AZ900 fundamentals from Adam

 https://www.youtube.com/playlist?list=PLGjZwEtPN7j-Q59JYso3L4_yoCjj2syrM

episode 1

 high availability: service up time, e.g. 99%

 scalability: ability to scale up/out

 elasticity: ability to scale dynamically, e.g. depending on workload

 agility: ability to react quickly

 fault tolerance: ability to remain up and running while some components/services fail

 disaster recovery: ability to recover from disaster, e.g. using region replication

episode 2

  economies of scale

  as scale goes up, average cost per unit drops

episode 3

  capital expenditure (CapEx)

  own infrastructure

  big investment initially to purchase hardware, but later on hardware cost is low

  ongoing maintenance cost

  Operational Expenditure (OpEx)

  rent infrastructure

  pay as you go

  minimal maintenance

episode 4:

consumption based pricing model

pay for what you used, compute + storage + network

episode 5:

infrastructure-as-a-service (IaaS)

-networking, hardware, and virtualization

platform-as-a-service

- operating system, middleware/software (dev tools, sql, logic app), runtime (iis docker)

software-as-a-service

-data and apps, out-of-the-box applications, e.g. outlook, skype, onedrive, etc.

episode 6

deployment model

private cloud, you host everything, CapEx, need IT skills

public cloud, microsoft hosts everything, may not meet security/compliance requirements

hybird, a mixed of private and cloud, more expensive, complicated, need IT skills

episode 7

data center, a set of servers, independent power, cooling and networking

region, 1 or more data centers connected with low latency network, e.g. au east, au west

not all services are available in every region

some services (AD, DNS) are global, not specific to any region

US government region, china partnered region

Availability zone

each data center is a zone

can replicate service  onto multiple availability zones to have zone redundancy

region pair

replicate to a paired region, e.g. au east-> au west to avoid natural disaster

geography

europe, asia pacific, middle east, etc.

regions are grouped into geographies

ensure dta residensy, sovereighty, compliance and compliance are met

protect from region wide failures

episode 8

resource, resource group and resource manageer

everything is a resource, with a JSON definition of all the properties

resources are grouped into resource group.

A resource group is logical and for free. It has its own region for storing information, and a resource within it can be at another region.

Many ways to group resources, type, lifecycle, billing, region, etc.

e.g. all sql servers in one resource group

     all dev resources (db, network, vm, etc.) in one group

all resources from a department in one group

resource manager is a management layer for all resources and resource groups.

We can use azure portal / rest / powershell / CLI /SDKs to create and manage resources.

They all connect to the Azure Resource Manager (ARM) later using a unified language.

episode 9

'Compute' resources in Azure

virtual machine gives you good control of everything, but no autoscale, only one node. You can still add extra cpu memory though.

virtual machine scale set, autoscale by replicating your virtual machine as per load balance, one or  multiple nodes

Container, is more lightweight than VM. IaaS

VM needs a layer of virtualization software to simulate hardware for each VM. Each VM has its own operating system.

Container needs a layer of container runtime to simulate operating system of the host. 

Azure Container Instances can host Container Group (a VM) where multiple containers can be run. This is platform-as-a-service while VM is IaaS.

Azure Container Instances can host zero up to 20 nodes. No autoscaling. Still give you some control of the operating sys/software.

Kubernetes Services provides autoscaling for containers, 3-100 nodes as per load balance, PaaS

Azure app service

If you dont want to manage containers, Azure app service can be an option

Just build web app into a package, and deploy to app service. App Service will create nodes to run app, autoscale. 

Azure function is based on Azure App service. 

instead of running a web app, you can package a simple function and deploy it. Azure function creates nodes to run the function as web service. Serverless. designed for micro/nano-service. PaaS

episode 10

networking

   Virtual Network

  for only one region, so multiple networks if multiple regions

  VNET gateway/VNET peering connects on-prem and cloud, cross VNET communication

  VNET is divided into subnets

  subnets is for address allocation, network security group setting

  In virtual network, search for diagram, it will show the network structure

   Load Balancer 

for non HTTP traffic distribution onto VMs 

    separate load balancers for web layer, and for data layer for example

the former is called public load balancer, the later is called internal load balancer

   App gateway

    for HTTP traffic distribution onto VMs / App services

extra http related features, session, url routing, ssl termination, redirection, etc.

   Content Delivery Network CDN

    deliver web content (e.g. static image, stylesheet, java script static pages) to users

duplicate content onto many POP (points of presence) locations in different regions

users connect to nearest POP

episode 11

  Azure storage account

  Blob Storage (binary large object) or basically can be any file

     container and files

cool, hot or archive tiers. Hot: frequent access, cool: occasional access, archive: rare access

  File Storage

     same as blob storage except designed for share drive only.

use file sharing protocol so it can be mounted to windows, linux as a drive.

