Paired regions within certifications,
and automatic
Azure Regional Pairs the same geography East US with West US Regional level
disaster recovery for
for disaster recovery adherence (data stays
critical applications
in geography)

Country-specific Government entities

Physically and
Azure Government, compliance and critical operations
Azure Sovereign network isolated
Azure China, Azure certifications, eg. requiring the highest
Regions regions, high-level
Germany FedRAMP, Germany’s levels of data isolation
data protection
C5 and compliance

46
 B.I.2. Azure Availability Zones (AZs)
• Availability Zones (AZs) are physically separate locations within an
Azure region.
• Availability Zones allow customers to run mission-critical applications
with high availability and low-latency replication.

47
 B.I.3. Azure Datacenters
• Azure datacenter is a unique physical building that contains
thousands of physical servers with its own power, cooling and
networking infrastructure.
• These datacenters are located all over the globe. (+160 datacenters).
• These dataceneters are organised into Azure Regions.
• Microsoft has its own underwater datacenter (near Orkney Islands in
Scotland) that boosts green energy..

48
 B.I.3. Azure Point-Of-Presence
• Azure Point-Of-Presence locations are strategically placed data
centers that help deliver Azure services with low latency and high
availability (192 POPs).
• These PoPs are part of Azure’s global network infrastructure include
services like Azure Content Delivery Network (CDN) and Azure Front
Door.
• Azure Content Delivery Network (CDN) is a global solution designed
to deliver high-bandwidth content efficiently by caching it at
strategically placed physical nodes around the world.
• Azure Front Door is a modern cloud CDN and global load balancer
designed to optimize the performance, scalability, and security of web
applications.
49
 B.I.4. Azure Edge Zones
• Azure Edge Zones are a type of Azure region that brings Azure services
closer to the edge of the network, enabling low-latency applications and
services.

Common Use Cases for Azure Edge Zones:

• IoT Edge Computing: Process and analyze IoT data at the edge, reducing
network traffic and improving response times.
• Real-Time Analytics: Perform real-time analytics on data generated at the
edge, such as sensor data or video streams.
• Gaming and Media Streaming: Deliver high-quality gaming and media
streaming experiences with low latency and high performance.
• Content Delivery Networks (CDNs): Cache content closer to users,
improving website and application performance.
• Autonomous Systems: Power autonomous systems like drones and robots
with low-latency computing and AI capabilities.
50
 B.I.5. Azure Resources
• An Azure resource is a manageable item through Azure.
• Each resource in Azure is an instance of a service (i.e database
server, a virtual machine, storage accounts, virtual networks, or even a
blob container, ..).
• Examples of Azure Resources:
• Azure Virtual Machines (VMs).
• Azure SQL Database.
• Azure Blob Storage: A service that stores unstructured data.
• ETC..

51
 B.I.6. Azure Resource Groups
• A resource group serves as a container for resources deployed on
Azure.
• It helps manage and organize resources by grouping related
resources that share the same lifecycle, policies, and
permissions.
• When creating a resource group, a region needs to be specified →
where resource group metadata will be stored.
• However, the actual resources in the group can reside in different
regions!!

52
 B.I.6.1 Resource Groups Management Best
Practices

• Naming conventions: Establish clear naming conventions for your

resources and resource groups to make management easier.
• Consistent grouping: Group your resources by lifecycle, managed
together makes it easier to handle them throughout their period of use.
• Tagging: Utilize tags to categorize resources beyond their groupings.
This helps in sorting, filtering, and accounting for billing purposes.

53
 B.I.7. Azure Subscriptions
• Azure subscriptions can be considered the “logical containers” of
Azure resources that share the same “billing” and “access control”
boundaries.
• A subscription enables you to provision resources and gives you
access to Azure services.
• When a user sign up for Azure the first time, he’s asked to create a
subscription and provide credit card details for billing.
• Each subscription is associated with an Azure account, which can
have multiple subscriptions.
• An Azure subscription can be shared between multiple accounts.
• This is managed through Azure Active Directory (Azure AD) and Role-
Based Access Control (RBAC).
54
 B.I.7.1. Azure Subscriptions types
▪ Free Subscription: This involves a free trial period, typically of 30 days
or $200 of credit to spend for the first month.
• Pay-As-You-Go Subscription: Often used by individuals or
companies for production or development purposes. You’re billed
monthly for the services you use.
• Enterprise Agreement (EA) Subscription: Designed for large
organizations that go for a contractual agreement with Microsoft to
use Azure services at discounted rates.
• Student Subscription: Comes with certain free services and is
available for students who can validate their academic status.
55
 B.I.7.2. Azure Subscriptions Management Best
Practices
• Manage costs and billing: You are billed monthly for the services you
use within each subscription. You can also set spending limits and
alerts.
• Group resources for organization and isolation: You can apply
governance conditions, such as roles and policies, at the subscription
level.
• Provide access control: You can define who has access and what level
of access to the Azure resources within the subscription.
• Note : Azure imposes some limits and quotas on the amount of
resources you can deploy and use within each subscription →
These limits can typically be raised by submitting a support request.
56
 B.I.7.3. Azure Subscriptions : Use Cases
• A small business might have a single Pay-As-You-Go subscription for
hosting all their workloads, websites, and databases.
• A large enterprise might have multiple subscriptions to provide isolation
between departments. Each department would manage its own
subscription, but all might roll up to the main Enterprise Agreement.
• A developer could have a separate subscription for testing applications,
separate from the production environment subscription to prevent any
accidental interference.

• Note : It is not uncommon for a business or individual to have multiple

subscriptions!! This could be for billing purposes, organizational reasons,
or compliance.
• Having multiple subscriptions may introduce complexity in management !!
57
 B.I.7.4. Azure Subscriptions Cost
• Azure provides tools such as Azure Cost Management and Billing to
help track and manage your Azure subscription expenditure.
• This includes budgets, alerts, and detailed cost reports.
• In case of multiple subscriptions, Azure Lighthouse and management
groups help providing governance across subscriptions.
• Azure Lighthouse is a powerful service that enables cross-tenant
management of Azure resources, making it easier for service
providers and enterprises to manage multiple Azure environments.
• Before creating a subscription, you can use the Azure Pricing
Calculator to estimate costs based on your projected usage, allowing
for better financial planning and subscription selection.
58
 B.I.8.1. Azure Management Groups
• A management group is a container that helps you manage access,
policy, and compliance for multiple subscriptions.
• You can build a flexible structure of management groups and
subscriptions to organize your resources into a hierarchy → provides a
level of isolation and autonomy while still allowing for centralized
governance.
• This allows the creation of a tree-like structure that can go up to six
levels deep, excluding the Root Management Group.

59
 B.I.8.2. Features and Benefits of Management
Groups
• Hierarchical Management: The tree structure of management groups helps
in organizing subscriptions according to the needs of the business, which
can reflect organizational structures or different projects and environments.
• Access Control: Role-Based Access Control (RBAC) settings can be
applied at the management group level which then cascades down to the
subscriptions within the group. This simplifies access management across
multiple subscriptions.
• Policy Application: Azure policies can be applied at the management group
level, ensuring consistent governance and compliance across all
subscriptions within the group.
• Compliance and Audit: With management group-level application of
policies, you can readily track and enforce compliance standards.
• Cost Management: By grouping subscriptions together, you can aggregate
and manage cloud costs more effectively, providing a clear view of
expenditure across different parts and projects of the organization.
60
 B.I.8.3. Example Hierarchy of Management
Groups and Subscriptions
• Root Management Group
o IT Management Group
▪ US IT Subscriptions
▪ Europe IT Subscriptions
o HR Management Group
▪ US HR Subscriptions
▪ Europe HR Subscriptions
o Marketing Management Group
▪ US Marketing Subscriptions
▪ Europe Marketing Subscriptions

• By setting up this structure, Contoso can apply specific policies and RBAC at each level,
ensuring that all the US IT subscriptions, for example, can inherit the same policies and
have the same role assignments.
61
 B.I.8.4. Best Practices for Using Management
Groups
• Limit Hierarchy Depth: While you can have a hierarchy that is up to six
levels deep, a simpler structure can be easier to manage and troubleshoot.
• Centralize Management: Use the root management group for global
policies and access controls that should apply to all subscriptions in your
tenant.
• Align With Organizational Structures: Management groups should reflect
your organization’s structure, making it easier to map Azure resources to
business units, departments, or geographic regions.
• Naming Convention: Establish clear naming conventions for management
groups to accurately reflect their purpose and simplify administration.
• Continuous Monitoring: Regularly review management group structures,
role assignments, and policy definitions to ensure they are aligned with the
organization’s current requirements.

