Microsoft Azure
Fundamentals
AZ-900
III-Networking
By Sajjad Ghaffoori
YouTube.com/c/iiinetworking
Page: Facebook.com/iiinetworking
Group: Facebook.com/groups/iiinetworking
@III_Networking
Linkedin.com/in/sajjad-ghaffoori-6b4674134
Linkedin.com/company/iii-networking
orhanergun.net/instructors/sajjad-ghaffoori
- Microsoft Azure Fundamentals
- AZ-900
- Exam Cost: 100$
- Exam Center: Pearson Vue
- NO Prerequisites
- Acquired Badges: Microsoft Certified Azure Fundamentals
- Expires: 2 years
- Questions: 30-60 MCQ’s
- Exam Length: 60 Minutes
- Azure Certifications
- Course Content
- Cloud Concepts
- Azure Core Services
- Azure Core Networking Services
- Azure Security and Compliance
- Azure Solutions
- Azure Pricing and Resources
Cloud Concepts
- The Cloud
- A host or a company
- would build a data center that can serve thousands of real networks
- and start providing you the service in a way
- that they completely take care of the CapEx
- services that include whatever you might ever need
- to build and maintain a real network
- you would hear about it, but never see it
- your role would be to operate, benefit, and shut down
- when you benefit, pay; when not, don't pay ☺
- Benefits of Cloud Computing
- Pay as you benefit, and pay as you grow (Economic)
- supports vertical scaling (scale up) and horizontal scaling (scale out) of services
- supports distributed resources per service
- alongside load balancers between them (Scalable)
- internal backups are already taken for all the services
- in case of disaster, your data is automatically cloned to another site
- Capital Expenses
- with on-premises networks
- everything, from getting the nodes (servers and appliances)
- down to the smallest terminal that connects to the power cable on the power boards
- all the safety, electricity, fire fighting, air cooling, and operation costs are yours
- not just to pay, but to consider, design, think of, and plan redundancy for
- hire the right teams for it and select the best provider for each of these services!!
- monitoring and health checks are your responsibility as well (had enough yet!)
- so, equipment costs, operation costs, labor costs, and locale costs
- are yours to consider, monitor, and optimize
- Operational Expenses
- and when it comes to software
- after all the headaches of the hardware part
- operating systems should be provided
- for servers, DNS, load balancers, monitors, counters, and logging systems
- AND their licenses
- for each of the mentioned operating systems
- and services
- So, how would all that differ with Cloud Computing?
- it depends on the service model
- Service Models
- Infrastructure as a Service (IaaS)
- this is the infra you need
- to install an OS upon and start using
- you can decide the resources
- and Azure will build and operate in seconds
- Platform as a Service (PaaS)
- furthermore, this is an IaaS + an OS installed
- start developing and operating directly
- Function as a Service (FaaS)
- even the development environment is pre-installed
- upon all the previous services mentioned
- Software as a Service (SaaS)
- start benefiting directly
- from a software ready to be consumed
- Shared Responsibility Model
- IaaS
- Azure: service resources, operating resources, and accessibility
- Customer: operating system and beyond
- PaaS
- Azure: service resources, operating resources, accessibility, and OS
- Customer: Application Development and beyond
- SaaS
- Azure: service resources, operating resources, accessibility, OS, and DEV.
- Customer: nothing, just benefit
- Cloud Types and Architecture
- Public Cloud
- online, global, not owned literally by the customer
- partial selective services to be obtained
- secured and protected
- sharing resources with others
- Private Cloud
- an on-premise network of CapEX and OpEX under your responsibility
- Hybrid Cloud
- a mix of both, bridged together, covered with security, and interconnected
Core Services
- Azure Architectural Components
- Geographics
- A geographical location serving the nearest customers in that area
- normally it would refer to the name of a geographic region on the map
- examples: USA, Canada, Asia, Europe, and Australia
- https://azure.microsoft.com/en-us/global-infrastructure/geographies/#overview
- Regions
- within a geography, there are multiple regions
- as a geography might be large enough that
- having more specifically distributed locations would serve closer customers
- in a better way
- Availability Zones
- zoom more inside a region
- to find 3 or more AZ’s within
- each can contain one or more Data Centers
- each DC with an independent resource supply
*services hosted within an AZ can be Zonal (you replicate) or Zone-Redundant
(automatically replicated across the AZ’s of a region)
*regions are paired between each other
*AZ’s are interconnected within a region
- Azure Service Control
- Resources Group
- a container (not a tag) that groups your services
- some of them, not all the services
- for easier selective management for those grouped services
- apply one action, all the included components will get affected
- all of which is done by the ARM
- Azure Resource Manager
- one single unified graphical dashboard
- to control the Azure services and all their functions
- Accounting Management
- Azure billing account
- an account for charging and billing
- follows and manages payments and their analytics
- receives invoices and pays them
- for one or more subscriptions
- Azure Subscriptions
- an Azure Resources Account
- group resources in a subscription
- to manage the content of the subscription financially
- Azure Virtual Machines
- Same as the on-premise virtualized, software-based machines
- hosted on Azure and supports more flexibility
- vertical scaling (scale up) for more resources per VM
- horizontal scaling (scale out) for more VM’s per application
- Network or Application Load Balancers between the VM’s
- all of that is named Scale Set
- wide distribution of the VM's in different locations for high availability
- Availability Sets
- Azure PaaS Services
- Azure Application Service
- a PaaS with a development environment ready to go
- based on Azure VM
- supports the same Azure VM scalability and HA features
- environments include .NET, Java, Ruby, and Python
- Azure Container Instances (ACI)
- create and deploy containers
- easy and simple to manage
- supports your own containers as well
- Azure Kubernetes Service (AKS)
- Kubernetes on Azure, for high level management of Containers
- Azure Storage Services
- Blob Storage
- object storing on the cloud
- regardless of the structure and the type of the data
- accessed remotely and serves multiple usages
- Disk Storage
- bridged and connected with VM’s
- supports a data disk and an OS disk for persistent storage
- and a temporary disk whose contents last for one power cycle only
- File Storage
- shared “Disk” type storage
- supports SMB and NFS
- Azure support for Databases
- Azure SQL Database
- a PaaS having a VM and an OS ready to host an SQL database directly
- SQL Managed Instance
- a PaaS having a VM, an OS, and an SQL empty DB ready to host tables
- supports horizontal scaling
- multi-AZ deployment, for HA
- Cosmos DB
- a highly available, multi-engine database spanning regions
- supports both relational (SQL) and non-relational (NoSQL) databases
- deep queries and analytics
- API integration and easy migration
- other SQL engines
- PostgreSQL is also supported as an SQL engine to be deployed
- on Azure Managed Instances
- Azure provides
- Database Migration Service (DMS)
- with both the online and the offline migration model (method)
Core Networking
Services
- Virtual Networks
- VNets represent the private domain per network
- private IPv4 blocks to be considered
- isolated from other VNets, as each uses a different IPv4 block
- could communicate after peering VNets
- A VNet runs within 1 region and serves only 1 subscription
- Load Balancers
- High Availability across the AZ’s and Regions
- operates per Address, Port, and Request
- Network/Transport Load Balancers
- Azure Load Balancer
- Azure Front Door
- Application Load Balancers
- Azure Traffic Manager
- Azure Application Gateway (HTTPS)
- VPN Gateway
- An encrypted tunnel between two TEPs (tunnel endpoints)
- for private communication or data transport
- Azure supports
- Site-to-Site: regardless of the nature of the site implementation
- Multi-Site: between distributed sites over the WAN
- Point-to-Site: End-point direct connect to a site
- VNet-to-VNet: this is not VNet peering
*Azure Express Route would always be a good solution for offline connection
- CDN Services
- Azure CDN would cache
- your on-cloud content
- for faster delivery, based on the distributed CDN locations
- should be enabled
- to communicate and retrieve/cache content
- for the Azure servers you own
Security and
Compliance
- Types of Defense
- Physical: Azure's
- Identity: yours
- Network: Azure's
- Compute: yours
- Application: yours
- Data: yours
- note that the firewall design is yours to implement, and Azure's to operate and
guarantee its efficiency
- Firewalls Protection
- Azure Firewall
- Full L3 to L7 firewall
- src./dst. addresses and ports inspection
- application layer content inspection (FQDN)
- Web Application Firewall
- wherever web services are hosted
- on one or group of hosts
- all secured as a group, at layer 7
- Azure DDoS Protection
- analytics, monitoring, and reporting
- against Volumetric, Protocol, and Resource Layer attacks
- Security Groups
- Network Security Groups (NSGs)
- can be applied on a service or a vNIC
- filters traffic based on what is allowed and what is denied
- src./dst. addresses and ports are matched
- one or more can be applied
- Application Security Groups (ASGs)
- group services
- apply one set of NSG rules to all of them
*UDR is user-defined routes (route manually if you wish to bypass)
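The NSG matching described above, as an added example that is not from the slides: it models priority-ordered, first-match evaluation of inbound rules against constructed source address/port pairs, ending with the DenyAllInBound default rule Azure appends at priority 65500. Rule names, the management range 10.0.0.0/24 and the sample flows are constructed; protocol matching and the other default rules are left out.

```python
"""Evaluate Azure-style NSG inbound rules against sample flows.
Added example: models priority-ordered, first-match NSG evaluation.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int   # custom rules use 100-4096; lower number is evaluated first
    access: str     # "Allow" or "Deny"
    src: str        # source CIDR, or "*" for any
    dst_port: str   # destination port, or "*" for any

def _addr_match(prefix, addr):
    return prefix == "*" or ip_address(addr) in ip_network(prefix)

def _port_match(spec, port):
    return spec == "*" or int(spec) == port

# Constructed rule set: HTTPS from anywhere, SSH only from a management
# range (10.0.0.0/24), and an explicit deny for SSH from everywhere else.
INBOUND_RULES = [
    Rule("allow-https", 100, "Allow", "*", "443"),
    Rule("allow-ssh-mgmt", 200, "Allow", "10.0.0.0/24", "22"),
    Rule("deny-ssh-other", 300, "Deny", "*", "22"),
]
# Azure appends default rules after the custom ones; only the final
# catch-all deny at priority 65500 is modelled here.
DEFAULT_DENY = Rule("DenyAllInBound", 65500, "Deny", "*", "*")

def evaluate(rules, src_ip, dst_port):
    """Return (access, rule_name) of the first rule matching the flow."""
    for rule in sorted(rules, key=lambda r: r.priority) + [DEFAULT_DENY]:
        if _addr_match(rule.src, src_ip) and _port_match(rule.dst_port, dst_port):
            return rule.access, rule.name
    raise AssertionError("unreachable: the default rule matches every flow")

if __name__ == "__main__":
    for src, port in [("203.0.113.5", 443), ("10.0.0.7", 22),
                      ("203.0.113.5", 22), ("203.0.113.5", 3389)]:
        print(f"{src}:{port} -> {evaluate(INBOUND_RULES, src, port)}")
```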
- Azure Active Directory
- Full control of authentication and authorization
- of all the included parties and individuals
- of the network on-cloud
- can cooperate and exchange info and rules with the on-premise AD
- using Azure AD Connect
- supports MFA, SSO, and RBAC based on
- Security principal, Role, and Scope
- Comes in tiers like: Free, P1, and P2
*RBAC assigns roles of Owner, Contributor, Reader, and User Access Admin.
- Azure Security Tools
- Azure Security Center
- one unified dashboard
- to monitor, analyze, and suggest
- security designs and modifications
- for many different supported network build configurations
- supports secure score reports
- Azure Key Vault
- secret storage for
- passwords, certificates, token, and crypto keys
- direct integration is supported with other Azure services
- to contact it and acquire the appropriate authentication parameter
- Azure Information Protection (AIP)
- labeling and organizing protection levels of assets
- also clarifying who can benefit/access assets
- furthermore, it can cooperate with Azure RMS for assets encryption
- Azure Advanced Threat Protection (ATP)
- monitoring, reporting, and protecting
- of spotted attacks over the on-premise AD
- scans and investigates
- on-premise, cloud, or hybrid networks
- for possible threats within the environment
- also mitigate and helps taking action upon those threats
- Azure Dedicated Hosts
- for security and compliance purposes
- some VMs may not share infrastructure with foreign VMs
- which is the classic deployment of on-cloud VMs
- Dedicated Hosts overcome that by giving you a physical server that hosts only your VMs
- Azure Constraints
- Azure Policies
- written in JSON
- mentions an Azure Service
- applies constraints upon that service
- when having multiple policies per one service
- an initiative can collage them
- Resource Locks
- lock a specific service from being deleted
- only once the lock is removed can it be deleted
- another type is the "ReadOnly" lock
- read, but don't modify
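The JSON policy format described under Azure Policies, as an added example not taken from the slides: a constructed "allowed locations" definition in the real Azure Policy JSON shape (parameters plus a policyRule with an "if" condition and a "then" effect), with a small evaluator that applies it to resource descriptions. The evaluator implements only the field/in/not/equals operators this definition uses, not the full Azure Policy language, and the region list is a constructed assignment parameter.

```python
"""Apply an Azure Policy definition (JSON) to resource descriptions.
Added example: constructed "allowed locations" policy plus a minimal evaluator.
"""
import json

POLICY_JSON = """
{
  "properties": {
    "displayName": "Allowed locations",
    "mode": "Indexed",
    "parameters": {
      "allowedLocations": {"type": "Array"}
    },
    "policyRule": {
      "if": {
        "not": {"field": "location", "in": "[parameters('allowedLocations')]"}
      },
      "then": {"effect": "deny"}
    }
  }
}
"""

def _resolve(value, params):
    """Expand the "[parameters('name')]" expression form; pass literals through."""
    if isinstance(value, str) and value.startswith("[parameters('"):
        return params[value[len("[parameters('"):-len("')]")]]
    return value

def _matches(cond, resource, params):
    """Evaluate one condition; only not / in / equals are implemented here."""
    if "not" in cond:
        return not _matches(cond["not"], resource, params)
    actual = resource.get(cond["field"])
    if "in" in cond:
        return actual in _resolve(cond["in"], params)
    if "equals" in cond:
        return actual == _resolve(cond["equals"], params)
    raise ValueError(f"unsupported condition: {cond}")

def evaluate(policy, resource, params):
    """Return the rule's effect ("deny") when the condition fires, else "allow"."""
    rule = policy["properties"]["policyRule"]
    return rule["then"]["effect"] if _matches(rule["if"], resource, params) else "allow"

POLICY = json.loads(POLICY_JSON)
ASSIGNMENT_PARAMS = {"allowedLocations": ["westeurope", "northeurope"]}  # constructed

if __name__ == "__main__":
    for location in ("westeurope", "eastus"):
        print(location, "->", evaluate(POLICY, {"location": location}, ASSIGNMENT_PARAMS))
```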
- Services to Notice
- Azure Blueprints: carbon-copy template of a full on-cloud network
- Microsoft Cloud Adoption Framework for Azure:
- get acquainted with moving to Azure's cloud
- https://aka.ms/adopt
- Azure Monitor: Full Unified scan and monitor (reporting) for the Network
- Azure Health: An eye on the resource health, patches, upgrades, and maintenance
- Azure Advisor: Automatic optimization report, suggesting how to improve
- Compliance Meeting
- Azure supports compliance standards such as HIPAA, ISO, IEC, NIST, GDPR, and others…
- Privacy: https://privacy.microsoft.com/privacystatement
- Azure OST: www.microsoft.com/licensing/terms/product/ForallOnlineServices
- Azure Trust Center: www.microsoft.com/trustcenter
- Azure Service Trust Portal: https://servicetrust.microsoft.com
Azure Solutions
- Azure IoT & AI
IoT:
- IoT Hub: communication support for IoT devices and hosting Servers
- IoT Central: Visual Dashboard of all the IoT consuming services
- Azure Sphere: IoT development environment for an IoT application from zero
AI:
- Azure ML: development environment and tools for ML data modeling
- Azure Cognitive Services: ML models ready to interact
- Azure Bot Service: mimic ML behavior, testing environments
- Serverless Computing
- where a function would
- power up, operate, calculate, function, and report the result
- all automatically
- Azure Functions
- FaaS, runs based on events
- based on Python, Java, JavaScript, C#, PowerShell…
- Azure Logic Apps
- considered no-code/low-code automation scripts
- runs based on events
*One can provoke and initiate the other
- Azure DEVOPS
- Azure Artifacts: storing source code in a repo
- Azure Boards: managing projects, tasks, and follow-ups
- Azure Pipelines: CI/CD support
- Azure Repos: publishing source code on a repo
- Azure Test Plans: Automated testing for Automation scripts
- Azure DevTest Labs: Automate templates deployment for Azure Services
Pricing and
Resources
- Azure Pricing
- Subscriptions
- Free Trial: One year, limited services
- Pay-as-you-go: based on whatever you operate, no limits
- Member offers: receive an offer to operate based-on
- Purchasing Services
- Enterprise Agreement (EA): 3 years upfront service agreement, enterprises
- Web Direct: classic periodic billing
- Cloud Solution Provider (CSP): mediators for Cloud services
- Billing Zone: https://azure.microsoft.com/en-us/pricing/details/bandwidth
- Azure Cost
- Total Cost of Ownership (TCO) Calculator
- virtually build and estimate an on-cloud network cost
- https://azure.microsoft.com/en-us/pricing/tco/calculator
- Pricing Calculator
- Estimate cost per application
- https://azure.microsoft.com/en-us/pricing/calculator
*Costs might be deducted if Azure did not meet the agreed SLA
- Azure Management
- Azure Portal
- unified dashboard, using ARM
- Azure PowerShell
- Microsoft PowerShell
- built-in Azure dashboard
- same syntax and cooperation
- Azure CLI
- specific CLI syntaxes to communicate with ARM
- Azure Mobile App