  Table Storage

      semi structure data

  table structure, need to specify partition key and row key for quick access.

  but no schema constraint, can put in any column, any type

  Designed for NoSQL storage

  Queue storage

      store small messages in queues

  Disk storage

      simulate a hard disk for virtual machine, SSD or HDD

  can choose unmanaged (i.e. on blob and managed yourself), or managed (microsoft manages it)

episode 12

cosmos db, geographically distributed NoSQL database, designed for low latency

Azure SQL Server, MySQL, PostegreSQL

Some Azure SQL Server features have been cut, e.g. ssis, ssrs, ssas, you may use data factory, power bi, and analysis server instead in azure.

SQL Managed Instance, fully capability version of SQL server, but pricy

SQL Data Warehouse (Synapse), sql server for massively parallel processing, big data warehousing

SQL VM, VM for SQL server, managed by users

episode 13

marketplace

 - commercial marketplace, azure, power bi, office 365, for business users

 - azure, for developers and IT pros

episode 14

IOT

 -IOT Hub, managed service for bi-directional communication with IOT devices, PaaS

  once create a device, copy connection string and configure on the device so the device can send data to IOT hub

  good for building apps from scratch

 -IOT Central

  built on top of IOT HUB, provides a lot of templates to avoid building apps from scratch

  This is an IOT application platform, SaaS

 -Azure Sphere

  End to end approach for building IOT solutions

  provides hardware, chips - MCUs

  sphere OS based on LINUX

  Azure Security service for device to cloud communication

Side notes:

Difference between IOT hub, Event Hubs and Event grid

IOT Hub focuses on connecting IoT devices to the cloud.

It connects to physical devices, and can receive and send messages, so two-way communication with devices.

Event hub, is used by IoT hub for telemetry flow path, but IoT Hub can also receive files, notifications,etc.

Event hub focues on big data streaming.

Event Grid, is for distributing events to subscribers.

An use case is using event hub to capture web site telemetry, and event grid to respond to telemetry event like item shipped.

episode 15

  synapse

    big data analytics platform (PaaS)

    - Studio includes components

  -- pipelines (data factory)

  -- spark

  -- synapse SQL

-easy communication with azure datalake

  Azure HDInsight

    Flexible multi-purpose big data platform (PaaS)

    - big data clusters (support Hive, Spark, Kafka, Hbase, Storm, etc.)

  Azure databricks

    big data collaboration platform (PaaS)

    built on top of spark

a unified workspace for notebook , cluster, data, collaboration, etc.

integrate very well with common azure data services, e.g. datalake

episode 16

  Azure Machine learning

  - Machine Learning Workspace, the top level resource that ties together compute, pipeline, experiment, connection, storage, deployment, everything 

  - Studio, web portal

  - features include

    -- notebooks, python/R

-- Auto ML, run multiple algorithms/params to choose the best model

-- designer is a drag and drop type of interface 

-- Data and Compute, manage storage and compute resources

-- pipelines, orchestrate model training all the way to deployment, monitoring and retraining

episode 17

 serverless

 - Azure Funciton, Function-as-a-service, application development platform for nano-services, auto scale. Called through web service.

 - Logic Apps, PaaS, no-code development of workflow orchestration /business process. many connectors available for storage, email, events, etc. It can be triggered by different events, e.g. a blob file uploaded, web, office, email, etc.

 - Event Grid, event routing services. Incoming events are grouped by topics, subscribers receive events by subscribtion.

Episode 18

  DevOps Services

  - Azure DevOps, a collection of tools for DevOps practices, including Boards (e.g. Scrum), Pipelines (CICD continous deployment), Repo (e.g. git), Artifects (manage project deliverables), and test plans.

  - DevTest labs

    provide sandbox environments (VM) with templates, PaaS

quick setup of virtual machines by selecting OS, size, software, tools

can apply lab policies on quotas, sizes, etc.

episode 19

  Azure portal - web portal for self-service

  Azure PowerShell - run from local computer to interact with  Azure, use script and command lines

  Azure CLI - similar to powershell but syntax is more linux, also run from local computer

  Azure Cloud shell - supports both powershell and CLI command line from azure portal

episode 20

  Azure advisor

  Provide recommendations and best practices for cost, security, performance, etc.

  Can click on the actionable recoomendataions links to go to the pages for implementation.

Episode 21

  - Network security group

    like firewall setting, apply to a vnet or a subnet to filter traffic

  - Application security group

    a logical grouping of virtual network resources, e.g. all web servers into an group

so as to apply filtering rules on the logical groups instead of IPs.

Episode 22

  Route table

  - custom/user defined routes (UDR)

  e.g. within a virtual network, there are 3 subsets: A, B and C

  normally A can connect to C directly, but now we want to re-route the traffic from A -> C to A->B->C, where B has a VM server (virtual appliance) for traffic inspection

  -- create a route table resource, associate the route table with subnet A, so it applies to all traffic from A

  -- create a 'route' and select C as the address prefix so all traffic going to C will be rewritten

  -- configure the next hop as a Virtual Appliance (a special VM with firewall), and put it the VM's IP as next hop address

  Done, now all traffic A->C will be directed to B for inspection first and then further forwarded to C.