62
B.I.9. Hierarchy of resource groups,
subscriptions, and management groups

63
 Section B.II : Describe Azure compute and
networking services
• Compare compute types, including containers, virtual machines, and
functions
• Describe virtual machine options, including Azure virtual machines, Azure
Virtual Machine Scale Sets, availability sets, and Azure Virtual Desktop
• Describe the resources required for virtual machines
• Describe application hosting options, including web apps, containers, and
virtual machines
• Describe virtual networking, including the purpose of Azure virtual
networks, Azure virtual subnets, peering, Azure DNS, Azure VPN Gateway,
and ExpressRoute
• Define public and private endpoints
64
 B.II.1.1. Describe Compute types

Compute Type Use Cases Pros Cons

Quick start-up, Cost-
Microservices, Event- Not suitable for stateful
effectiveness for
Container Instances driven tasks, Short-lived applications that require
intermittent tasks,
jobs persistent storage
Portability

Legacy applications, More expensive for short-

Flexibility, Full control over
Virtual Machines Customizable term tasks, Requires more
the OS, Long-running tasks
environments management

High scalability, Pay only Execution time limits, Less

Event-driven architectures,
Functions for usage, Simplified control over the
Microtasks, Scalable APIs
deployment model environment

65
 B.II.2. Azure VM
• Azure Virtual Machines (VMs) provide on-demand, scalable
computing resources with the choice of either Windows or Linux
operating systems.
• VMs can be tailored to a wide range of computing solutions,
including application hosting, development and testing environments,
and extending datacenter infrastructure.

66
 B.II.2.1. Azure VM Gategories
• General purpose (A, B, and D family series): These VMs have a balanced CPU-to-memory ratio. They are best
suited for testing and development (A series only), burstable workloads (B series only), and general-purpose
workloads (D series only).
• Compute optimized (F family series): These VMs have a high CPU-to-memory ratio. They are best suited for
web servers, application servers, network appliances, batch processes, and any workload where bottlenecks
and a lack of resources will typically originate in the CPU over memory.
• Memory optimized (E and M family series): These VMs have a high memory-to-CPU ratio. They are best suited
for relational databases, in-memory analytics, and any workload where bottlenecks and a lack of resources
will typically originate in the memory over the CPU.
• Storage optimized (L family series): These VMs have high disk throughput and I/O. They are best suited for data
analytics, data warehousing, and any workload where bottlenecks and a lack of resources will typically relate
to the disk over the memory and CPU.
• GPU optimized (N family series): These VMs have graphics processing units (GPUs). They are best suited for
compute intensive, graphics-/gaming-intensive, visualization, and video conferencing/streaming workloads.
• High performance (H family series): These are the most powerful CPU VMs that Azure provides, offering high-
speed throughput network interfaces. They are best suited for compute and network workloads such as SAP
HANA.

67
 B.II.2.1. Azure VM Terminology
[Family] + [Sub-Family] + [# of vCPUs] + [Additive Features] + [Version]

• Family: This represents the VM • l: low-memory size.

family series. • m: memory-intensive size.
• Sub-Family: This represents the • s: presence of Premium Storage
capabilities. However, some newer
specialized VM differentiations. VM options without this attribute can
• # of vCPUs: This represents the still support Premium Storage.
number of vCPUs of the VM. • t: tiny-memory size.
• Additive Features examples: • Version: This represents the
• a: indicates AMD-based processor. version of the VM family series.
• d: VM with a local temp disk.
• i: an Isolated size.
68
 B.II.2.2. Azure VM Terminology Examples (1)
• Example 1: M416ms_v2
Value Explanation
Family M
# of vCPUs 416
m = memory intensive
Additive Features
s = Premium Storage capable
Version v2

• Example 2: NV16as_v4
Value Explanation
Family N
Subfamily V
# of vCPUs 16
a = AMD-based processor
Additive Features
s = Premium Storage capable
Version v4 69
 B.II.2.2. Azure VM Terminology Examples (2)
• Example 3: NC4as_T4_v3
Value Explanation
Family N
Subfamily C
# of vCPUs 4
a = AMD-based processor
Additive Features
s = Premium Storage capable
Accelerator Type T4
Version v3

70
 B.II.2.2.1. Availability Sets
• Availability Sets are logical groupings of VMs, in one datacenter, that
reduce the chance of correlated failures happened to VMs at the same
time.
• An Availability Set consists of Fault Domains and Update Domains
(up to 3 fault domains and 20 update domains).

71
 B.II.2.2.2. Fault Domains
• Fault Domain is a logical grouping of Azure resources (VMs) that share
a common power source and network switch.
• Advantage : if one physical hardware platform fails, only the resources
in that fault domain are affected, and the rest of your resources
continue to function normally.

72
 B.II.2.2.3. Update Domains
• Update Domain used to manage software updates and planned
maintenance.
• Advantage : Ensures that only a subset of VMs are updated at the
same time, minimizing downtime.

73
B.II.2.2.4. “Fault Domains” VS “Update Domains”

Feature Fault Domain Update Domain

Software updates
Focus Hardware failures
Isolation Physical Logical
Goal High availability Minimal downtime

74
 B.II.2.3. Azure Virtual Machine Scale Sets
• Azure Virtual Machine Scale Sets let you create and manage a group
of load balanced and identical VMs.
• The number of VM instances can automatically increase or decrease
in response to demand or a defined schedule.
• With scale sets, you can build large-scale services for areas such as
compute, big data, and container workloads.
• Scale sets provide the following key benefits:
• Easy to create and manage multiple VMs.
• Provides high availability and application resiliency by distributing VMs across
availability zones or fault domains.
• Allows your application to automatically scale as resource demand changes.
• Works at large-scale.
75
B.II.2.3. Scale Sets vs Availability Set

Feature Use Case

Single VM Testing, small workloads, single instance applications

Availability Set High availability for multiple VMs

VM Scale Sets Large-scale services, auto-scaling workloads

76
 B.II.2.4. Azure Proximity Placement Group
• A Proximity Placement Group (PPG) in Azure is a logical grouping of
virtual machines (VMs) that are physically located close to each
other within the same datacentre.
• This proximity ensures low-latency communication between the VMs,
making them ideal for applications that require high performance and
low latency.

77
 B.II.2.5. Azure Dedicated Hosts
• Azure Dedicated Hosts provide physical servers to Client, that are
exclusively dedicated to your Azure subscription. (Single-Tenant)
• This means no other customers share the same hardware.
• Advantage : Improved Performance & Security..
• Inconvenient : Higher upfront cost compared to regular VMs.
• Use Case : A company with critical business and restricted by
compliance standards (not be able to share data ..)

78
 B.II.2.6. Azure Virtual Desktop
• Azure Virtual Desktop (PaaS) is a desktop and application
virtualization service that provides access to your desktop and
applications from virtually anywhere and from any device (iOS, MAC,
Linux, Windows).
• Allows remote users to connect from their devices to their hosted
desktops and remote applications in Azure.
• This access is provided securely and reliably from any location with
Internet or over a private managed network such as ExpressRoute
service.

79
 B.II.3. Describe application hosting options
Azure VMs Azure App Service Windows Containers
App is just a clean ASP.NET
Application has strong Application has dependencies
web app (MVC, WebForm) or
When to use dependencies on the server
N-Tier app (Web API, WCf)
which can be included in the
and local .msi installations. Docker Windows image.
accessing a database server.
Familiar environment.
Ongoing PaaS maintenance, Cloud DevOps-Ready with
Deployment environment is a
Pros VM, so it's similar to on-
simplest way to manage and dependencies included in the app's
scale apps in Azure. containers.
premises servers.
Not all apps are supported :
Some apps might need to be Docker's skills learning curve, and
Maintenance is costly. IaaS
Cons environment !
refactored and slightly Some code and app configuration
rearchitected to support settings changes.
Azure App Service.
Docker Engine - Enterprise for
Windows Server VM with the Azure App Service
Windows Server 2019 OR Azure
Requirements same requirements than the requirements specified in
Container Azure Service Fabric
app for on-premises Readiness checks.
orchestrator Service (AKS) OR
Follow the "Modernizing existing
Migrate to Azure Virtual
How to Migrate Machines
Migrate Azure App Service .NET apps with Azure and Windows
Containers" eBook
80
 B.II.4. Azure virtual networking
• Azure virtual networks provide the following networking capabilities:
• Isolation and segmentation
• Internet communications
• Communicate between Azure resources
• Communicate with on-premises resources
• Route network traffic
• Filter network traffic
• Connect virtual networks

81
 B.II.4.1. Azure VNet
• Azure Virtual Networks (VNet) provide an isolated and private
environment within the Azure Cloud.
• VNets allow Azure resources (VMs, Apps, ..) to securely
communicate with each other, with the Internet, with on-premises
networks.
• Azure Virtual Networks can deliver a range of network services :
private IPs allocations, DNS settings, security policies, and routing
to create a network experience similar to that of a traditional network,
but with the scale and flexibility of the cloud.

