Important Notes for Microsoft Azure Fundamentals (AZ-900) exam

Surya Prakash Garg
14 min readAug 6, 2020

Recently I passed the AZ-900 exam with 980 marks out of 1000, so I decided to help others by producing this article, where I list the key notes that could be important from the exam point of view. This will be a long article, but it could be used as a cheat sheet for revision.

In no way does this replace Microsoft’s learning path or other learning platforms, which are key to passing the exam.

Virtual Machines

Virtual machines are really important from the exam point of view; most of the questions revolve around them.

  • Virtual machines are an Infrastructure as a Service (IaaS) offering, where the computing power is provided by Azure (including vCPU, RAM, IOPS, operating system and environment).
  • The cost of a virtual machine depends on factors like the region used for hosting, the operating system (because of license cost) and the duration of operation.
  • While creating a virtual machine you need to add a disk to store the non-OS data, files etc. This means that even if you stop the virtual machine, you still pay for the associated storage.

SLA w.r.t Virtual Machines

  • Two or more VM instances deployed across two or more availability zones in the same region: SLA of at least one instance being reachable is 99.99%.
  • Two or more VM instances deployed in the same availability set: SLA is 99.95%.
  • A single VM instance using premium storage for all OS disks and data disks: VM connectivity SLA is 99.9%.

Availability Set vs Availability Zones

An availability set is a logical grouping of a set of virtual machines that isolates their resources from each other when they are deployed. Azure makes sure that the VMs you place within an availability set run across multiple physical servers, compute racks, storage units and network switches. So if a hardware or software failure happens, only a subset of the VMs is impacted, allowing your overall operation to continue.

An availability set does not protect you from datacenter failures. Each VM within the same availability set is placed in a different fault domain (up to 3) and a different update domain (up to 20).

An availability zone protects you from datacenter failures, because here the logical group is separated by the physical location of the datacenter, while still being within the same region.

Availability zones do not protect you from a regional failure; that requires disaster recovery to another region. Availability zones provide better availability than availability sets. There is no additional cost for using more than one availability zone; however, you still pay for the number of VMs you create.

Availability zone vs zone

A Zone is a geographical grouping of Azure regions for billing purposes. Data transfer pricing is based on Zones. For Zone details, please refer to the FAQ link under Important Links below.

An Availability Zone is an isolated location inside an Azure region, with its own independent power source, network and cooling. The physical and logical separation of Availability Zones within an Azure region protects applications and data from zone-level failures. Availability Zone data transfer pricing is based on Availability Zones.

Subscription, Resource Groups, resources and tags

  • Permissions applied to a subscription are inherited by its resource groups, and permissions applied to a resource group are inherited by the resources in it.
  • If you delete a resource group, all the resources within that resource group are deleted.
  • Resources in the same resource group can be in different locations, irrespective of the location of the resource group itself.
  • An Azure subscription is a logical container used to provision resources in Azure. It holds the details of all your resources like virtual machines (VMs), databases and more. When you create an Azure resource like a VM, you identify the subscription it belongs to. As you use the VM, its usage is aggregated and billed monthly.
  • You can have many subscriptions within the same Azure account, and you can set up multiple invoices within the same billing account. To do this, create additional billing profiles. Each billing profile has its own monthly invoice and payment method.
  • If you want to increase the spending limit of a subscription, you need to contact Azure support.
  • Another important aspect is tags. Tags can be used to logically organize resources. Once you apply tags, you can retrieve resources based on them, and you can also create billing reports based on tags.
  • Example: Tag name -> Department
    Tag value -> HR

Managing your Azure Resources

Azure resources can be managed from the Azure Portal, the Azure Command Line Interface (CLI), PowerShell and Cloud Shell.

Azure CLI, PowerShell and Cloud Shell are supported on Linux, macOS and Windows, not on other operating systems.

The Azure Portal and Azure Cloud Shell are browser-based, hence it doesn’t matter which operating system you are using.

In order to use Azure Cloud Shell, you need a storage account.

Azure Lock — Locking Resources

Locking resources helps ensure that users (even admins) don’t accidentally delete or modify resources.
There are 2 types of locks:
- Cannot delete — users can read and modify the resource, but can’t delete it.
- Read only — users can read the resource, but can’t delete or update it.

If an admin wants to delete a locked resource, they must first remove the lock and then delete the resource.
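The two rules above (permissions inherited down the subscription → resource group → resource hierarchy, and locks that block even an Owner until removed) can be modelled in a few lines. The following is an added illustration, not Azure’s own authorization code; the scope paths, principals, role-to-action mapping and lock names are constructed for the example.

```python
"""Model of how Azure RBAC scope inheritance and resource locks combine.

Added illustration, not Azure's own authorization engine. Scopes, principals
and the role -> action table below are constructed for the example.
"""
from dataclasses import dataclass

# Constructed subset of built-in roles (the real definitions are far larger).
ROLE_ACTIONS = {
    "Reader": {"read"},
    "Contributor": {"read", "write", "delete"},
    "Owner": {"read", "write", "delete", "manage_locks"},
}


@dataclass(frozen=True)
class RoleAssignment:
    principal: str
    role: str
    scope: str  # subscription, resource group or resource path


@dataclass(frozen=True)
class Lock:
    scope: str
    level: str  # "CanNotDelete" or "ReadOnly"


def scope_covers(parent_scope: str, resource_scope: str) -> bool:
    """Permissions and locks flow downward: a parent scope covers every child scope."""
    p = parent_scope.lower().rstrip("/")
    r = resource_scope.lower().rstrip("/")
    return r == p or r.startswith(p + "/")


def allowed_actions(principal: str, resource_scope: str, assignments) -> set:
    """Union of the actions granted by every assignment whose scope covers the resource."""
    actions = set()
    for asg in assignments:
        if asg.principal == principal and scope_covers(asg.scope, resource_scope):
            actions |= ROLE_ACTIONS[asg.role]
    return actions


def is_locked(action: str, resource_scope: str, locks) -> bool:
    """A lock on a parent scope applies to the resource, regardless of the caller's role."""
    for lock in locks:
        if not scope_covers(lock.scope, resource_scope):
            continue
        if lock.level == "CanNotDelete" and action == "delete":
            return True
        if lock.level == "ReadOnly" and action in {"write", "delete"}:
            return True
    return False


def authorize(principal: str, action: str, resource_scope: str, assignments, locks):
    """Return (decision, reason): RBAC is checked first, then locks."""
    if action not in allowed_actions(principal, resource_scope, assignments):
        return False, "denied by RBAC"
    if is_locked(action, resource_scope, locks):
        return False, "blocked by lock (remove the lock first)"
    return True, "allowed"


# Constructed sample hierarchy: subscription -> resource group -> VM.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-app"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/vm-web"

ASSIGNMENTS = [
    RoleAssignment("alice", "Owner", SUB),  # inherited by rg-app and vm-web
    RoleAssignment("bob", "Reader", RG),    # inherited by vm-web only
]
LOCKS = [Lock(RG, "CanNotDelete")]          # inherited by vm-web

if __name__ == "__main__":
    for who, act in [("alice", "write"), ("alice", "delete"), ("bob", "read"), ("bob", "write")]:
        print(who, act, "->", authorize(who, act, VM, ASSIGNMENTS, LOCKS))
    # Once the lock is removed, the Owner's delete goes through.
    print("alice delete (no lock) ->", authorize("alice", "delete", VM, ASSIGNMENTS, []))
```

The ordering matters: RBAC decides whether the caller may attempt the action at all, and the lock is an additional guard that an Owner must explicitly remove, which is exactly why locks protect against accidental deletion by admins.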

Azure Firewall

This is a managed, cloud-based network security service that protects your virtual network resources.

It features Threat Intelligence-based filtering, which can alert on or deny traffic to and from known malicious IP addresses and domains.

The firewall has built-in high availability and can scale automatically based on network traffic flows.

Azure Virtual Network

  • An isolated network in Azure used to host Azure resources like virtual machines.
  • A virtual network is assigned a user-defined address space; you can then add subnets (logical network segments) within it.
  • If you want to keep a VM separate from all other resources in Azure, you must create it in a separate virtual network.

Network Security Groups

A network security group (NSG) is attached to the network interface of a virtual machine (or to a subnet).

It consists of inbound rules to control incoming traffic. By default all incoming traffic from the internet is denied, so you need to add inbound rules to allow the traffic you want.

It also consists of outbound rules. By default all outgoing traffic is allowed, so you need to add NSG outbound rules to disallow outgoing traffic, e.g. if you want to restrict internet access from a virtual machine.
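The way an NSG decides is easy to get wrong in the exam: rules are evaluated in ascending priority number, the first match wins, and the built-in default rules (priorities 65000 and above) only apply when no custom rule matched. The following evaluator is an added illustration, not Azure’s packet-filtering engine; the default rule names and priorities are the real ones, while the VNet address space, the custom rules and the sample flows are constructed, and the "Internet" tag is approximated as "anything outside the VNet".

```python
"""Simulates Azure NSG rule evaluation: lowest priority number first, first match wins.

Added illustration, not Azure's engine. Default rule names/priorities are the
real ones; the VNet range, custom rules and sample flows are constructed.
"""
import ipaddress
from dataclasses import dataclass

VNET = ipaddress.ip_network("10.0.0.0/16")  # constructed VNet address space


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int
    direction: str  # "Inbound" | "Outbound"
    access: str     # "Allow" | "Deny"
    protocol: str   # "Tcp" | "Udp" | "*"
    source: str     # CIDR, service tag or "*"
    dest: str
    dest_port: str  # "22", "80-443" or "*"


# The default rules every NSG carries; they cannot be deleted, only overridden
# by custom rules with a lower priority number.
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "Internet", "*"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*"),
]


def addr_matches(spec: str, ip: str) -> bool:
    """Match an address against a CIDR, a service tag, or the wildcard."""
    addr = ipaddress.ip_address(ip)
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return addr in VNET
    if spec == "Internet":          # approximation: everything outside the VNet
        return addr not in VNET
    if spec == "AzureLoadBalancer":  # the platform's health-probe source address
        return ip == "168.63.129.16"
    return addr in ipaddress.ip_network(spec, strict=False)


def port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(p) for p in spec.split("-"))
        return lo <= port <= hi
    return int(spec) == port


def evaluate(custom_rules, direction, protocol, src_ip, dst_ip, dst_port):
    """Return (access, rule name) of the first matching rule by ascending priority."""
    for rule in sorted(list(custom_rules) + DEFAULT_RULES, key=lambda r: r.priority):
        if rule.direction != direction or rule.protocol not in ("*", protocol):
            continue
        if (addr_matches(rule.source, src_ip) and addr_matches(rule.dest, dst_ip)
                and port_matches(rule.dest_port, dst_port)):
            return rule.access, rule.name
    return "Deny", "implicit"  # unreachable: the DenyAll defaults always match


# Constructed custom rules: allow SSH only from a corporate range, and block
# internet egress from the VM (the "restrict internet access" case above).
CUSTOM_RULES = [
    Rule("AllowSshFromCorp", 100, "Inbound", "Allow", "Tcp", "203.0.113.0/24", "*", "22"),
    Rule("DenyInternetOutBound", 4000, "Outbound", "Deny", "*", "*", "Internet", "*"),
]

if __name__ == "__main__":
    print(evaluate(CUSTOM_RULES, "Inbound", "Tcp", "203.0.113.5", "10.0.1.4", 22))
    print(evaluate(CUSTOM_RULES, "Inbound", "Tcp", "198.51.100.7", "10.0.1.4", 22))
    print(evaluate(CUSTOM_RULES, "Outbound", "Tcp", "10.0.1.4", "93.184.216.34", 443))
```

Note that without any custom outbound rule the same flow to 93.184.216.34 is allowed by `AllowInternetOutBound`, and that traffic between two addresses inside the VNet is allowed inbound by `AllowVnetInBound` even though "all incoming traffic is denied" is the usual shorthand; the `DenyAllInBound` default only catches what the earlier rules did not.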

Traffic Manager vs Load Balancer

  • Traffic Manager does DNS-based routing.
  • Because it is DNS-based, Traffic Manager can route traffic to endpoints in different regions.
  • Traffic Manager works at a global level.
  • Traffic Manager routes traffic based on one of these methods:
    - Priority — route traffic based on the configured priority of the endpoints.
    - Weighted — percentage of load defined per endpoint, i.e. 50–50 or 80–20.
    - Performance — end users are sent to the “closest” endpoint to avoid network latency.
    - Multivalue — several endpoints are returned and the client decides where to send the traffic.
    - Geographic — based on the geographic location of the user.
    - Subnet — routes a defined set of source IP addresses to a specific endpoint.
  • Load Balancer does network-based routing, i.e. IP-based.
  • Load Balancer can distribute load only within the same region.
  • Load Balancer works at a region level.

Other Important network topics

Azure Storage Accounts

General-purpose v2 accounts — The recommended type for most scenarios. Provides the Blob, File, Queue and Table services.

General-purpose v1 accounts — Also provides the Blob, File, Queue and Table services, but is the older version; use v2 wherever possible.

BlockBlobStorage accounts — Provides premium performance for storing block or append blobs.

FileStorage accounts — Provides premium performance for file-only storage.

Blob service

This is object storage for the cloud. Recommended for storing unstructured data such as images, documents, video and audio files.

A container is required within the Blob service to hold blob objects. There are three types of blob:

Block blobs — used for storing text and binary data.

Append blobs — ideal for logging data.

Page blobs — used to store virtual hard disk files for Azure virtual machines.

Each blob gets a unique URL, which can be accessed with the right permissions.

File service

  • Used to store files that need to be accessed by machines using the SMB (Server Message Block) protocol. In the File service, you first create a file share.
  • You can then mount this file share from different machines. You can’t mount drives with the Blob service.

Table service

  • Used to store NoSQL data or table-like data.

Queue service

  • Use this if you want to exchange messages between components of your application

Storage Account Replication

Data in an Azure Storage account is always replicated three times in the primary region.

The available replication options are:

Locally-redundant storage (LRS) — Synchronous replication three times within a single physical location in the primary region.

Zone-redundant storage (ZRS) — Synchronous replication across three Azure availability zones in the primary region. Protects data in case of a datacenter failure.

Geo-redundant storage (GRS) — Synchronous replication three times in the primary region, then asynchronous replication to the secondary region. Protects data in case of a disaster in the primary region.

Read-access geo-redundant storage (RA-GRS) — Synchronous replication three times in the primary region, then asynchronous replication to the secondary region. Data in the secondary region is also available for read-only access.

https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy

Azure Storage Accounts — Access tiers

Access tiers help optimize the cost of data storage.

  1. Hot — Optimized for frequently accessed data.

Advantage — Low access cost, faster access

Disadvantage — High storage cost

  2. Cool — Optimized for infrequently accessed data that is stored for at least 30 days. Can be set at the account level.

Advantage — Lower storage cost than Hot

Disadvantage — Higher access cost than Hot

  3. Archive — Optimized for rarely accessed data that is stored for at least 180 days. Can be set at the blob level (and at the account level as the default).

A blob in the archive tier can only be accessed after rehydration.

Advantage — Lowest storage cost

Disadvantage — Highest access cost

Azure SQL Database

  • Relational, cloud-based database built on SQL Server
  • Platform as a Service (PaaS)
  • Provides automated backups, which reduces the burden of managing backups.
  • Service level agreement of 99.99%

Azure Synapse Analytics (formerly known as Azure SQL Data Warehouse)

  • Enterprise data warehousing and big data analytics
  • Data is usually loaded into it after performing ETL operations

Azure Data lake

  • A highly scalable public cloud service that allows developers, scientists, business professionals and other Microsoft customers to gain insight from large, complex data sets. As with most data lake offerings, the service is composed of two parts: data storage and data analytics.
  • Customers can provision Azure Data Lake to store an unlimited amount of structured, semi-structured or unstructured data from a variety of sources.

Azure Cosmos DB

- Multi-model, supports multiple APIs
- Provides the highest availability, five nines or 99.999%
- Guarantees < 10 ms latencies for both indexed reads and writes at the 99th percentile, anywhere in the world
- Every partition of data is protected by a replica set
- All writes are committed to all the replicas
- The replicas are distributed across 10–20 fault domains

Charge

- Charged based on the number of Request Units and the storage consumed
- Request Unit (RU) → a blend of % memory, % CPU and % IOPS
- You consume RUs when you add, delete, insert or drop data
- Azure Cosmos DB is the most expensive of the database options

Azure Logic Apps

Cloud service to schedule, automate and orchestrate tasks.
- Used to build workflows that react to events
- A logic app is designed as a workflow in Azure Logic Apps
- Has a visual Logic App Designer
- Needs a trigger to start the logic app
- The Logic Apps engine creates a logic app instance each time it is triggered

Azure Functions

  • Functions as a Service (FaaS)
  • Lets you run small pieces of code as functions
  • The underlying infrastructure is managed by Azure
  • You are billed only for the time the function runs
  • A function needs to be invoked by an app, a web app or a trigger
  • You can use a variety of languages like C#, Java, JavaScript, PowerShell and Python
  • You can use package libraries like NuGet and npm

Azure Functions can be invoked by
- Another service
- Timers (scheduled functions)
- Events

Azure Functions plans
- Consumption plan — pay for the time the code runs
- App Service plan — if you are already using an App Service plan that runs a web application, you can reuse the same plan to run Azure Functions
- Premium plan — you get a number of pre-warmed instances that are always online and ready to run your functions.

Azure AD

In Azure AD you can create
— Users
— Groups
— Service Principals
MFA (multi-factor authentication) can be enabled

The Azure AD Free edition has an object limit of 500,000.

Conditional Access Policies are available when you have an Azure AD Premium P2 license.
Conditional Access Policies are configured under Security.

Azure AD guarantees at least 99.9% availability of the Azure Active Directory Basic and Premium services. The services are considered available in the following scenarios:

  • Users are able to log in to the service, log in to the Access Panel, access applications on the Access Panel and reset passwords.
  • IT administrators are able to create, read, write and delete entries in the directory, or provision and de-provision users to applications in the directory.
  • No SLA is provided for the Free tier of Azure Active Directory.

RBAC
— Role-based access control allows fine-grained access control
— Can be applied at the subscription level, resource group level or resource level

Azure Advanced Threat Protection

  • Cloud-based security tool to identify, detect and investigate advanced threats and compromised identities
    - This service can be used to protect identities and credentials stored in Active Directory
    - It can also cover on-premises AD domain controllers; for that you need to install an Azure ATP sensor on each domain controller.
    - Can be used to identify and investigate suspicious user activities and advanced attacks.

Azure DDos Protection

  • Protects against distributed denial of service (DDoS) attacks
  • DDoS is a major concern for companies when they expose their applications to the internet
  • Two plans

Basic — Automatically enabled; monitors traffic in real time and mitigates common network-level attacks.

Standard — (Paid)
Real-time attack metrics and diagnostic logs via Azure Monitor.

You can get help from DDoS experts during a live attack.

Azure Blueprint

- Allows you to define a repeatable set of Azure resources
- Helps adhere to an organization’s standards, patterns and requirements
- You can orchestrate the deployment of artifacts such as role assignments, policy assignments, Azure Resource Manager templates and resource groups

Difference between Blueprints and Resource Manager templates
— You can use blueprints to upgrade several subscriptions at once
— The relationship between the blueprint definition and the blueprint assignment is preserved

Azure AD Identity protection

Helps detect suspicious actions related to user identities.
Adds more security to the sign-ins to your Azure AD account.
Helps detect
— Unfamiliar sign-ins
— Anonymous sign-ins
— Sign-ins from infected devices
— Sign-ins from IP addresses with suspicious activity
— Users with leaked credentials
— Impossible travel to atypical locations
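To make the last item concrete, here is a simplified version of the "impossible travel" risk detection run over a sequence of sign-in events: consecutive sign-ins by the same user are flagged when the distance between their locations could not have been covered in the elapsed time. This is an added example, not Identity Protection’s own model (which uses many more signals); the sign-in records, coordinates and the 900 km/h speed threshold are constructed for the example.

```python
"""Simplified 'impossible travel' detection over sign-in events.

Added illustration of the risk signal, not Azure AD Identity Protection's
real model. The sign-ins, coordinates and speed threshold are constructed.
"""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 900.0  # constructed threshold, roughly airliner speed


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points given in decimal degrees."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def flag_impossible_travel(signins, max_speed_kmh=MAX_PLAUSIBLE_SPEED_KMH):
    """Return one finding per user-consecutive sign-in pair that implies an
    implausible speed. Each sign-in is a dict with user, time (ISO 8601),
    lat, lon and ip."""
    findings = []
    last_by_user = {}
    for s in sorted(signins, key=lambda x: datetime.fromisoformat(x["time"])):
        prev = last_by_user.get(s["user"])
        if prev is not None:
            hours = (datetime.fromisoformat(s["time"])
                     - datetime.fromisoformat(prev["time"])).total_seconds() / 3600
            dist = haversine_km(prev["lat"], prev["lon"], s["lat"], s["lon"])
            # hours == 0 with a non-zero distance is treated as infinite speed.
            speed = float("inf") if hours == 0 and dist > 0 else (dist / hours if hours else 0.0)
            if speed > max_speed_kmh:
                findings.append({
                    "user": s["user"],
                    "from_ip": prev["ip"],
                    "to_ip": s["ip"],
                    "distance_km": round(dist),
                    "hours": round(hours, 2),
                    "speed_kmh": round(speed),
                })
        last_by_user[s["user"]] = s
    return findings


# Constructed sign-in log (documentation-range IPs, approximate city coordinates).
SAMPLE_SIGNINS = [
    {"user": "alice", "time": "2020-08-06T09:00:00+00:00", "lat": 51.5074, "lon": -0.1278, "ip": "203.0.113.10"},   # London
    {"user": "alice", "time": "2020-08-06T10:00:00+00:00", "lat": -33.8688, "lon": 151.2093, "ip": "198.51.100.7"},  # Sydney, 1 h later
    {"user": "bob",   "time": "2020-08-06T09:00:00+00:00", "lat": 51.5074, "lon": -0.1278, "ip": "203.0.113.11"},   # London
    {"user": "bob",   "time": "2020-08-06T11:00:00+00:00", "lat": 48.8566, "lon": 2.3522, "ip": "192.0.2.44"},      # Paris, 2 h later
]

if __name__ == "__main__":
    for f in flag_impossible_travel(SAMPLE_SIGNINS):
        print(f"{f['user']}: {f['from_ip']} -> {f['to_ip']}, {f['distance_km']} km in {f['hours']} h")
```

Only Alice is flagged: roughly 17,000 km in one hour is not a plausible journey, whereas Bob’s London to Paris trip over two hours is. In a real deployment the next step is a Conditional Access policy that requires MFA or blocks sign-in when the user risk is high, rather than just logging the finding.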

Azure AD Privileged Identity Management

  • Helps manage, control and monitor access to important resources
  • Can provide just-in-time (JIT) privileged access to Azure AD or Azure resources
  • Access can be time-bound
  • Can enforce multi-factor authentication to activate any role
  • Get notified when privileged roles are activated
  • Conduct access reviews to ensure users still require the roles

Azure Information Protection

  • A solution that helps an organization classify and protect its documents and emails by applying labels
  • Labels can be applied automatically by administrators through the use of rules and conditions
  • Labels can add visual markers to documents to tell the user about the classification of the document

Azure Security Center

  • An infrastructure security management system
  • You can use this tool to improve the security of both Azure-based and on-premises resources
  • It has built-in support for services such as Azure virtual machines, Function Apps and Azure SQL databases
  • ASC can also make recommendations for on-premises Windows and Linux servers
  • Those servers must have the Microsoft Monitoring Agent installed
  • It also helps detect and prevent threats at the infrastructure layer

Azure Policies

  • Helps with the governance of your Azure resources
  • You can use the built-in rules or create your own rules to enforce governance for resources deployed in Azure
    Examples
    — Resource groups can only be created if they have a certain tag attached
    — When a VM is created, it must be of a certain SKU size
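Both examples map directly onto the `if`/`then` shape of an Azure Policy rule: a condition over resource fields, and an effect such as `deny` that blocks the deployment when the condition holds. The evaluator below is an added illustration, not the Azure Policy engine; the two policy documents follow the real rule syntax (`allOf`, `not`, `field`, `equals`, `in`, `exists`), while the resources, the tag name and the allowed SKU list are constructed for the example.

```python
"""Tiny evaluator for Azure Policy-style 'if/then' rules.

Added illustration, not the Azure Policy engine. The two policies use the
real rule syntax; the resources, tag name and SKU list are constructed.
"""

# Deny resource groups that lack a Department tag (constructed policyRule).
REQUIRE_DEPARTMENT_TAG_ON_RG = {
    "if": {
        "allOf": [
            {"field": "type", "equals": "Microsoft.Resources/subscriptions/resourceGroups"},
            {"field": "tags['Department']", "exists": "false"},
        ]
    },
    "then": {"effect": "deny"},
}

# Deny VMs whose SKU is not in the approved list (constructed policyRule).
ALLOWED_VM_SKUS = {
    "if": {
        "allOf": [
            {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
            {"not": {"field": "Microsoft.Compute/virtualMachines/sku.name",
                     "in": ["Standard_B2s", "Standard_D2s_v3"]}},
        ]
    },
    "then": {"effect": "deny"},
}

POLICIES = {
    "require-department-tag": REQUIRE_DEPARTMENT_TAG_ON_RG,
    "allowed-vm-skus": ALLOWED_VM_SKUS,
}


def get_field(resource: dict, field: str):
    """Resolve 'type', "tags['Name']" and '<type>/a.b.c' alias paths against a resource dict."""
    if field == "type":
        return resource.get("type")
    if field.startswith("tags['") and field.endswith("']"):
        return resource.get("tags", {}).get(field[6:-2])
    prefix = resource.get("type", "") + "/"
    if field.startswith(prefix):
        value = resource
        for part in field[len(prefix):].split("."):
            value = value.get(part) if isinstance(value, dict) else None
        return value
    return None


def condition_holds(cond: dict, resource: dict) -> bool:
    """Recursively evaluate allOf / anyOf / not and the leaf operators."""
    if "allOf" in cond:
        return all(condition_holds(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(condition_holds(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not condition_holds(cond["not"], resource)
    value = get_field(resource, cond["field"])
    if "equals" in cond:
        return value == cond["equals"]
    if "in" in cond:
        return value in cond["in"]
    if "exists" in cond:
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {cond}")


def evaluate_policy(policy: dict, resource: dict):
    """Return the policy's effect when its condition matches, else None."""
    return policy["then"]["effect"] if condition_holds(policy["if"], resource) else None


def blocking_policies(policies: dict, resource: dict) -> list:
    """Names of the policies that would deny this deployment (empty list = allowed)."""
    return [name for name, p in policies.items() if evaluate_policy(p, resource) == "deny"]


# Constructed resources as they would be submitted for deployment.
RG_UNTAGGED = {"type": "Microsoft.Resources/subscriptions/resourceGroups", "name": "rg-app"}
RG_TAGGED = {**RG_UNTAGGED, "tags": {"Department": "HR"}}
VM_OK = {"type": "Microsoft.Compute/virtualMachines", "name": "vm-web", "sku": {"name": "Standard_B2s"}}
VM_TOO_BIG = {**VM_OK, "sku": {"name": "Standard_E64s_v3"}}

if __name__ == "__main__":
    for r in (RG_UNTAGGED, RG_TAGGED, VM_OK, VM_TOO_BIG):
        print(r["name"], "->", blocking_policies(POLICIES, r) or "allowed")
```

The point worth remembering for the exam is that policy is evaluated against the resource definition at deployment time (and on existing resources for compliance reporting), independently of who is deploying: RBAC answers "may this user act?", policy answers "is this resource shape acceptable?".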

Azure Key Vault

  • Helps you perform secret management: you can store tokens, passwords, certificates, API keys and other secrets
    - You can also create encryption keys in this service
    - You can provision SSL (Secure Sockets Layer) or TLS (Transport Layer Security) certificates
    - All of the secrets and keys are safeguarded by Azure using industry-standard algorithms
    - You can monitor all key vault activity by enabling logging; the logs can be sent to an Azure Storage account, to an event hub or to Azure Monitor logs

Private and Public Preview

  • Private preview is for specific customers, or you need to contact Microsoft to try it out.
  • Public preview is available to all customers.
  • No SLAs apply to a service in preview.


Azure Machine Learning

  • Used for data prediction, outcomes and trends
    - Machine Learning Studio — drag and drop
    A cloud-based environment for preparing data, training, testing, deploying and managing machine learning models.
    ML Studio comes with pre-built, pre-configured machine learning modules.

Log Analytics Workspace

An environment to store log data.
Can collect data from various sources:
— Azure resources
— On-premises computers (using the Windows agent)
— Azure Storage
— Diagnostic tools
It is a global feature; the workspace does not need to be in the same region as the resources.

Azure DevOps (a different portal than the Azure Portal)

A complete set of tools that helps teams plan work, collaborate on code development, and build and deploy applications.
It consists of the following services:
— Azure Repos — Git repositories or TFVC version control
— Azure Pipelines — build and release services for continuous integration and delivery
— Azure Boards — helps plan and track work items
— Azure Test Plans — tools for testing
— Azure Artifacts — lets teams share Maven, npm and NuGet packages

Application Insights Service

  • Application Performance Management (APM) tool for web developers
    - Can be used to monitor applications
    - Helps developers detect anomalies in the app
    - Helps diagnose the app
    - Helps understand usage
    - Helps improve the performance and usability of the application
    - Provides various insights:
      - Request rates
      - Response times and failure rates
      - Funnels
      - User flows
      - Impact
      - Retention

Azure Advisor

Recommendations on
— Cost
— Security
— High Availability
— Operational Excellence
— Performance

Kubernetes

A container orchestration system.
An open-source platform that can be used to manage containerized workloads.
Can provide a DNS name for your containers.
Can load balance and distribute traffic.
Can restart containers that fail.
Can be used to replace or kill containers.
Can also store sensitive information like passwords, OAuth tokens and SSH keys (as secrets).

Other Important Points

Data transfer within the same region is not charged. For example, an Azure SQL database accessed from the same region will not incur any additional data transfer costs.

For data transfer between Azure services located in two different regions, outbound data transfer is charged at the normal rate and inbound data transfer is free.

The spending limit on a subscription is fixed: it can be removed but cannot be increased or decreased. The spending limit is equal to the amount of credit available. Spending limits do not apply to Pay-As-You-Go or reserved plans.

The Standard support plan is the cheapest support option available in Azure that includes 24x7 phone and email support.

Important Links

https://azure.microsoft.com/en-us/free/free-account-faq/

https://azure.microsoft.com/en-us/pricing/details/bandwidth/

https://docs.microsoft.com/en-us/azure/security/fundamentals/data-encryption-best-practices#protect-data-in-transit

https://azure.microsoft.com/en-in/support/plans/

https://azure.microsoft.com/en-us/support/legal/sla/summary/


Surya Prakash Garg

A Power BI and Data science enthusiast, learn by helping others, connect with me on Linked in https://www.linkedin.com/in/spgarg/