Episode 23

  Azure firewall 

  PaaS, firewall as a service

  Traffic filtering rules, support FQDN (fully qualified domain name) and inspect body content, etc.

  This can replace the Virtual Appliance (special VM with firewall) for traffic inspection, no VM is needed.

Episode 24

  Dos and DDos, denail of service, which flood the target with a lot of requests.

  The basic DDos is automatically enabled for azure, e.g. app service, to block malicious traffic while allowing legitimate traffic

  It also prevents the app service from unnecessary scale-up.

  Standard DDos protection plan can be created separately to provide extra protection. Just need to create a DDoS plan resource and associate it with the virtual network to be protected.

episode 25

  Identity, represents user, user group, application

  Authentication, the process to verify an identity

  Authorization, the process to verify an identity has access to something

  Azure Active Directory (AD)

    - provide identity management

- access management, roles, role assignment, authentication and authorization settings

- can be used by multiple platforms, azure, office 365, live.com etc.

- can sync with on-prem AD

    - support multi factory authentication MFA

  -- verify identity using multiple factors, password, phone, token, fingerprint, gps, etc.

episode 26

   Azure security center

   provide security management services

   continuous security assessment and recommendation, the recommendation is also integrated in Azure Advisor

   two tiers:

     - free, no Azure defender, only assessment and recommendation

- paid, with defender, also security protection, scanning, just-in-time access etc.

episode 27

   Key Vault,

   A service for storing sensitive information

   - keys, like disk encrytion keys

   - secrets, username/password

   - certificates

   integrated with azure services, vm, logic app, data factoyr, etc.

episode 28

  Role-based Access Control RBAC

  Role, what you can do, read, write, owner, etc.

  security principal, a user, group, service principal, managed identity

  scope, where you have access to

    -different levels, management group, subscription, resource group, resource

episode 29

  lock is for locking resources from deletion or modification

  lock applies to subscription level and down, not management group

  lock supports only 'delete' or 'read only' types

  only owner and admin can managed locks

episode 30

  tags, key-value pairs to assigned to a resource

  can't inherit tags to sub resources, except using policy to allow tag inheritence.

  extra properties associated with resources for ,e.g. billing purpose, tracking by tags (department, type of resources, etc.)

episode 31

  policy is an if/else check (e.g. location=AU), and return effect (accept / deny / audit, etc.)

  initiative is a policy bundle

  policy can applied to different levels/scopes, management group and down

  for compliance, security, cost management, etc

  Note, policy is about resource properties, and RBAC is about user's action

episode 32

  azure blueprint

  it describes a package of components (common roles, policies, arm template for resources, etc) that apply to a resource group.

  The components are also called artifacts. When creating a blueprint, you need to provide those artifacts, e.g. the JSON template for a resource.

  Once create a blueprint (or use an existing Azure blueprint, e.g. iso9001 blueprint) you can assign it to a resource group, and those roles policies, etc. will be applied automatically. It will also ask about the parameters of the artifacts, e.g. resource group name

episode 33

  Cloud Adoption Framework is a set of tools, best practices, guidelines and documentation for moving to the cloud

  It contains a few stages:

    - strategy, why move and how to provide business value

    - Plan, actionable plan 

    - ready, prepare and align users, processes and environment

    - adopt, start moving by plan, migrate/innovate

    - govern, compliance security standards

- manage - manage monitor and optimize environment

episode 34

  Microsoft Privacy Statement, use of personal data for all MS offers, cloud, office, etc.

  Online Services Terms, license terms for online products, e.g. cloud, office365

  data protection addendum, appendix of online services terms to further specify processing of personal data

  Trust center, one stop for reviewing security, privacy and compliance of online services

  Azure compliance documentation, compliance doco just for Azure

  Azure sovereign regions, us government, china, special isolated regions.  

episode 35

   cost affecting factors

   - resource types

   - services, e.g. enterprise, web direct, csp from partner, billing cycle, discount, etc

   - location/region

   - bandwidth - network traffic for uploading and downloading data

Episode 36

 reservation, reverse resource for 1 or 3 years in advance

 spot pricing, unused VM, but can lose anytime

 hybrid use benefit, use existing license

 Pricing calculator

 TOtal Cost of Ownership TCO calculator, compare on-prem vs azure

episode 37

 cost management

 cost analysis, reporting dashboard

 cost budget, set budget for period, e.g. month, quarter

 cost alert, alert on cost

 cost recommendataion

episode 38

 SLA, calculated monthly

 each service has its own SLA, from 99% to 99.999%

 free service doesn't have SLA

 composite SLA is the multiplication of every resource in an application

 to improve SLA, add in redundancy/load balancing, add availability zones, improve service tiers

episode 39

 service lifecycle

 development, public preview, general availability

 there may be private preview during development as well

 public preview is for testing purpose