82
 B.II.4.2. Azure VNet Peering
• Azure VNet Peering is a mechanism that connects two or more
virtual networks in Azure.
• This allows resources in different VNets to communicate directly
with each other, using Azure’s backbone network (without Internet).
• Peering ensures a low-latency, high-bandwidth connection between
resources in different VNets, without the need for a gateway and
without affecting the performance.
• This is particularly useful for complex architectures where resources
in different VNets need secure and fast inter-connectivity.

83
 B.II.4.3. Azure VPN Gateway
• Azure VPN Gateway, acts as a point of connectivity for secure
remote access to Azure VNets.
• It enables you to establish secured cross-premises virtual network
connections, using industry-standard protocols such as IPsec/IKE
and SSL.
• Example : employees working remotely can connect securely to the
corporate Azure VNet over a VPN, allowing them access to corporate
applications and resources as if they were on-premises.
• 3 types of VPN Gateway :
1. Site-to-Site VPN
2. Point-to-Site VPN
3. VNet-to-VNet Connection
84
 B.II.4.3.1. Site-to-Site VPN
• A site-to-site (S2S) VPN gateway connection is a connection over
IPsec/IKE (IKEv1 or IKEv2) VPN tunnel that requires a VPN device
located on-premises that has a public IP address assigned to it
• Site-to-site connections can be used for cross-premises and hybrid
configurations.

85
 B.II.4.3.2. Point-to-Site VPN
• A point-to-site (P2S) VPN gateway connection lets you create a secure
connection to your virtual network from an individual client computer.
• Doesn't require an on-premises public-facing IP address or a VPN
device.

86
 B.II.4.3.3. VNet-to-VNet Connection
• A VNet-to-VNet is similar to connecting a virtual network to an on-
premises site location.
• Both connectivity types use a VPN gateway to provide a secure tunnel
using IPsec/IKE.
• The virtual networks you connect can be:
• in the same or different regions.
• in the same or different subscriptions.
• in the same or different deployment models (private, hybrid, public)

87
 B.II.4.4. Azure ExpressRoute
• Azure ExpressRoute is a service enabling private connections
between Azure datacenters and on-premises infrastructure or
colocation facilities.
• This bypasses the public internet and provides a more reliable, high-
speed, and low-latency connection.
• ExpressRoute is often used by enterprises that require a dedicated
and private connection to their cloud services for critical
applications and data.

88
 B.II.4.5. Azure DNS
• Azure DNS is the service that provides name resolution to Azure
resources.
• It allows to host a DNS domain and manage DNS records for a
domain within Azure.
• This service ensures that user requests are directed to the correct
resources, such as web servers or VMs.

89
B.II.4. Azure virtual networking options

Feature Purpose

Azure Virtual Networks Provides an isolated, private cloud environment for resources

Azure Subnets Segments VNets into more manageable and secure portions

VNet Peering Connects VNets for low-latency, high-bandwidth communication

Azure DNS Manages DNS domains and records for Azure-hosted services

Azure VPN Gateway Secures remote access connections to Azure VNets

Azure ExpressRoute Offers a private, dedicated network connection to Azure

90
 B.II.5. Private endpoints
• Private endpoints provide secure and private access to Azure
services from within Azure VNets.
• Private endpoints make use of Azure Private Link, a service that
enables Azure resources to be accessed via a private IP address
within the VNet.
• Traffic between the VNet and the service travels over the Azure
backbone network, avoiding public internet exposure and reducing
the risk of external attacks.
• Example: An Azure SQL Database with a private endpoint would be
accessible only from within the VNet through a private URL, such as
mysql.database.windows.net, and would not be reachable from the
public internet.
91
 B.II.6. Public endpoints
• Public endpoints are the interfaces through which resources in
Azure can be accessed from the internet.
• When a service, such as an Azure Web App or a storage account, is
configured with a public endpoint, it receives a publicly accessible
URL and can be reached from anywhere on the web.
• Example: A public Azure Blob Storage endpoint might be accessible
through a URL like https://mystorageaccount.blob.core.windows.net.
This public endpoint would allow users and applications to access
blobs stored in this account from anywhere on the internet, assuming
they have the appropriate permissions.

92
 B.II.6. Public vs Private endpoints

Feature Public Endpoint Private Endpoint

Accessibility Accessible from the internet Accessible only within a VNet

Network Isolation Less isolated (publicly reachable) Highly isolated (no direct internet access)
Increased security due to network
Security Potentially open to more attack vectors
isolation

Requires proper DNS configuration and Requires Azure Private Link and VNet
Connectivity
security rules integration

Resolves to private IP addresses within

DNS Resolution Resolves to public IP addresses
the VNet
Sensitive apps, internal databases and
Use Cases Customer-facing apps, public APIs
services
Via Microsoft’s backbone network (no
Traffic Routing Via the public internet
internet travel)
93
 Section B.III : Describe Azure storage services

• Compare Azure Storage services

• Describe storage tiers
• Describe redundancy options
• Describe storage account options and storage types
• Identify options for moving files, including AzCopy, Azure Storage
Explorer, and Azure File Sync
• Describe migration options, including Azure Migrate and Azure Data
Box

94
 B.III.2. Describe storage tiers
Access
Storage Tier Latency Cost Per Storage Cost Per Access Ideal Use Cases
Frequency
Active data, e.g.,
Hot High Lowest High Low databases, web
content
Infrequently
accessed data,
Cool Low Medium Moderate Moderate
e.g., backups,
media (30 days)
Rarely accessed
data for long-term
Archive Very Low Highest Lowest Highest retention, e.g.,
compliance
records (180 days)

95
B.III.2. Describe storage tiers considerations

• Data Access Patterns: Estimate the frequency of access and retrieval

times required. Hot is suitable for frequent, Cool for occasional, and
Archive for rare access.
• Cost Optimization: Analyze the cost differences. While Hot has higher
storage costs, accessing data is cheaper; Cool and Archive have lower
storage costs but higher access fees.
• Data Lifecycle: Data may move between tiers as it ages. Lifecycle
management policies can automate this to optimize costs.
• Compliance: Ensure that the chosen tier aligns with regulatory
requirements for data retention and access times.
96
 B.III.3. Redundancy Options
Redundancy Option Data Replication Durability Use Case

LRS (Locally Redundant 3 copies within a single data Protects against hardware Non-critical data with no
Storage) center failures need for geo-replication

Critical applications
ZRS (Zone-Redundant 3 copies across different AZ Protects against a zonal
needing resilience against a
Storage) in one region outage
data center failure
6 copies (3 in primary region Protects against regional Data necessitates recovery
GRS (Geo-Redundant Storage)
and 3 in secondary) outages from regional disasters

RA-GRS (Read Access Geo- Same as GRS with only Read

Redundant Storage) Access in secondary region Protects against regional Data necessitates recovery
outages from regional disasters

6 copies with zone

GZRS (Geo-Zone-Redundant Protects against zonal and Maximum availability and
redundancy in primary
Storage) regional outages durability for high resilience
region and geo-replication
Same as GRS with only Read
RA-GZRS (Read-Access Geo- Access in secondary region Protects against zonal and Maximum availability and
Zone-Redundant Storage) regional outages durability for high resilience
97
 B.III.3. Additional Redundancy Options
• Azure Site Recovery (ASR) replicates VMs and on-premises workloads
to another Azure region for disaster recovery purposes. This ensures
applications remain available even during major incidents.
• Azure Traffic Manager is a DNS-based load balancer that distributes
traffic across multiple regions. It can direct users to alternative regions if
a region becomes unavailable, thus ensuring continuous availability.
• Availability Sets and Zones.

98
 B.III.4. Describe storage types
6 types exist :
1. BLOB Storage
2. File Storage
3. Disk Storage
4. Queue Storage
5. Table Storage
6. DataLake Storage

99
 B.III.4.1. Blob Storage
• Blob (Binary Large OBject) storage is designed for handling
unstructured data such as documents, images, videos, and log files
• There are three types of blobs:

Blob Type Use Cases Maximum Size

Block blob Streaming, high performance 190.7 TiB

Append blob Logging, append operations 195 GiB per blob

Page blob Azure virtual hard disks (VHD) 8 TiB per blob

100
 B.III.4.2. File Storage
• Azure Files offers fully managed file shares in the cloud, accessible
via SMB protocol.
• This storage is useful for lift-and-shift scenarios where existing on-
premises applications that rely on standard file system capabilities are
moved to Azure.
Feature Description

SMB and NFS Protocols Compatibility with Windows, Linux, and macOS

Mountable Shares Accessible from Azure VMs or on-premises

Snapshots and Backup Integration For data protection and recovery

101
 B.III.4.3. Disk Storage
• Azure Disk Storage provides block-level storage volumes for Azure
VMs.
• There are three performance tiers:

Disk Type Use Case Latency Throughput & IOPS

Up to 160,000 IOPS and

Ultra Disk IO-intensive workloads Sub-millisecond
2,000 MB/s
Up to 20,000 IOPS and
Premium SSD Production workloads Low
900 MB/s
Up to 6,000 IOPS and 750
Standard SSD Web servers, light apps Moderate
MB/s
Up to 500 IOPS and 60
Standard HDD Backup, non-critical High
MB/s

102
 B.III.4.4. Queue Storage
• Queue Storage facilitates communication between application
components, often between web front ends and worker processes,
through messaging queues.

