Az 900t00a Enu Powerpoint 02

The document outlines the AZ-900T00 Learning Path 02 for Azure Architecture and Services, covering key concepts such as Azure architectural components, compute and networking, storage, and identity/access/security. It includes detailed descriptions of Azure regions, availability zones, resource groups, subscriptions, and various Azure services like virtual machines, app services, and storage options. Additionally, it provides exercises for creating Azure accounts, resources, and managing storage, emphasizing practical engagement with Azure's cloud infrastructure.

AZ-900T00

Learning Path 02:
Azure Architecture and Services

© Copyright Microsoft Corporation. All rights reserved.


Learning Path Outline



Learning Path 02 – Outline
You will learn the following concepts:

Azure Architectural Components
• Regions and Availability Zones
• Subscriptions and Resource Groups

Compute and Networking
• Compute types
• Application hosting
• Virtual networking

Storage
• Storage services
• Redundancy options
• File management and migration

Identity, Access, and Security
• Directory services
• Authentication methods
• Security models


Azure Accounts

• Azure account
• Azure free account
• Azure free student account
• Microsoft Learn sandbox



Walkthrough – Create an Azure Account

Create an Azure free account

1. Create an Azure free account



Exercise – Explore the Learn sandbox

Explore the Learn sandbox

1. Activate the sandbox.
2. Use PowerShell.
3. Shift to BASH.
4. Shift to Azure Interactive mode.
5. Navigate the portal.


Azure architectural components



Core Azure architectural components – Objective Domain
• Describe Azure regions, region pairs, and sovereign regions.
• Describe Availability Zones.
• Describe Azure datacenters.
• Describe Azure resources and Resource Groups.
• Describe subscriptions.
• Describe management groups.
• Describe the hierarchy of resource groups, subscriptions, and management groups.


Regions

Azure offers more global regions than any other cloud provider, with 60+ regions representing over 140 countries.

• Regions are made up of one or more datacenters in close proximity.
• Provide flexibility and scale to reduce customer latency.
• Preserve data residency with a comprehensive compliance offering.

Availability zones

• Provide protection against downtime due to datacenter failure.
• Physically separate datacenters within the same region.
• Each datacenter is equipped with independent power, cooling, and networking.
• Connected through private fiber-optic networks.

(Diagram: one Azure Region containing Availability Zone 1, Availability Zone 2, and Availability Zone 3.)


Region Pairs

• At least 300 miles of separation between region pairs.
• Automatic replication for some services.
• Prioritized region recovery in the event of an outage.
• Updates are rolled out sequentially to minimize downtime.

Web Link: https://aka.ms/PairedRegions

Region                    Paired region
North Central US          South Central US
East US                   West US
West US 2                 West Central US
East US 2                 Central US
Canada Central            Canada East
North Europe              West Europe
UK West                   UK South
Germany Central           Germany Northeast
Southeast Asia            East Asia
East China                North China
Japan East                Japan West
Australia Southeast       Australia East
India South               India Central
Brazil South (Primary)    South Central US


Azure Sovereign Regions (US Government services)

Meets the security and compliance needs of US federal agencies, state and
local governments, and their solution providers.

Azure Government:
• Separate instance of Azure.
• Physically isolated from non-US government
deployments.
• Accessible only to screened, authorized
personnel.



Azure Sovereign Regions (Azure China)

Microsoft is China’s first foreign public cloud service provider, in compliance with government regulations.

Azure China features:
• Physically separated instance of Azure cloud services operated by 21Vianet.
• All data stays within China to ensure compliance.


Walkthrough – Explore the Azure Global infrastructure

Explore the Azure global infrastructure

1. Select Explore the Globe (after intro).
2. Notice the different icons (geography, regions, points of presence (PoP), and so on).
3. Find your location on the globe, then find the nearest PoP and region to your location.

Azure Resources
Azure resources are components like storage, virtual machines, and networks that are available to build cloud solutions.

Examples: Virtual Machines, Storage Accounts, Virtual Networks, App Services, SQL Databases, Functions.


Resource groups

A resource group is a container to group, manage and aggregate resources in a single unit.
• Resources can exist in only one resource group.
• Resources can exist in different regions.
• Resources can be moved to different resource groups.
• Applications can utilize multiple resource groups.

(Diagram: web + DB, VM, and Storage in one resource group, OR separate Web and DB, Virtual machine, and Storage resource groups.)


Azure Subscriptions

An Azure subscription provides you with authenticated and authorized access to Azure products and services.
• Billing boundary: generate separate billing reports and invoices for each subscription.
• Access control boundary: manage and control access to the resources that users can provision within specific subscriptions.


Management Groups

• Management groups can include multiple Azure subscriptions.
• Subscriptions inherit conditions applied to the management group.
• 10,000 management groups can be supported in a single directory.
• A management group tree can support up to six levels of depth.


Exercise – Create an Azure resource

Create an Azure resource, and monitor the resource group for the needed resources being created in the same group.

1. Create a virtual machine.
2. Monitor the resource group.


Compute and Networking



Compute and Networking – Objective Domain

• Compare compute types, including container instances, virtual machines, and functions.
• Describe virtual machine options, including virtual machines (VMs), virtual machine scale sets, virtual machine availability sets, and Azure Virtual Desktop.
• Describe resources required for virtual machines.
• Describe application hosting options, including Azure Web Apps, containers, and virtual machines.
• Describe virtual networking, including the purpose of Azure Virtual Networks, Azure virtual subnets, peering, Azure DNS, VPN Gateway, and ExpressRoute.


Azure compute services

Azure compute is an on-demand computing service that provides computing resources such as disks, processors, memory, networking, and operating systems.

Services: Virtual Machines, App Services, Container Instances, Azure Kubernetes Service (AKS), Azure Virtual Desktop.


Azure virtual machines

Azure Virtual Machines (VMs) are software emulations of physical computers.
• Include a virtual processor, memory, storage, and networking.
• IaaS offering that provides total control and customization.


VM scale sets

Scale sets provide a load-balanced opportunity to automatically scale resources.
• Scale out when resource needs increase.
• Scale in when resource needs are lower.


VM availability sets



Exercise – Create a Virtual Machine

Create a virtual machine in the Azure Portal, connect to the virtual machine, install the web server role, and test.

1. Create the virtual machine.
2. Install the web server package.


Azure Virtual Desktop

Azure Virtual Desktop is a desktop and app virtualization service that runs in the cloud.
• Create a full desktop virtualization environment without having to run additional gateway servers.
• Reduce the risk of resources being left behind.
• True multi-session deployments.


Azure Container Services
Azure Containers are a lightweight, virtualized environment that does not require operating system management, and can respond to changes on demand.

Azure Container Instances: a PaaS offering that runs a container or pod of containers in Azure.

Azure Container Apps: a PaaS offering like container instances that can load balance and scale.

Azure Kubernetes Service: an orchestration service for containers with distributed architectures and large volumes of containers.

Azure Functions

Azure Functions: a PaaS offering that supports serverless compute operations. Event-based code runs when called, without requiring server infrastructure during inactive periods.


Comparing Azure compute options

Virtual machines
• Cloud based server that supports either Windows or Linux environments.
• Useful for lift-and-shift migrations to the cloud.
• Complete operating system package, including the host operating system.

Virtual Desktop
• Provides a cloud based personal computer Windows desktop experience.
• Dedicated applications to connect and use, or accessible from any modern browser.
• Multi-client login allows multiple users to log into the same machine at the same time.

Containers
• Lightweight, miniature environment well suited for running microservices.
• Designed for scalability and resiliency through orchestration.
• Applications and services are packaged in a container that sits on top of the host operating system. Multiple containers can sit on one host OS.


Azure App Services

Azure App Service is a fully managed platform to build, deploy, and scale web apps and APIs quickly.
• Works with .NET, .NET Core, Node.js, Java, Python, or PHP.
• PaaS offering with enterprise-grade performance, security, and compliance requirements.


Azure networking services
Azure Virtual Network (VNet) enables Azure resources to
communicate with each other, the internet, and on-premises
networks.
• Public endpoints, accessible from anywhere on the
internet
• Private endpoints, accessible only from within your
network
• Virtual subnets, segment your network to suit your needs
• Network peering, connect your private networks directly
together



Walkthrough – Configure network access

Configure public access to the virtual machine created earlier.

1. Verify currently open ports.
2. Create a network security group.
3. Configure HTTP access (port 80).
4. Test the connection.
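Steps 2 and 3 of the walkthrough open port 80 by adding an allow rule to a network security group (NSG). The Python model below is added here as an illustration and is not part of the course material or Microsoft code; it implements how an NSG actually decides: rules are walked in ascending priority, the first match wins, and Azure's built-in default rules (AllowVnetInBound, AllowAzureLoadBalancerInBound, DenyAllInBound) sit behind every custom rule. The VNet address space, the rule names and the sample source addresses are constructed for the example, and the Internet service tag is simplified to "any address outside the VNet".

```python
import ipaddress
from dataclasses import dataclass

# Constructed address space of the virtual network the walkthrough VM sits in.
VNET = ipaddress.ip_network("10.0.0.0/16")
# Source address Azure's load balancer health probes come from (a documented constant).
AZURE_LB_PROBE = ipaddress.ip_address("168.63.129.16")


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # custom rules use 100-4096; the lowest number is evaluated first
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp", "Icmp" or "*"
    source: str        # CIDR or single IP, or a service tag: "Internet", "VirtualNetwork", "AzureLoadBalancer", "*"
    dest_ports: str    # "80", "1024-65535" or "*"


# Azure's built-in inbound default rules. They sit behind every custom rule, cannot be
# deleted, and can only be overridden by a custom rule with a lower priority number.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "AzureLoadBalancer", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*"),
]


def source_matches(rule_source: str, src: str) -> bool:
    ip = ipaddress.ip_address(src)
    if rule_source == "*":
        return True
    if rule_source == "VirtualNetwork":
        return ip in VNET
    if rule_source == "Internet":
        # Simplification for the model: the Internet tag is everything outside the VNet.
        return ip not in VNET
    if rule_source == "AzureLoadBalancer":
        return ip == AZURE_LB_PROBE
    return ip in ipaddress.ip_network(rule_source, strict=False)


def port_matches(rule_ports: str, port: int) -> bool:
    if rule_ports == "*":
        return True
    low, _, high = rule_ports.partition("-")
    return int(low) <= port <= int(high or low)


def evaluate_inbound(custom_rules, protocol: str, src: str, port: int) -> tuple:
    """Return (access, rule name) for one inbound flow.

    Rules are walked in ascending priority and the first match decides; nothing after
    a match is consulted, which is why a Deny at 200 beats an Allow at 300.
    """
    for rule in sorted(list(custom_rules) + DEFAULT_INBOUND, key=lambda r: r.priority):
        if rule.protocol not in ("*", protocol):
            continue
        if source_matches(rule.source, src) and port_matches(rule.dest_ports, port):
            return rule.access, rule.name
    raise RuntimeError("unreachable: DenyAllInBound matches every flow")


def internet_reachable_tcp_ports(custom_rules, probe_src: str = "198.51.100.1") -> list:
    """Audit check: every TCP port an arbitrary Internet address can reach.

    probe_src is a constructed address outside the VNet and outside any deny CIDR,
    so the result is what a random scanner would see.
    """
    return [p for p in range(65536) if evaluate_inbound(custom_rules, "Tcp", probe_src, p)[0] == "Allow"]


# Constructed rule set: the walkthrough's "open port 80" rule plus a targeted deny
# for one address range that has to win over it, so it gets the lower number.
WEB_RULES = [
    Rule("allow-http-inbound", 300, "Allow", "Tcp", "Internet", "80"),
    Rule("deny-http-from-scanner-range", 200, "Deny", "Tcp", "203.0.113.0/24", "80"),
]

if __name__ == "__main__":
    for src, port in [("198.51.100.7", 80), ("203.0.113.10", 80), ("198.51.100.7", 22), ("10.0.1.4", 22)]:
        print(f"tcp {src} -> :{port}", evaluate_inbound(WEB_RULES, "Tcp", src, port))
    print("TCP ports reachable from the Internet:", internet_reachable_tcp_ports(WEB_RULES))
```

The Deny at priority 200 shadows the Allow at 300 for the one address range, while port 22 from the Internet is still caught by DenyAllInBound and traffic inside the VNet is admitted by AllowVnetInBound. Running internet_reachable_tcp_ports before finishing the walkthrough is the check that matters: the same mechanism that opens port 80 will just as readily expose RDP or SSH if a broader rule is added later.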


Azure networking services: VPN Gateway
VPN Gateway is used to send encrypted traffic
between an Azure virtual network and an on-
premises location over the public internet.



Azure networking services: ExpressRoute
ExpressRoute extends on-premises networks into Azure over a private connection that is facilitated by a connectivity provider.


Azure DNS

• Reliability and performance by leveraging a global network of DNS name servers using Anycast networking.
• Azure DNS security is based on Azure Resource Manager, enabling role-based access control, monitoring, and logging.
• Ease of use for managing your Azure and external resources with a single DNS service.
• Customizable virtual networks allow you to use private, fully customized domain names in your private virtual networks.
• Alias records support alias record sets that point directly to an Azure resource.

Storage



Storage – Objective Domain

• Compare Azure storage services.
• Describe storage tiers.
• Describe redundancy options.
• Describe storage account options and storage types.
• Identify options for moving files, including AzCopy, Azure Storage Explorer, and Azure File Sync.
• Describe migration options, including Azure Migrate and Azure Data Box.


Storage accounts

• Must have a globally unique name.
• Provide over-the-internet access worldwide.
• Determine storage services and redundancy options.


Storage redundancy

Redundancy configuration            Deployment                                                                          Durability
Locally redundant storage (LRS)     Single datacenter in the primary region                                             11 nines
Zone-redundant storage (ZRS)        Three availability zones in the primary region                                      12 nines
Geo-redundant storage (GRS)         Single datacenter in the primary and secondary region                               16 nines
Geo-zone-redundant storage (GZRS)   Three availability zones in the primary region and a single datacenter in the secondary region   16 nines


Azure storage services
Azure Blob: optimized for storing massive amounts of unstructured data, such as text or binary data.

Azure Disk: provides disks for virtual machines, applications, and other services to access and use.

Azure Queue: message storage service that provides storage and retrieval for large amounts of messages, each up to 64 KB.

Azure Files: sets up a highly available network file share that can be accessed by using the Server Message Block protocol.

Azure Tables: provides a key/attribute option for structured non-relational data storage with a schema-less design.

Storage service public endpoints

Storage service           Public endpoint
Blob Storage              https://<storage-account-name>.blob.core.windows.net
Data Lake Storage Gen2    https://<storage-account-name>.dfs.core.windows.net
Azure Files               https://<storage-account-name>.file.core.windows.net
Queue Storage             https://<storage-account-name>.queue.core.windows.net
Table Storage             https://<storage-account-name>.table.core.windows.net


Azure storage access tiers

Hot: Optimized for storing data that is accessed frequently.
Cool: Optimized for storing data that is infrequently accessed and stored for at least 30 days.
Cold: Optimized for storing data that is infrequently accessed and stored for at least 90 days.
Archive: Optimized for storing data that is rarely accessed and stored for at least 180 days, with flexible latency requirements.

You can switch between these access tiers at any time.


Exercise - Create a storage blob

Create a storage account with a


blob storage container. Work with
blob files.
1. Create a storage account.
2. Create a blob container.
3. Upload and access a blob.



Azure Migrate

• Unified migration platform.
• Range of integrated and standalone tools.
• Assessment and migration.


Azure Data Box

• Store up to 80 terabytes of data.
• Move your disaster recovery backups to Azure.
• Protect your data in a rugged case during transit.
• Migrate data out of Azure for compliance or regulatory needs.
• Migrate data to Azure from remote locations with limited or no connectivity.


File management options

AzCopy
• Command line utility.
• Copy blobs or files to or from your storage account.
• One-direction synchronization.

Azure Storage Explorer
• Graphical user interface (similar to Windows Explorer).
• Compatible with Windows, macOS, and Linux.
• Uses AzCopy to handle file operations.

Azure File Sync
• Synchronizes Azure and on-premises files in a bidirectional manner.
• Cloud tiering keeps frequently accessed files local, while freeing up space.
• Rapid reprovisioning of a failed local server (install and resync).


Identity, Access, and Security



Identity, Access, and Security – Objective Domain

• Describe directory services in Azure, including Microsoft Entra ID and Microsoft Entra Domain Services.
• Describe authentication methods in Azure, including single sign-on (SSO), multifactor authentication (MFA), and passwordless.
• Describe external identities and guest access in Azure.
• Describe Microsoft Entra Conditional Access.
• Describe Azure role-based access control (RBAC).
• Describe the concept of Zero Trust.
• Describe the purpose of the defense in depth model.
• Describe the purpose of Microsoft Defender for Cloud.

Microsoft Entra ID

Microsoft Entra ID is Microsoft’s cloud-based identity and access management service.
• Authentication (employees sign in to access resources).
• Single sign-on (SSO).
• Application management.
• Business to Business (B2B).
• Device management.


Microsoft Entra Domain Services

• Gain the benefit of cloud-based domain services without managing domain controllers.
• Run legacy applications (that can’t use modern auth standards) in the cloud.
• Automatically sync from Microsoft Entra ID.

Compare Authentication and Authorization

Authentication
• Identifies the person or service seeking access to a resource.
• Requests legitimate access credentials.
• Basis for creating secure identity and access control principles.

Authorization
• Determines an authenticated person’s or service’s level of access.
• Defines which data they can access, and what they can do with it.


Multi-Factor Authentication
Provides additional security for your identities by requiring two or more elements for full authentication.
• Something you know
• Something you possess
• Something you are


Microsoft Entra External ID B2B



Azure AD External Identities B2C



Conditional Access

Conditional Access is used to bring signals together, to make decisions, and to enforce organizational policies.

Signals:
• User or group membership
• IP location
• Device
• Application
• Risk detection
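How those signals combine into a decision is not shown on the slide. The Python model below is added here as an illustration; it is not Microsoft code and does not call the Entra API. Each policy carries assignment conditions drawn from the signal list (group, app, location, sign-in risk) and grant controls; every policy that matches a sign-in is evaluated, a Block control wins outright, and otherwise the grant controls of all matching policies are required together. The trusted named location, the group and app names, and the three policies are constructed for the example.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed "named location" for the corporate egress range; anything else is untrusted.
TRUSTED_LOCATIONS = [ipaddress.ip_network("203.0.113.0/24")]
RISK_ORDER = {"none": 0, "low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class SignIn:
    user: str
    groups: frozenset[str]
    ip: str
    app: str
    device_compliant: bool
    sign_in_risk: str = "none"   # "none", "low", "medium" or "high"


@dataclass(frozen=True)
class Policy:
    name: str
    groups: frozenset[str] | None = None      # None = all users
    apps: frozenset[str] | None = None        # None = all cloud apps
    untrusted_location_only: bool = False     # apply only when the IP is outside a trusted location
    min_risk: str = "none"                    # apply only when sign-in risk is at least this level
    controls: frozenset[str] = frozenset()    # any of "block", "mfa", "compliant_device"


def is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_LOCATIONS)


def applies(policy: Policy, s: SignIn) -> bool:
    """Assignment conditions: every configured condition must match for the policy to apply."""
    if policy.groups is not None and not (policy.groups & s.groups):
        return False
    if policy.apps is not None and s.app not in policy.apps:
        return False
    if policy.untrusted_location_only and is_trusted(s.ip):
        return False
    return RISK_ORDER[s.sign_in_risk] >= RISK_ORDER[policy.min_risk]


def decide(policies, s: SignIn) -> tuple:
    """Combine all matching policies: a block wins; otherwise the grant controls of every
    matching policy are required together (they are ANDed, not chosen between)."""
    required: set[str] = set()
    for p in policies:
        if applies(p, s):
            if "block" in p.controls:
                return "block", frozenset()
            required |= p.controls
    return "grant", frozenset(required)


def access_granted(policies, s: SignIn, mfa_completed: bool) -> bool:
    """Final enforcement: the sign-in succeeds only if every required control is satisfied."""
    verdict, controls = decide(policies, s)
    if verdict == "block":
        return False
    if "mfa" in controls and not mfa_completed:
        return False
    if "compliant_device" in controls and not s.device_compliant:
        return False
    return True


# Constructed policy set.
POLICIES = [
    Policy("Block high-risk sign-ins", min_risk="high", controls=frozenset({"block"})),
    Policy("Admins always MFA", groups=frozenset({"GlobalAdmins"}), controls=frozenset({"mfa"})),
    Policy("Finance app off-network needs a managed device",
           apps=frozenset({"FinanceApp"}), untrusted_location_only=True,
           controls=frozenset({"mfa", "compliant_device"})),
]

if __name__ == "__main__":
    admin = SignIn("alice", frozenset({"GlobalAdmins"}), "203.0.113.5", "AzurePortal", True)
    remote = SignIn("bob", frozenset({"Finance"}), "198.51.100.9", "FinanceApp", False)
    print(decide(POLICIES, admin))                              # ('grant', frozenset({'mfa'}))
    print(decide(POLICIES, remote))                             # ('grant', {'mfa', 'compliant_device'})
    print(access_granted(POLICIES, remote, mfa_completed=True))  # False: device is not compliant
```

Note the ordering: the block decision short-circuits before any grant control is collected, and a policy that applies to all users with no group filter (the high-risk block) still applies to administrators, which is the behaviour a practitioner should expect from the real service as well.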


Role-based access control

• Fine-grained access management.
• Segregate duties within the team and grant only the amount of access to users that they need to perform their jobs.
• Enables access to the Azure portal and controlling access to resources.

(Diagram: users, apps, and user groups in Microsoft Entra ID are granted roles at the Azure subscription and resource group scopes.)
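The Management Groups slide earlier states that subscriptions inherit conditions applied to the management group, and this slide shows roles granted at subscription and resource group scope. The Python model below is added as an illustration (it is not Microsoft code) to make that inheritance concrete: a role assignment made at management group, subscription or resource group scope reaches every descendant scope, permissions from several assignments are additive, and a role's NotActions subtract only from that role's own Actions. The scope tree, principal names and assignments are constructed for the example; the three role definitions are simplified copies of the built-in Reader, Contributor and Virtual Machine Contributor roles.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Constructed scope tree following the slide hierarchy:
# management group -> subscription -> resource group -> resource.
PARENT = {
    "mg:contoso": None,
    "mg:production": "mg:contoso",
    "sub:prod-web": "mg:production",
    "rg:prod-web/web-rg": "sub:prod-web",
    "rg:prod-web/db-rg": "sub:prod-web",
    "vm:prod-web/web-rg/web01": "rg:prod-web/web-rg",
    "sa:prod-web/db-rg/dbbackups": "rg:prod-web/db-rg",
}

# Simplified copies of three built-in roles as (Actions, NotActions).
# Wildcards follow Azure's convention: '*' is everything, '*/read' is any read operation.
ROLES = {
    "Reader": ({"*/read"}, set()),
    "Contributor": ({"*"}, {"Microsoft.Authorization/*/Write",
                            "Microsoft.Authorization/*/Delete",
                            "Microsoft.Authorization/elevateAccess/Action"}),
    "Virtual Machine Contributor": ({"Microsoft.Compute/virtualMachines/*"}, set()),
}


@dataclass(frozen=True)
class Assignment:
    principal: str
    role: str
    scope: str


def scope_chain(scope: str) -> list:
    """The scope itself followed by each ancestor up to the root management group."""
    chain = []
    while scope is not None:
        chain.append(scope)
        scope = PARENT[scope]
    return chain


def role_permits(role: str, action: str) -> bool:
    """Azure matches operation names case-insensitively, so compare lower-cased strings."""
    actions, not_actions = ROLES[role]
    op = action.lower()
    return (any(fnmatchcase(op, pat.lower()) for pat in actions)
            and not any(fnmatchcase(op, pat.lower()) for pat in not_actions))


def effective_assignments(assignments, principal: str, scope: str) -> list:
    """Assignments that reach `scope`: made at it directly or inherited from any ancestor."""
    reach = set(scope_chain(scope))
    return [a for a in assignments if a.principal == principal and a.scope in reach]


def is_allowed(assignments, principal: str, action: str, scope: str) -> bool:
    """Azure RBAC is additive: the action is allowed if any effective assignment permits it."""
    return any(role_permits(a.role, action)
               for a in effective_assignments(assignments, principal, scope))


# Constructed assignments: an auditor reads everything from the root management group,
# a VM operator is scoped to one resource group, and a DevOps identity is Contributor
# on the whole subscription.
ASSIGNMENTS = [
    Assignment("auditor", "Reader", "mg:contoso"),
    Assignment("vm-ops", "Virtual Machine Contributor", "rg:prod-web/web-rg"),
    Assignment("devops", "Contributor", "sub:prod-web"),
]

if __name__ == "__main__":
    vm = "vm:prod-web/web-rg/web01"
    backups = "sa:prod-web/db-rg/dbbackups"
    print(is_allowed(ASSIGNMENTS, "auditor", "Microsoft.Compute/virtualMachines/read", vm))          # True
    print(is_allowed(ASSIGNMENTS, "vm-ops", "Microsoft.Storage/storageAccounts/read", backups))      # False
    print(is_allowed(ASSIGNMENTS, "devops", "Microsoft.Authorization/roleAssignments/write", vm))    # False
    for a in effective_assignments(ASSIGNMENTS, "auditor", backups):
        print("inherited:", a.role, "from", a.scope)
```

The last check is the one worth remembering from this slide: Contributor at subscription scope can create and delete almost anything beneath it, but cannot grant roles, because the built-in role's NotActions carve Microsoft.Authorization writes out. Granting Owner instead would remove that boundary for the whole subscription and everything it inherits to.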


Zero Trust



Defense in depth

• A layered approach to securing computer systems.
• Provides multiple levels of protection.
• Attacks against one layer are isolated from subsequent layers.

Layers (outermost to innermost): Physical Security, Identity & Access, Perimeter, Network, Compute, Application, Data.


Microsoft Defender for Cloud

Microsoft Defender for Cloud is a monitoring service that provides threat protection across both Azure and on-premises datacenters.

• Provides security recommendations.
• Detects and blocks malware.
• Analyzes and identifies potential attacks.
• Just-in-time access control for ports.


Knowledge Check – Learning Path 2

Which one?
A) Azure Portal
B) PowerShell
C) Local Tool

(Instructor placeholder: populate with instructions for the polling tool of your choice and have learners participate in the quiz for this section.)


Learning Path 02 Review

• Physical and management infrastructure of Microsoft Azure
• Compute and networking services
• Storage services
• Identity, access, and security

Microsoft Learn Modules (docs.microsoft.com/Learn)