• Common use cases for Azure Queue Storage :

1. Decoupling applications while accommodating asynchronous
communication.
2. Load balancing for sudden, high-volume fluctuations in demand.
3. Parallel processing of workloads.
4. Offloading asynchronous tasks that take a long time to complete.

103
 B.III.4.5. Table Storage
• Table Storage offers a NoSQL key-attribute data store, ideal for user
data, device information, or metadata.

• Common use cases for Azure Table Storage:

1. Centralized storage of logs, telemetry data and monitoring data
2. Storage of catalog and shopping cart data for e-commerce applications
3. Scalable task scheduling and metadata storage
4. Storage of sensory data and IoT telemetry data

104
 B.III.4.6. Data Lake Storage
• Azure Data Lake Storage (ADLS) is a highly scalable, central
repository where you can store and analyze large volumes of both
structured and unstructured data.
• It is designed to handle big data workloads that require high-
throughput and low-latency data access.
• Data scientists can store the datasets they need for building and
training machine learning models.
• Common use cases for Azure Data Lake Storage:
1. Data Warehousing.
2. Reporting
3. Data Analysis

105
B.III.4.7. Azure Storage services

Feature/Service Blob Storage File Storage Queue Storage Table Storage

Semi-structured
Data Structure Unstructured Files Messages
(NoSQL)

Access HTTP/HTTPS SMB, REST API REST API REST API

Scalability Extremely high Highly scalable High High

Shared file system,

Non-relational data
Use Cases Object storage lift-and-shift Messaging service
storage
scenarios

106
 B.III.5. Describe storage account options
Type of storage Supported storage
Redundancy options Usage
account services
Locally redundant storage (LRS) / geo-
redundant storage (GRS) / read-access Standard storage account type for blobs, file
Blob Storage (including Data
geo-redundant storage (RA-GRS) / shares, queues, and tables. Recommended for
Standard general- Lake Storage), Queue
Zone-redundant storage (ZRS) / geo- most scenarios using Azure Storage. If you want
purpose v2 Storage, Table Storage, and
zone-redundant storage (GZRS) / read- support for network file system (NFS) in Azure
Azure Files
access geo-zone-redundant storage Files, use the premium file shares account type.
(RA-GZRS)
Premium storage account type for block blobs
and append blobs. Recommended for scenarios
Blob Storage (including Data
Premium block blobs Lake Storage)
LRS / ZRS with high transaction rates or that use smaller
objects or require consistently low storage
latency.
Premium storage account type for file shares
only. Recommended for enterprise or high-
performance scale applications. Use this
Premium file shares Azure Files LRS / ZRS
account type if you want a storage account that
supports both Server Message Block (SMB) and
NFS file shares.
Premium storage account type for page blobs
Premium page blobs Page blobs only LRS / ZRS
only.
107
 B.III.6. Options for moving files
3 types exist :
1. AzCopy
2. Azure Storage Explorer
3. Azure File Sync

108
 B.III.6.1. AzCopy
• AzCopy is a CLI tool to copy data to and from Azure storage services such as Blob, File,
and Table storage. It is optimized for performance and can handle large volumes of data
and high throughput.
Use Cases:
• Migrating data to Azure from on-premises.
• Transferring files between Azure storage accounts.
• Backing up Azure storage data.
Features:
• Supports concurrent uploads and downloads.
• Can resume incompleted transfers.
• Provides options for syncing data.
• Allows access control with Azure Active Directory.
Example:
• To transfer files from an on-premises file system to an Azure Blob storage container, :
AzCopy cp "C:\local\path" "https://[destination_account].blob.core.windows.net/[container]/[path]/"
--recursive
109
 B.III.6.2. Azure Storage Explorer
• Azure Storage Explorer is a GUI tool that manages Azure storage data from
Windows, macOS, or Linux. We can easily upload, download, and manage
blobs, files, queues, tables, and Cosmos DB entities.
Use Cases:
• Exploring and managing data across different Azure subscriptions.
• Editing and debugging data for development and testing.
Features:
• Connect to and manage multiple accounts and subscriptions.
• View and edit Azure storage resources.
• Perform data management operations like create, delete, and configure
settings.
• Includes a built-in editor for updating Azure blobs and files.
110
 B.III.6.3. Azure File Sync (1)
• Azure File Sync is a service that allows syncing on-premises Windows Server files
with Azure Files.
• This enables centralizing file services in Azure while maintaining compatibility and
performance levels of on-premises file servers.
Use Cases:
• Centralized file sharing across global locations.
• Keeping a single source of truth in Azure while having local cache for performance.
• Integrating with Azure backup and Azure Site Recovery for disaster recovery
scenarios.
Features:
• Multi-site synchronization to keep data in sync across multiple servers.
• Cloud tiering to store only recently accessed files on local servers.
• Integrated backup and rapid disaster recovery capabilities.
• Seamless integration with existing Windows File Server and Azure Files.
111
 B.III.6.3. Azure File Sync (2)
How to use it ? (Mandatory Steps)
1. Deploy a Storage Sync Service.
2. Creating a sync group and Cloud endpoint on Azure.
3. Install Azure File Sync agent on Windows Server.
4. Start syncing the specified local directories to Azure Files.

112
B.III.6.2. Comparison between Options for
moving files
Feature/Capability AzCopy Azure Storage Explorer Azure File Sync

Interface Command-line GUI Windows Server Service

Use Cases Bulk data transfer Data management Data synchronization

Data Sources Storage Accounts Multiple Azure Services Windows Server

OS Support Windows, macOS, Linux Windows, macOS, Linux Windows Server

Data Transfer Optimized for speed Interactive operation Continuous sync

Offline Access Not applicable Not necessarily Yes (local cache)

Sync capabilities One-off/Repeated Sync Not by default Real-time sync

113
 B.III.8.1. Describe migration options
• Microsoft provides several migration tools, two are mostly used :
1. Azure Migrate.
2. Azure Data Box.

114
 B.III.8.1.1. Azure Migrate
• Azure Migrate is a service that is designed to simplify, guide, and
automate the migration process. Its primary features include:
• Assessment Tools: to evaluate your on-premises workloads for migration to
Azure. The service provides insights into readiness and offers guidance on how
to right-size resources and optimize costs.
• Migration Tools: Azure Migrate orchestrates and manages the actual migration
of workloads (servers, databases, web apps, and virtual desktops).
• Integration with other services: Azure Migrate works well with other Azure
services like Azure Site Recovery and Azure Database Migration Service,
providing a comprehensive migration solution.

115
 B.III.8.1.1. Azure Data Box
• Azure Data Box is a different type of migration service that is primarily
meant to transfer large amounts of data to Azure.
• This is an ideal solution for scenarios where network conditions
prevent efficient data transfer over the internet.
• Azure Data Box options include:
• Data Box Disk: A set of SSD disks with a total capacity of up to 35 TB that can
be easily handled and shipped.
• Data Box: A rugged device capable of storing up to 100 TB of data. It’s suitable
for transferring data from several servers or a data center.
• Data Box Heavy: The high-capacity version of Data Box, designed for very large
datacenter migrations, which can handle up to 1 PB of data.

116
 B.III.8.2. Comparison between migration options

Feature / Use Case Azure Migrate Azure Data Box

Assessing and migrating workloads to Physically transporting large datasets
Main Purpose
Azure to Azure
Migration Type Online migration via network Offline data transfer
Designed for large to very large datasets
Data Volume Suitable for smaller to large datasets
(TBs to PBs)
Limited to no internet connectivity
Connectedness Requires internet connectivity
needed

Virtual machines, databases, Data-intensive migrations like media

Recommended for
applications files, backups, archives

Azure Site Recovery, Azure Database Azure Import/Export service for smaller
Complementary Services
Migration Service data loads

Not network-restricted; depends on

Performance Depends on internet bandwidth
shipping 117
 Section B.IV : Describe Azure identity, access,
and security
• Describe directory services in Azure, including Microsoft Entra ID and
Microsoft Entra Domain Services
• Describe authentication methods in Azure, including single sign-on (SSO),
multi-factor authentication (MFA), and passwordless
• Describe external identities in Azure, including business-to-business (B2B)
and business-to-customer (B2C)
• Describe Microsoft Entra Conditional Access
• Describe Azure role-based access control (RBAC)
• Describe the concept of Zero Trust
• Describe the purpose of the defense-in-depth model
• Describe the purpose of Microsoft Defender for Cloud
118
 B.IV.1.1. Microsoft Entra ID
• Microsoft Entra ID, (formerly known as Azure Active Directory
(Azure AD)), is an identity and access management solution from
Microsoft that helps organizations secure and manage identities in
cloud and on-premises environments.

119
 B.IV.1.1. Microsoft Entra Domain Services
• Microsoft Entra Domain Services (formerly known as Azure Active
Directory Domain Services or AAD DS) is a cloud-based managed
domain service, provides traditional domain services like
domain join, Group Policy, LDAP, and Kerberos/NTLM
authentication.
• This allows you to use these domain services without having to
deploy, manage, and patch domain controllers.

120
 B.IV.1.2. Comparison between directory services
options in Azure
Feature Microsoft Entra ID Microsoft Entra Domain Services

Sign-on protocol support SAML, OAuth, OpenID Connect LDAP, Kerberos, NTLM

Integration with on-premises AD Azure AD Connect Direct synchronization with Azure AD

Management overhead Low (fully managed service) Low (fully managed domain services)

Suitable for SaaS applications Yes No (designed for legacy applications)

Group policy No Yes

Traditional domain join No Yes

Free tier available, pay-for-use premium
Cost Pay-for-use based on resource usage
tiers
Legacy applications requiring Windows
Use case Modern cloud applications, Office 365
AD features
121
 B.IV.2.1. Describe authentication methods in
Azure
• Single Sign-On (SSO) allows users to authenticate once and gain
access to multiple applications (Office365, Dynamics365, Entra ID,
etc..) without the need to log in to each one separately.
• Multifactor Authentication (MFA) adds an extra layer of security by
requiring two or more verification methods to authenticate a user, (i.e :
fingerprint, SMS, Authenticator app, etc..).
• Passwordless methods provide a way for users to authenticate
without using passwords. Azure supports various passwordless
methods : Windows Hello, Microsoft Authenticator app, FIDO2
security keys, and SMS or Email codes.

122
 B.IV.2.2. Comparison between authentication
methods in Azure
Multifactor Passwordless
Feature Single Sign-On (SSO)
Authentication (MFA) Authentication
Enhancing security with
Primary Goal Convenience and productivity Security and user experience
additional verification

Medium (extra step required High (no passwords to

Usability High (once authenticated)
for verification) remember)

Very High (reduces

Good (reduces password Very High (eliminates risk of
Security vulnerability to password
fatigue) stolen passwords)
threats)
Typical Authenticator apps, phone Windows Hello, security
Azure AD, federated services
Implementations calls, text messages keys, Authenticator app

Dependency on Uses passwords as one of the Eliminates the use of

Uses passwords initially
Passwords factors passwords

Organizations with multiple Organizations requiring high Organizations with advanced

Best for
cloud services security security needs 123
 B.IV.3. External identities in Azure
• External identities in Azure refer to individuals who are not directly part
of your organization’s Azure Active Directory (Azure AD) but need
access to your organization’s resources.
• These external users can include partners, suppliers, customers, or
consultants.
• 2 forms exist :
• B2B Collaboration.
• B2C Collaboration.

124
 B.IV.3.1. B2B Collaboration
• External users can access your corporate resources by either being directly invited or by
using their own credentials from another identity provider such as Google, Facebook, or
another Azure AD.
• This service allows guests to be authenticated without the need for a Microsoft Account or
other pre-existing credentials.
• When a guest is added to your Azure AD, a new guest user account is created. This
account provides access to resources in a similar manner to how internal users are
granted access, but with the ability to apply specific policies tailored for external users.
Here are some key features of Azure AD B2B Collaboration:
• Invitation Process: Internal users or administrators can invite guests through email.
• Authentication: External users authenticate using their own credentials, with optional
multi-factor authentication.
• Conditional Access Policies: Specify conditions for guest access, including locations,
device compliance, or risk-based conditions.
• Auditing and Reporting: Track guest user sign-ins and activities within the Azure AD
portal.

125
 B.IV.3.2. B2C Collaboration
• External Azure B2C is a comprehensive identity management service for consumer-facing applications.
• It is different from B2B because it’s focused on applications with external customers rather than collaboration
with external business users.
Azure B2C features include:
• Custom User Experience: Fully customizable user interfaces for sign-up, sign-in, and profile management.
• Identity Providers: Allow users to log in with their preferred social accounts or custom identity providers.
• Advanced Policies: Control how users interact with your applications, including password complexity, sign-in,
and sign-up flows.
Guest Access Examples:
• 1. Collaborating with a Supplier: You might need to collaborate with a supplier who requires access to a
portion of your Azure portal for uploading documentation or monitoring supply chain analytics. Using Azure AD
B2B, you can invite a user from the supplier to access the specific Azure resources.
• 2. Customer Access to a Web App: Using Azure AD B2C, you can allow customers to sign up for your web
application using their existing social accounts or personal emails. This provides a seamless experience for
them and leverages Azure’s secure authentication mechanisms for your app.

126
 B.IV.3.2. B2C vs B2B Collaboration
Feature/Aspect Azure B2B Collaboration Azure B2C
Consumers, end-users of
Primary Users Business partners, suppliers
applications
Corporate credentials, Google, Social accounts, custom identity
Identity Providers
Facebook providers
Extensive UI customization, user
Customization Limited
flows
User Sign-up By invitation only Open sign-up
User and admin-defined security
Security Conditional Access, MFA
policies
Use Case Secure collaboration Consumer apps with user accounts
Access to consumer-facing
Access to Resources Access to organizational resources
applications
127
 B.IV.4.1. Microsoft Conditional Access
• Microsoft Conditional Access enables organizations to enforce policies that can adapt to
the context of a user’s sign-in, and ensure that access is granted only under the
conditions that the organization specifies.
• Azure Conditional Access enforces decisions like allow/block or require additional
verification for users attempting to access resources.
• These decisions are based on specific conditions, such as user role, location, device
state, applications being accessed, and whether the user’s risk level is acceptable.

Key Components of Azure AD Conditional Access

• Users and Groups: The subjects of the policy, which can be individual users or groups.
• Conditions: The criteria that Azure AD evaluates during an access attempt. This includes
sign-in risk, device platform, location, client apps, and device state.
• Controls: The actions that will be taken if the conditions are met. This includes granting
access, requiring multi-factor authentication, requiring device compliance, and more.
• Decisions: The final outcome of the policy evaluation, which could be block access or
grant access with or without further conditions.
128
 B.IV.4.2. Microsoft Entra Conditional Access
• Azure Conditional Access takes signals from various sources into
account when making access decisions.

129
 B.IV.5.1. Describe Azure role-based access
control (RBAC)
• Azure Role-Based Access Control (RBAC) is an authorization system built on
Azure Resource Manager that provides fine-grained access management of
Azure resources.
Key Concepts and Definitions
• Role Definition: collection of permissions : read, write, delete, etc.
• Role Assignment: This is the process of binding a role to a user, group, service
principal, or managed identity at a specific scope for the purpose of granting
access.
• Scope: The set of resources that the access applies at the level of a management
group, subscription, resource group, or a single resource.

• RBAC works as follows :

• Associate roles with the permissions required to perform various actions on Azure resources.
• When a role is assigned to a user, a group, a service principal, or managed identity for Azure
resources,
• Entity receives those permissions.
130
 B.IV.5.2. RBAC Built-in Roles
• Owner: Has full access to all resources including the right to delegate
access to others.
• Contributor: Can create and manage all types of Azure resources but
can’t grant access to others.
• Reader: Can view existing Azure resources.
• User Access Administrator: Can manage user access to Azure
resources.

131
 B.IV.5.3. RBAC Examples of Use
Example 1.
• If a user needs to manage virtual machines in a subscription but
should not have access to manage the storage or network
components → the ‘Virtual Machine Contributor’ role could be
assigned to them.
Example 2.
• If a security engineer needs to view security policies and audit data but
should not have the ability to alter the security settings or deployments
→ the ‘Security Reader’ role can be assigned.

132
 B.IV.5.4. Tracking and Auditing RBAC
• Azure provides logs and reports that track role assignments and
changes to them.
• These logs are available through Azure Activity Log, and they are
crucial for maintaining the security and compliance of your Azure
environment.
• When a role assignment is added or removed, an entry is created in the
Activity Log. This entry contains information such as:
➢ What operation was performed ?
➢ Which resources were impacted ?
➢ Who performed the operation ?
➢ When the operation occurred ?

133
 B.IV.5.5. RBAC Best Practices
1. Adhere to the principle of least privilege by giving users the
minimum levels of access they need.
2. Use groups for easier management : assign roles to a group rather
than individual users where possible.
3. Regularly audit access and roles through the Azure Portal or Azure
PowerShell/CLI.

134
 B.IV.5.6. RBAC vs Other Technologies
• Azure RBAC should not be confused with Azure Active Directory (AD)
roles, which manage user roles at the directory level and not at the
subscription or resource levels. Also, Azure RBAC is different from
network-level controls, like Network Security Groups (NSGs) and
Application Security Groups (ASGs), which manage traffic flow to and
from Azure resources.

135
 B.IV.6.1. Concept of Zero Trust
• Zero Trust is an innovative security concept and framework that
emphasizes the belief that organizations should not automatically
trust anything inside or outside their perimeters.
• Instead, they must verify anything and everything trying to connect to
its systems before granting access.
• This approach is particularly relevant in a cloud computing
environment like Microsoft Azure, where resources are not constrained
to a single physical location or bounded by a traditional network
perimeter.

136
 B.IV.6.2. Principles of Zero Trust
• Verify Explicitly: Every access request should be thoroughly
inspected against an adaptive access policy that includes a variety of
user, device, location, and service data.
• Use Least Privilege Access: Users should be given the least amount
of access necessary to perform their tasks.
• Assume Breach: Organizations should operate under the assumption
that a breach has either already occurred or is inevitable, and thus
always be prepared to identify and thwart ongoing attacks.

137
 B.IV.6.3. How to Apply Zero Trust with Azure
• Entra ID : offers identity and access management services, enabling
administrators to set up multi-factor authentication, conditional
access policies, and identity protection mechanisms that support the
Zero Trust model.
• Azure Policy and Azure Blueprints help govern resources through
organizational standards and assess compliance against them, which
are critical for Zero Trust architectures.
• Azure Network Security Groups and Application Security Groups
enable fine-grained network access control, ensuring that only
approved traffic can access specific resources, following the principle
of least privilege.

138
 B.IV.6.4. Zero Trust vs Traditional Security
approch
Criteria Traditional Security Model Zero Trust Model

Trust Assumption Trusts insiders, distrusts outsiders Trusts no one, verifies everyone

Access Control Paradigm Broad, network-based Fine-grained, identity-based

Continuously, for every access

Verification Frequency At perimeter entry
request

Protect data and resources

Security Focus Defend the boundary
anywhere

Response to Compromise Detect and react Proactively reduce attack surface

139
 B.IV.7.1. Describe the purpose of the defense-in-
depth model
• Defense-in-depth model is an approach to cybersecurity in which a
series of defensive mechanisms are layered at various points
throughout an information technology (IT) system to protect valuable
data and information from unauthorized access or exploitation by
ensuring that should one mechanism fail, another will subsequently
prevent a breach.
• The defense in depth model is built upon the principle of creating
multiple layers of security controls and barriers throughout an IT
infrastructure.

140
 B.IV.7.2. Defense-in-depth model layers
1. Physical security : controls physical access to hardware and facilities.
2. Network security : Protecting the network with firewalls, network
segmentation, and secure communication protocols.
3. Endpoint security : Securing devices like workstations, servers, and mobile
devices.
4. Application security : Protecting applications with secure coding practices,
application firewalls, and patch management.
5. Data security : Encrypting data, both at rest and in transit, and
implementing access controls.
6. Identity and access management (IAM) : Ensuring only authorized users
have access to certain data or systems through proper authentication and
authorization.
7. Operational security : Implementing security policies, conducting security
training, and carrying out regular security audits.
141
B.IV.7.3. Defense-in-depth Architecture in Azure

142
B.IV.7.4. Defense-in-depth and Azure Services

Security Layer Azure Services

Physical security Azure Data Center operations

Network security Azure Firewall, Network Security Groups

Endpoint security Azure Security Center (ASC)

Application security Azure Application Gateway WAF

Data security Azure Key Vault, Azure Information Protection

Identity & access Azure Active Directory

Operational security Azure Policy, Azure Monitor

143
 B.IV.8.1. Microsoft Defender for Cloud
• Microsoft Defender for Cloud (formerly Azure Security Center) is a
cloud-native application protection platform (CNAPP) that is made
up of security measures and practices that are designed to protect
cloud-based applications from various cyber threats and
vulnerabilities.
• It offers many purposes :
a. Security Posture Management.
b. Advanced Threat Protection.
c. Cloud Workload Protection
d. Regulatory Compliance
e. Integrated Security Solutions

144
B.IV.8.2. Microsoft Defender for Cloud Capabilities
• Defender for Cloud combines the capabilities of:
• A development security operations (DevSecOps) solution that unifies
security management at the code level across multicloud and multiple-
pipeline environments.
• A cloud security posture management (CSPM) solution that surfaces actions
that you can take to prevent breaches
• A cloud workload protection platform (CWPP) with specific protections for
servers, containers, storage, databases, and other workloads.

145
B.IV.8.2. Microsoft Defender for Cloud vs
Traditional Security Management

Feature Traditional Security Management Microsoft Defender for Cloud

Continuous, automated
Security Posture Assessment Manual assessments
assessments
Proactive and adaptive threat
Threat Protection Reactive defenses
protection
Unified protection across multiple
Workload Protection Specific to each workload
workloads
Compliance management can be
Regulatory Compliance Streamlined insights and guidance
complex
Centralized, integrated security
Security Solution Integration Often siloed solutions
management

146
B.IV.8.2. Microsoft Sentinel
• Microsoft Sentinel is Microsoft’s cloud-based SIEM (Security information and event
management) and Security Orchestration, Automation, and Response (SOAR) tool.
• It provides security data aggregation, threat analysis, and response across public cloud and
on-premises environments.

147
END of Section B

148
 Section C : Describe Azure management and
governance
• Describe cost management in Azure
• Describe features and tools in Azure for governance and
compliance
• Describe features and tools for managing and deploying Azure
resources
• Describe monitoring tools in Azure

149
 Section C.I : Describe cost management in
Azure
• Describe factors that can affect costs in Azure
• Compare the pricing calculator and the Total Cost of Ownership (TCO)
Calculator
• Describe cost management capabilities in Azure
• Describe the purpose of tags

150
 C.I.1. Factors that can affect costs in Azure
1. Resource Types and Size
2. Region : services prices may vary based on chosen region.
3. Pricing Tiers : Basic tier has different performance and cost
characteristics compared to the Premium tier for an Azure SQL Database.
4. Reserved Instances : A 3-year reservation for a D2sv3 VM can be
significantly cheaper than the hourly rate over the same period.
5. Resource Utilization : Azure Function App is billed based on the
number of executions and the execution time.
6. Storage and Data Transfer.
7. Support Plans and SLAs.
8. Software Licensing.
9. Hybrid Benefits.
10. Add-ons and Extras : like additional IPs, monitoring tools, or network
appliances.
151
 C.I.2.1. TCO Calculator
• Total Cost of Ownership (TCO) Calculator is designed to provide a
holistic view of the financial impact of deploying services on Azure
compared to on-premises environments.
• It takes into account not only the direct costs of services but also
indirect costs such as maintenance, electricity, network
infrastructure, and the potential savings from operational efficiency.
• TCO = ∑ (direct + indirect) costs.

152
 C.I.2.2. Pricing Calculator
• Pricing Calculator is a tool to estimate the cost of Azure products and
services based on their specific requirements and usage predictions.
• With the Pricing Calculator, users can select different Azure
resources, configure options such as region, tier, and support plan,
and receive an immediate estimate of the monthly cost.

153
C.I.3. Cost management capabilities in Azure (1)
• Cost Analysis: is a tool for ad-hoc cost exploration. Get quick answers
with lightweight insights and analytics. It provides detailed daily and
monthly breakdowns of expenditures.
• Budgets: Azure Cost Management allows users to set up and manage
budgets to ensure they do not exceed their spending thresholds. You
can set budgets for different scopes—such as subscription, resource
group, or service—that trigger alerts when the spend approaches or
exceeds the specified amount.
• Recommendations: Azure Advisor integrates with Cost Management,
offering personalized recommendations for optimizing your Azure
resources. It provides suggestions like resizing or shutting down
underutilized virtual machines, which can help reduce costs.
154
C.I.3. Cost management capabilities in Azure (2)
• Cost Allocation: Tagging resources lets you allocate costs according
to teams, projects, or environments. By applying tags, you can
categorize and track spending more effectively, aiding in chargeback
and showback scenarios within organizations.
• Exports: Azure Cost Management allows for the exporting of cost data
for further analysis. You can export data to either Azure Storage for
archiving or to Azure Event Hubs for streaming to external systems,
enabling integration with third-party systems and deeper data analysis.
• Billing Account Management: With Azure Cost Management and
Billing, users can also manage billing accounts, billing profiles, and
invoices. Large organizations with multiple subscriptions can organize
and oversee all their billing data in one place.
155
 C.I.4. Purpose of Tags in Azure
• Tags in Azure are key-value pairs that can be attached to Azure
resources, example : “Compliance:GDPR”
• The purposes of Tags :
1. Resource Organization.
2. Cost Management and Reporting.
3. Automation.
4. Security and Compliance
• Tags have limitations in Azure:
a) Limited number of tags per resource or resource group.
b) Tag names are case-insensitive, but values are case-sensitive.
c) Not all resource types support tags.

156
 Section C.II : Describe features and tools in
Azure for governance and compliance
• Describe the purpose of Microsoft Purview in Azure
• Describe the purpose of Azure Policy
• Describe the purpose of resource locks

157
 C.II.1. Microsoft Purview in Azure
• Microsoft Purview is a comprehensive data governance and
information management solution that helps organizations gain
visibility, control, and insight into their data assets.
• It provides a unified platform for discovering, classifying,
protecting, and optimizing data across various sources, including on-
premises, cloud, and SaaS environments.

158
 C.II.2.1. Azure Blueprints
• Azure Blueprints is a service within Microsoft Azure that enables
customers to define a repeatable set of Azure resources that
implement and adhere to an organization’s standards, patterns, and
requirements.
• Azure Blueprints simplifies the process of setting up governed
environments across your Azure subscriptions.
• It helps with the setup of Azure services, security policies, and
regulatory compliance requirements, thereby ensuring that each
deployment remains consistent.

159
 C.II.2.2. Azure Blueprints Capabilities
• Consistency and Repeatability : creates templates for different Azure
deployments.
• Compliance and Standards : ensures that compliance and regulatory
requirements are met automatically during deployment through Azure
RBAC or Policy.
• Governance : Azure Blueprints integrates with Azure’s governance
capabilities to ensure controlled deployments.
• Automation : Azure Blueprints automates the process of provisioning
resources with the correct configuration and correct policy
assignments.

160
 C.II.2.3. Azure Blueprints Components
• Azure Blueprints consists of various artifacts that define what will be
included in the blueprint definition:
1. Resource Groups: Template for the resource group container that
will hold the deployed resources.
2. ARM Templates: Azure Resource Manager (ARM) templates for
deploying complex services such as a virtual network or an
application gateway.
3. Policy Assignments: Specific Azure Policy assignments that enforce
different rules on the resources.
4. Role Assignments: Definitions of role-based access controls that
control who can access the resources and services.
161
 C.II.2.4. Azure Blueprint vs Microsoft Purview

Feature Microsoft Purview Azure Blueprints

Primary Focus Data Governance and Management Infrastructure as Code and Policy Enforcement

Scope Data Assets Azure Resources

Discover, classify, protect, and Define and enforce standards for Azure
Actions optimize data deployments

Data Engineers, Data Scientists, Data Cloud Architects, DevOps Engineers, Security
Target Audience Analysts Administrators

162
 C.II.3. Azure Blueprint vs Other Azure Services

Feature Azure Blueprints ARM Templates Azure Resource Manager

Repeatable deployments Yes Yes Yes

Governance integration Yes No Yes

Compliance
Yes No No
management

Resource provisioning Yes Yes Yes

Built-in Policy Yes No Yes (must be assigned)

Management at scale Yes No Yes

163
 C.II.4.1. Azure Policy
• Azure Policy is a service to enforce and validate organizational
standards and to assess compliance at scale.
• With Azure Policy, you can create, assign and, manage policy
definitions to enforce rules for your resources, so those resources
remain compliant with your corporate standards and service level
agreements.
• Azure Policy does this by evaluating your resources for non-
compliance with assigned policy definitions.
• One of the primary purposes of Azure Policy is to ensure that
resources within your Azure environment align with your
organization’s compliance requirements and security best
practices.
164
 C.II.4.2. Azure Policy Features
• Compliance Assessment: Continuously keeps track of your
compliance status and reports any existing non-compliance issues.
• Remediation: In the case of non-compliant resources, you can
perform remediation tasks.
• Resource Optimization: Prevents resources from being deployed that
do not adhere to your organization’s cost or size requirements.
• Security Enhancement: Enforces security best practices by
restricting how resources can be configured.
• Audit: Tracks and captures the state of your resources to aid in
auditing and regulatory compliance.

165
 C.II.4.2. Azure Policy Benefits
Benefits Description

Automatically apply and enforce rules for your Azure environments

Automated Governance
without manual intervention.

Avoid unnecessary costs by preventing non-compliant resource

Cost Management
deployments that may be larger or more expensive than needed.

Improve security posture by ensuring only compliant resources are

Security Assurance
running and reducing the potential for misconfiguration or breach.

Simplify and standardize the setup and deployment of resources,

Operational Efficiency
making management and monitoring more straightforward.

166
 C.II.5.1. Resource Locks
• Resource locks are a mechanism to provide an additional layer of
protection to Azure resources to prevent accidental modification or
deletion.
• The primary purpose of resource locks is to ensure that critical
components remain unchanged and that their lifecycle is managed
in a controlled way.

167
 C.II.5.2. Resource Locks Types
There are two types of resource locks in Azure:
• Read-Only: The Read-Only lock allows users to read a resource but
not modify or delete it.
• Delete: The Delete lock allows all operations except delete. Users can
still read and modify a resource, but they cannot delete it. This type of
lock is useful for ensuring that key resources are not accidentally
removed.

168
 C.II.5.3. Resource Locks Benefits Levels
• Subscription Level: Applying a Delete lock at the subscription level
could be a safeguard against the potential deletion of any resource
within that subscription. This might be suitable for an enterprise-level
subscription with numerous critical services.
• Resource Group Level: If you have a resource group that contains all
the resources for a specific application, you might apply a Read-Only
lock during a critical operation to prevent any modifications that could
affect the operation.
• Resource Level: On an individual resource such as a VM, you could
apply a Delete lock, ensuring that the VM cannot be deleted during an
automated cleanup process that mistakenly targets vital infrastructure.

169
 Section C.III : Describe features and tools for
managing and deploying Azure resources
• Describe the Azure portal
• Describe Azure Cloud Shell, including Azure Command-Line Interface
(CLI) and Azure PowerShell
• Describe the purpose of Azure Arc
• Describe infrastructure as code (IaC)
• Describe Azure Resource Manager (ARM) and ARM templates

170
 C.III.1. Describe the Azure portal
• Azure Portal is a web-based, unified console that provides a rich
graphical user interface (GUI) for managing Azure resources.

• Features of the Azure Portal :

• Centralized Management.
• Dashboard Customization.
• Integrated Tools : PowerShell, CLI, CloudShell, ..
• Access Control and Security.
• Monitoring and Diagnostics.
• Marketplace.

171
C.III.2.1. Azure Cloud Shell, Azure CLI , Azure
PowerShell, Azure Portal
Feature Azure Portal Azure CLI Azure PowerShell Azure CloudShell
Graphical user Command-line
Interface Command-line interface (CLI) Command-line interface (CLI)
interface (GUI) interface (CLI)

Limited, mainly
Scripting Support Full scripting capabilities Full scripting capabilities Quick tasks
through Cloud Shell

Resource Through menus and Through Azure resource Through Powershell resource Through CloudShell
Navigation search bar commands commands scripts

Supports Azure
Well-suited for automation Well-suited for automation Well-suited for non-
Automation Resource Manager
scripts scripts repetitive tasks
templates

Requires installation or Cloud Prebuilt with Azure

Accessible from any Requires installation or Cloud
Accessibility Shell usage, Used from MACos, Portal (OR should be
web browser Shell usage
Linux, Windows installed)
172
C.III.2.2. Azure CLI vs Azure PowerShell

Feature Azure CLI Azure PowerShell

Platform Cross-platform Primarily Windows

Syntax Concise, command-line based Verbose, object-oriented

Powerful for complex

Scripting and Automation Strong support for scripting languages automation

Target User Developers, DevOps engineers Windows administrators

173
 C.III.3. Describe the purpose of Azure Arc
• Azure Arc is a hybrid and multi-cloud management solution that
extends Azure's capabilities to manage resources across various
environments : on-premises, edge, and other cloud providers.
• Key Features of Azure Arc:
• Server Management: Manage physical and virtual servers, regardless of their
location.
• Kubernetes Management: Deploy and manage Kubernetes clusters on any
infrastructure.
• Data Services: Deploy and manage Azure data services, such as SQL Server
and PostgreSQL, on any infrastructure.
• Policy and Compliance: Enforce consistent policies and compliance
standards across your hybrid environment.
• Security: Protect your resources with Azure security features, such as
vulnerability assessments and threat protection.
174
 C.III.3.1. Azure Arc
• Azure Arc is a hybrid and multi-cloud management solution that
extends Azure's capabilities to manage resources across various
environments : on-premises, edge, and other cloud providers.
• Key Features of Azure Arc:
• Server Management: Manage physical and virtual servers, regardless of their
location.
• Kubernetes Management: Deploy and manage Kubernetes clusters on any
infrastructure.
• Data Services: Deploy and manage Azure data services, such as SQL Server
and PostgreSQL, on any infrastructure.
• Policy and Compliance: Enforce consistent policies and compliance
standards across your hybrid environment.
• Security: Protect your resources with Azure security features, such as
vulnerability assessments and threat protection.
175
C.III.3.2. Azure Arc Architecture

176
 C.III.4. Infrastructure as code (IaC)
• Infrastructure as Code (IaC) is a practice of managing and provisioning
infrastructure through Code rather than manual processes.
• This approach treats infrastructure as software, allowing you to define,
deploy, and manage infrastructure components using code and version
control.
• Key Benefits of IaC:
• Consistency: Ensures consistent infrastructure configurations across different
environments.
• Efficiency: Automates infrastructure provisioning and management, reducing manual
effort and errors.
• Speed: Accelerates deployment and configuration processes.
• Scalability: Easily scales infrastructure up or down to meet changing demands.
• Reproducibility: Enables easy replication of infrastructure environments.
• Collaboration: Facilitates collaboration among teams by using version control
systems.
• Reduced Risk: Minimizes human error and configuration drift.

177
 C.III.4. IaC Tools
Azure Resource
Feature Terraform Ansible Puppet Chef Pulumi CloudFormation Manager
Type Declarative Imperative Declarative Declarative Declarative Declarative Declarative
HashiCorp Python,
Configuration JavaScript,
Language TypeScript, Go,
Language (HCL) YAML, Jinja2 Puppet DSL Ruby and C# YAML JSON
Multi-Cloud
Support Yes Yes Yes Yes Yes No (AWS only) No (Azure only)
State
Management Yes No Yes Yes Yes Yes Yes
Agentless Yes No No No No No No
Complexity Moderate High High High Moderate Moderate Moderate
Learning
Curve Moderate High High High Moderate Moderate Moderate
Multi-cloud Configuration Large-scale Large-scale Multi-cloud
deployments, management, infrastructure, infrastructure, deployments,
complex server centralized centralized complex AWS Azure
Best For infrastructure provisioning configuration configuration infrastructure infrastructure infrastructure
178
 C.III.5.1. Azure Resource Manager (ARM)
• Azure Resource Manager (ARM) is a service provided by Microsoft
Azure for the deployment, management, and monitoring of resources
in the cloud.
• It acts as a layer that allows users to create, update, and delete
resources within their Azure subscription.
• Azure Resource Manager is an IaC for only Azure environment.

179
 C.III.5.2. ARM templates
• ARM templates, are JSON files that define the resources you need to
deploy for your solution.
• ARM template can perform as a blueprint for your Azure applications
or solutions.
• The template has the following sections:
• Parameters : Provide values during deployment that allow the same template
to be used with different environments.
• Variables : Define values that are reused in your templates. They can be
constructed from parameter values.
• User-defined functions : Create customized functions that simplify your
template.
• Resources : Specify the resources to deploy.
• Outputs : Return values from the deployed resources.

180
 C.III.5.3. ARM template Example
• A Script can be written with VsCode (ARM tools extension).
• Link of ARM Templates.
• ARM templates can be executed with Azure CLI ou PowerShell.

181
 C.III.6. Azure Bicep
• Bicep is a domain-specific language that uses declarative syntax to
deploy Azure resources.
• In a Bicep file, you define the infrastructure you want to deploy to
Azure and then use that file throughout the development lifecycle to
repeatedly deploy that infrastructure.

182
 C.III.6. Azure Bicep vs ARM Templates

Feature ARM Templates Bicep

Syntax JSON Domain-specific language

Readability Less readable More readable

Modularity Less modular More modular

Tooling Less advanced tooling More advanced tooling

Learning Curve Steeper Gentler

• Comparison : Bicep vs JSON (Link)

183
 Section C.IV : Describe monitoring tools in
Azure
• Describe the purpose of Azure Advisor
• Describe Azure Service Health
• Describe Azure Monitor, including Log Analytics, Azure Monitor alerts,
and Application Insights

184
 C.IV.1. Azure Advisor
• Azure Advisor is a powerful tool provided by Microsoft Azure to help
you optimize your cloud deployments.
• It analyzes resource configuration and usage telemetry to provide
personalized recommendations on how to improve Azure
environment.

185
C.IV.1.1. Azure Advisor Recommendation
Categories
• High Availability: Advice on how to ensure that your applications and data
are always available and durable. It can suggest actions like enabling zone
or geo-redundancy.
• Security: Recommendations related to enhancing the security of your Azure
resources, based on Defender Cloud’s detection capabilities.
• Performance: Tips for improving and optimizing the efficiency of your
applications and services.
• Cost: Counsel on reducing or optimizing Azure spending by eliminating
waste, such as identifying idle resources or suggesting reserved instance
purchases.
• Operational Excellence: Recommendations center around best
management practices, resource health, and configuration for streamlined
operations.
186
 C.IV.2. Azure Service Health
• Azure Service Health is a valuable tool that provides real-time information
about the health of your Azure services and resources.
• It helps you proactively monitor and respond to potential issues that may
impact your applications and services.

• Key Features of Azure Service Health:

• Incident Notifications: Receive timely notifications about ongoing incidents that may
affect your Azure resources.
• Health Advisories: Get proactive advice on potential issues, such as upcoming
maintenance or known service limitations.
• Resource Health: Monitor the health of individual resources, such as virtual
machines and storage accounts.
• Service Health History: Review past incidents and health advisories to identify
trends and improve future planning.

187
 C.IV.3. Azure Monitor

• Azure Monitor provides actionable insights into the health, availability,

and performance of Azure and on-premises environments by
collecting and analyzing logs and metrics (“telemetry”).
• Uses metrics (ex: VM CPU above 80%) to perform autoscaling (scale
up/down).

188
 C.IV.4. Azure Log Analytics

• Azure Log Analytics is a powerful cloud-based log management and

analytics service that helps you collect, search, and analyze large
volumes of log data from various sources, including Azure
resources, on-premises servers, and other cloud providers.
• It provides a unified platform for monitoring, troubleshooting, and
security analysis.

189
C.IV.5. Azure Monitor Alerts

• Azure Monitor Alerts is a powerful feature within the Azure Monitor

suite that enables you to proactively monitor your Azure resources
and receive notifications when specific conditions are met.
• This allows you to promptly identify and address potential issues,
ensuring the health and performance of your applications and
infrastructure.

190
C.IV.3. Application Insights
• Azure Application Insights is a powerful application performance
monitoring (APM) tool.
• It helps you monitor the performance, usability, and reliability of
your live web applications.
• By collecting telemetry data from your application, Application
Insights provides valuable insights into its behavior, enabling you to
identify and address performance issues, pinpoint errors, and track
user interactions.

191
END of Section C

192
 References (1)
• https://learn.microsoft.com/en-us/credentials/certifications/resources/study-guides/az-900#skills-measured-as-of-
january-23-2024

• https://www.learnthecontent.com/exam/azure/az-900-microsoft-azure-fundamentals/s/compare-cloud-pricing-
models

• https://www.learnthecontent.com/exam/azure/az-900-microsoft-azure-fundamentals/s/describe-the-consumption-
based-model

• Demystifying the Cloud Consumption Model | Deloitte US

• https://www.stormit.cloud/blog/scalability-in-cloud-computing-horizontal-vs-vertical-scaling/

• https://learn.microsoft.com/en-us/training/courses/az-900t00
• https://cswsolutions.com/blog/posts/2021/september/azure-regions-what-they-are-why-they-matter/
• https://www.pragimtech.com/blog/azure/what-are-azure-data-centers/
• https://news.microsoft.com/source/features/sustainability/project-natick-underwater-datacenter/
• https://learn.microsoft.com/en-us/answers/questions/122986/composite-slas
193
 References (2)
• https://stackoverflow.com/questions/69591165/do-you-know-of-a-good-explanation-for-fault-domains-and-
update-domains
• https://medium.com/version-1/comparing-deployments-option-in-azure-for-web-application-6bc05aafbfdd
• https://appmigration.microsoft.com/assessment
• https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-cloud-introduction
• https://learn.microsoft.com/fr-fr/azure/azure-arc/overview
• https://learn.microsoft.com/en-us/azure/advisor/advisor-alerts-arm?toc=%2Fazure%2Fazure-resource-
manager%2Ftemplates%2Ftoc.json&tabs=CLI
• App Service Pricing | Microsoft Azure (VMs Prices)
• https://learn.microsoft.com/en-us/azure/storage/common/storage-redundancy
• https://learn.microsoft.com/en-us/azure/vpn-gateway/design#s2smulti
• https://blog.netwrix.com/2024/01/09/azure-storage/#_Azure_Tables
• https://learn.microsoft.com/en-us/azure/frontdoor/edge-locations-by-abbreviation
• https://learn.microsoft.com/en-us/azure/virtual-machines/vm-naming-conventions
194
THE END

Thanks for your attention

QUESTIONS ?
195