AZ-900 Azure Fundamentals Study Cram (2025 Updated) - Pass the Exam in 2 hours!
Summary
Dive into Azure Fundamentals with Luke J Byrne in his comprehensive AZ-900 cram session designed to prepare you for the certification exam in just two hours. This video breaks down essential Azure concepts, touching on cloud computing, shared responsibility models, cloud services, Azure architecture, identity, and governance. Each segment is dissected into digestible parts to help you understand, retain, and apply your knowledge effectively for the exam.
Highlights
Luke J Byrne demystifies Azure AZ-900 in two hours!
Explore key components of Azure architecture and services.
Learn about cloud computing and its different models: Public, Private, and Hybrid.
Understand the shared responsibility model in cloud services.
Delve into Azure's cost management and monitoring strategies.
Discover Azure's identity and access management with Entra ID.
Key Takeaways
Power through the Azure AZ-900 exam with Luke's two-hour blitz!
Learn how cloud computing delivers compute services over the Internet using massive data centers.
Explore Azure's shared responsibility model with SaaS, PaaS, and IaaS.
Discover Azure's physical architecture with regions and availability zones.
Familiarize yourself with Azure's management tools and governance, like cost management and Azure Policy.
Overview
Luke J Byrne kicks off this AZ-900 Azure Fundamentals study cram by focusing on the three essential modules needed to excel in the exam. He starts by explaining cloud computing basics and illustrates how these services are delivered through vast networks of data centers, making it easy to access compute resources globally.
Moving on, Luke dives into Azure's managed architecture, covering the shared responsibility model which distinguishes between SaaS, PaaS, and IaaS. He highlights the importance of understanding Azure's infrastructure, including regions and availability zones, which ensure reliability and scalability.
The session wraps up with a thorough overview of management tools available in Azure. Luke emphasizes cost management strategies, Azure Policy for governance, and identity management with Entra ID, providing valuable insights into maintaining secure and efficient cloud environments.
Chapters
00:00 - 00:30: Introduction to AZ-900 The chapter provides an introduction to AZ-900 and aims to help readers pass the exam efficiently.
00:30 - 10:00: Understanding Cloud Computing Cloud computing is the delivery of computer services over the Internet. It involves using another computer's resources via an internet connection to perform tasks, rather than relying on the local device's computing capabilities. Essentially, when engaging in cloud computing, one is utilizing someone else's computer over the Internet for various computational activities.
10:00 - 15:00: Describing Cloud Benefits The chapter titled 'Describing Cloud Benefits' covers the concept of big data centers which house numerous computers, as opposed to personal computers in homes. It introduces the shared responsibility model and explains the three types of cloud services: Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS). In IaaS, the infrastructure is provided to the user, akin to providing a computer for use.
15:00 - 18:00: Describing Cloud Services Types The chapter 'Describing Cloud Services Types' explains the different types of cloud services available, focusing on the responsibilities of the user and the provider. It mentions having a service without an operating system, where the user is responsible for all software and maintenance except for hardware issues, which are the provider's responsibility. It also introduces 'Software as a Service' (SaaS), where a complete software package is provided. In SaaS, while the software maintenance is handled by the service provider, managing the data and access remains the user's responsibility.
18:00 - 23:00: Azure Architecture Overview The 'Azure Architecture Overview' chapter explores Platform as a Service (PaaS), describing it as a middle ground between other service models. It emphasizes the concept of shared responsibility, with a specific focus on application management, networking control, and access management. Responsibility is delineated in terms of who manages applications, controls network access, and handles accounts and identities.
23:00 - 28:00: Compute and Networking (Part 1) The chapter 'Compute and Networking (Part 1)' introduces cloud models, explaining public, private, and hybrid clouds. It discusses how a public cloud is used via platforms like Azure, where users can purchase resources such as virtual machines. The responsibility of data management in different cloud models is emphasized.
28:00 - 33:00: Compute and Networking (Part 2) The chapter discusses the concept of hybrid cloud, where both private and public cloud environments are used. It highlights the flexibility of using multiple cloud platforms like Azure, AWS, and Google Cloud Platform (GCP), allowing organizations to designate which data or applications remain private and which can be public. The narrative exemplifies how teams can utilize different cloud services tailored to their specific needs, such as using a pre-existing data analytics platform spread across different cloud providers.
33:00 - 40:00: Azure Storage Overview The chapter titled 'Azure Storage Overview' discusses the use of Azure in the context of a multicloud strategy. It mentions Azure Arc, a service that extends Azure's platform capabilities to different environments, providing hybrid and multicloud management solutions. This is highlighted as a fundamental aspect of understanding Azure's role in diverse IT infrastructures.
40:00 - 45:00: Identity and Access Management This chapter discusses VMware Solutions as part of Identity and Access Management, focusing on how VMware serves as a virtual machine platform. It explains the basic concept of virtual machines (VMs), where physical machine resources are virtualized into independent entities acting as standalone machines. The narrative highlights VMware's popularity in facilitating VMs and briefly mentions Azure's capabilities in conjunction with VMware solutions. The integration of VMware within systems allows for more efficient resource management and deployment strategies in the context of Identity and Access Management.
45:00 - 50:00: Authentication Methods and External Identities This chapter discusses the concept of virtualization in the context of Azure, emphasizing the ease with which virtual components can be moved between local computers and Azure's cloud infrastructure due to its inherent virtualization features. The chapter also introduces the consumption-based model, focusing on the distinction between capital expenditure (capex) and operational expenditure (Opex).
50:00 - 57:00: Identity and Security Overview The chapter titled 'Identity and Security Overview' explains the difference between operating expenditure (Opex) and capital expenditure (Capex) using examples. Capex is described as investments, such as buying a computer or a new roof for a house. Opex, on the other hand, involves regular expenses like hiring a window cleaner. The chapter connects these concepts to cloud computing, emphasizing the consumption-based model typical in cloud services.
57:00 - 63:00: Cost Management in Azure The chapter discusses the concept of cost management in Azure, highlighting the pay-as-you-go model commonly used in cloud computing. This model allows users to only pay for the resources they consume, referred to as operational expenditure, rather than upfront costs. The flexibility of this model means users can opt for private cloud solutions with specific resources, but the core idea remains - users pay only for what they use, comparable to paying a service fee each time a service is provided.
63:00 - 69:00: Governance and Compliance This chapter begins with an introduction to cloud computing as a method for renting computing power and storage from external data centers, essentially using remote computers. The focus is on understanding this concept within the context of governance and compliance in cloud systems.
69:00 - 74:00: Managing and Deploying Resources This chapter discusses high availability as a crucial component of managing and deploying resources in Azure. It covers Service Level Agreements (SLAs) which provide uptime guarantees for each service line, ensuring that services are available as much as possible. The chapter emphasizes the importance of making services highly available, meaning accessible to users all the time. Each service within Azure comes with a minimum guaranteed uptime, highlighting commitment to service reliability.
74:00 - 78:00: Monitoring in Azure This chapter covers the advantages of cloud computing in terms of reliability and scalability, specifically focusing on Azure's capabilities. It mentions the high availability of services, described as operating 99.9999% of the time. It also highlights the flexibility of the pay-as-you-go model in cloud computing, which allows businesses to scale their resources up or down based on demand. This means that costs are optimized since users only pay for the resources they consume when they experience increased customer traffic.
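The SLA and high-availability points in the chapters above come down to a little availability arithmetic. This is an added worked example, not code from the video or from Microsoft; the 30-day month, the assumption that services fail independently of each other, and the sample SLA figures are all assumptions chosen for illustration.

```python
"""Availability arithmetic behind SLAs, composite SLAs and redundancy.

Added worked example (not from the video). It turns an SLA percentage into
an allowed-downtime budget, composes the SLAs of services that must ALL be up
for an application to work, and shows how replicating a service across two
availability zones or a region pair raises the availability you can expect.
Assumption throughout: components fail independently of one another.
"""
from __future__ import annotations

# Simplifying assumption: a 30-day month.
MINUTES_PER_MONTH = 30 * 24 * 60


def downtime_minutes(sla_percent: float, minutes: int = MINUTES_PER_MONTH) -> float:
    """Maximum downtime an SLA permits over a window of `minutes` minutes."""
    if not 0 <= sla_percent <= 100:
        raise ValueError("SLA must be a percentage between 0 and 100")
    return (1 - sla_percent / 100) * minutes


def composite_sla(sla_percents: list[float]) -> float:
    """Availability of a chain of services that must ALL be up (serial dependency).

    The product of the individual availabilities; the composite is always
    lower than the weakest link, which is the point of the exercise.
    """
    availability = 1.0
    for p in sla_percents:
        if not 0 <= p <= 100:
            raise ValueError("SLA must be a percentage between 0 and 100")
        availability *= p / 100
    return availability * 100


def redundant_sla(sla_percent: float, replicas: int) -> float:
    """Availability when ANY ONE of `replicas` independent copies suffices.

    Models the same workload placed in two availability zones or replicated
    to a paired region: everything is down only if every copy is down.
    """
    if replicas < 1:
        raise ValueError("need at least one replica")
    if not 0 <= sla_percent <= 100:
        raise ValueError("SLA must be a percentage between 0 and 100")
    all_fail = (1 - sla_percent / 100) ** replicas
    return (1 - all_fail) * 100


if __name__ == "__main__":
    # Constructed sample figures, not any service's published SLA.
    web_tier, database, identity = 99.95, 99.99, 99.9
    chain = composite_sla([web_tier, database, identity])
    print(f"single-region chain: {chain:.4f}% "
          f"(~{downtime_minutes(chain):.1f} min/month allowed downtime)")
    print(f"identity tier alone:      {identity}% "
          f"(~{downtime_minutes(identity):.1f} min/month)")
    print(f"identity tier in 2 zones: {redundant_sla(identity, 2):.4f}% "
          f"(~{downtime_minutes(redundant_sla(identity, 2)):.3f} min/month)")
```

Running the script shows why a 99.9% component replicated across two zones lands at the 99.9999% figure the video quotes, while chaining three single-copy services drags the whole application below any one of them.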
AZ-900 Azure Fundamentals Study Cram (2025 Updated) - Pass the Exam in 2 hours! Transcription
00:00 - 00:30 welcome to T Tech my name is Luke and I am going to blitz AZ-900 so that you can pass the exam in as little time as possible now the AZ-900 it has essentially three main modules describing the cloud describing the architecture and describing the management now each of these is then split into units so three in that one four in that one four in that one so what we're doing is we've broken it out into this mind map and we're just going to blitz the concepts today we're first looking at describing cloud computing let's get into
00:30 - 01:00 it so what is cloud computing essentially it's just delivering compute services over the Internet you're watching this on a device right now that device has a computer in it or it is a computer now when you go and do cloud computing what that actually means is you are accessing compute resources over the Internet meaning you are essentially using someone else's computer over an internet connection to access it to get it to do stuff now these computers
01:00 - 01:30 they're not just normally people's machines sitting in their house like yours they're in these big massive data centers which is just a big massive building or warehouse type of thing which has a bunch of computers in it and that's essentially it next up shared responsibility model so these three flavors are software as a service platform as a service infrastructure as a service infrastructure as a service you are getting the infrastructure provided in that set so basically they're like here's my computer you can
01:30 - 02:00 use it with no operating system or anything you then have to bring your own operating system on it or download one and blah blah blah so you're now responsible for everything other than the computer itself as in if the pill dies or something that's Azure's responsibility or Microsoft but everything else is pretty much yours the other side of that is you get software as a service which is where you get the entire software package to use as a service now that's everything up until the application which then just means that all your data and stuff that's on and who accesses it that's then your responsibility but they're giving
02:00 - 02:30 you the software to then use in the middle of that is platform as a service which is kind of like halfway between each there's a bit of a shared responsibility which is branched over more parts here as you can see so the applications that are on the platform that's kind of your responsibility the networking control so who can come in and out etc and then this stuff at the top which is the access so the accounts and identities of people that can access the stuff the devices and the information and
02:30 - 03:00 data on it they're always your responsibility so next up let's look at cloud models so you get the public cloud private cloud hybrid cloud public cloud is basically when you go into Azure and you want to just buy some resources to use like a virtual machine or something that's the public cloud you're just going on part of the public bottom public access you can do it private cloud this is where you're not
03:00 - 03:30 part of the public so you can have private agreements on what you can use what you can't use this is mine that's mine blah blah blah right hybrid cloud a mix of both so you can have some of your stuff which is like agreed with Azure this is mine don't let anyone touch it blah blah blah and then other stuff you I don't really care I always about public now so you want to use more than just Azure you could use AWS or GCP which are cloud platforms from Amazon and Google respectively now you can have some stuff from each of these so say like you know your team already has an existing data analytics platform within
03:30 - 04:00 Google then you can also use Azure if you really want to if you have better cost and or services that you want and then that's called multicloud now you can use this thing called Azure Arc which as it says is a bridge that extends the Azure platform to your environments now if we go to the Azure Arc website here so Azure Arc you can see that it says hybrid and multicloud management so basically that's all you need to know for the fundamentals
04:00 - 04:30 there's also VMware Solutions VMware is a virtual machine ware so you have your physical machine right now that physical machine is made up of resources virtual machine is virtualizing these resources into like a little bit which is like its own machine that's basically how you can think of it and VMware is a popular way to use virtual machines or to enable virtual machines within your machine and a VMware solution is Azure has capabilities to
04:30 - 05:00 kind of extend that virtualization such that it's part of Azure basically meaning you can either quickly move it so the virtual components that you're using you can move them from your computer up into Azure or you can use that and extend it up into Azure because it's so virtualized anyway so that's cloud models next up is we have to understand the consumption based model so the main thing you need to know for this really is capex versus opex capex is capital
05:00 - 05:30 expenditure opex is operating expenditure you can think of capital expenditure capex as investments you go and you buy a computer that's capex you go and I don't know buy a new roof for your house that's capex but say you want a window cleaner to come you want to come every quarter every month that's opex that's operational expenditure in the same way with the cloud the reason this consumption based model is that is
05:30 - 06:00 because it's generally pay as you go in the cloud right now I say generally because you can choose to not do this if you want to you know do some private cloud stuff and have the specific set of resources for you but in any case consumption based is you only pay for what you use which means that you do this operational expenditure you don't pay an entire year's worth of salary to the window cleaner you pay every time it comes right which is whenever you want
06:00 - 06:30 them to be there and so basically to leave on this or to end on this cloud computing is a way to rent compute power and storage from someone else's data center which is just a computer welcome to in Tech my name is Luke and I'm going to get you to pass the AZ-900 Azure Fundamentals exam as soon as possible last time we spoke about describing cloud computing which was the first unit of the first module we're going to cover the second unit of this first module which is benefits so let's zoom in no BL
06:30 - 07:00 this high availability so each service line has an uptime guarantee as part of their SLA which is a service line agreement basically high availability means you want your services to be available as much as possible highly available now that just simply means that you want people to be able to access them all the time and each service within Azure has a minimum guaranteed amount that it will be available and most of the time it's like
07:00 - 07:30 99.9999% of the time which is a lot of the time next up scalability this is just adjusting to meet demands and it's a benefit from the pay as you go model so if we talked about here in cloud computing is that opex is essentially pay as you go now because you're only paying as you need it when you have more customers coming to access your website and you now need to handle more of these customers you can just scale up your website pay for that then scale it back
07:30 - 08:00 down and then you're only paying for this much that's it you get two different types of scaling you get vertical scaling and you get horizontal scaling horizontal scaling would be like my machine can't handle it let me add another machine vertical scaling would be my machine can't handle it let me upgrade my machine essentially that's it next up reliability so reliability is ability of a system to recover from failures and continue to function so high availability is just like will it
08:00 - 08:30 be there all the time reliability is if it breaks can we get it back up so from the decentralized across region design of the cloud so the cloud is designed to be reliable because if something fails it should be backed up somewhere else now you as a customer as a consumer are partly responsible for this because you have to enable it often right some services you don't have to but sometimes you have to enable it to say that
08:30 - 09:00 if this virtual machine breaks I want it to be backed up in another region and that will sort you out so next up is predictability so as I'd spoken about with scaling for instance you get performance prediction so you can autoscale you can do a thing called load balancing which is basically you can imagine if I had five computers and have one guy coming in who's it go to doesn't matter if I have 10 guys going in it now matters because maybe one computer can only handle so say three I can't give
09:00 - 09:30 all 10 to one computer so I'll try and give two to each to balance out now the next thing here is cost cost prediction now you can track in real time that's one of the benefits of the cloud and you can then leverage this data by using data analytics to then try and figure out when could I you know predict spikes so that I can try and prepare for them so maybe I don't have to pay for stuff to spin up all the time I can try and predict it by spinning them up just
09:30 - 10:00 beforehand blah blah blah right now you can also do this by using the pricing calculator within Microsoft or you can use like total cost of ownership but that's another type of price calculator next up is governance so things like set templates they can help you ensure deployed resources meet corporate standards and government regulatory requirements for instance you get this thing policy as code right so you get Azure policies which you can then review to make sure that you're up to date with
10:00 - 10:30 the most recent regulations and guidelines additionally you can update all your deployed resources to new standards as they change now cloud-based auditing helps flag any resource that's out of compliance for example using policies now security and governance both of these have benefits when using software as a service because if we go back up here to the shared responsibility model and so you can see here the operating system and network controls
10:30 - 11:00 are managed by Microsoft now you can be pretty sure that the team at Microsoft who manage specific network controls or specific operating systems are probably more up to date with the security and governance than you are right next up for security cloud services are well suited to handle things like DDoS attacks DDoS is distributed denial of service and what that means is essentially the services that you're trying to provide say website are denied because some guy has
11:00 - 11:30 made a bot for instance which sends out loads of requests to your website so say your website can only handle 10 requests this is completely unrealistic but you get the gist say it can handle 10 requests this bot will spoof a bot to make a bunch of like I don't know 50 requests because then suddenly as soon as it hits your computer it's done for it's done well cloud services have been made to work within the internet as we said it's just accessing someone's data center through the internet so they're
11:30 - 12:00 highly tuned to defend against attacks such as these now finally we have manageability we have manageability of the cloud and we have manageability in the cloud so of the cloud is things like automatically scaling resources as you need deploying resources based on preconfigured templates monitoring health of resources and automatically replacing failed resources receiving automatic alerts based on configured metrics right so you can
12:00 - 12:30 always be aware of performance in real time so this is how you're managing the cloud right or your cloud resources for in the cloud we have four different kinds the portal PowerShell APIs and CLI so first is the web portal this is what you'll use when you're accessing the URL so most people will be interacting with Azure like this just kind of noobs essentially right PowerShell APIs and CLI these are programmatic
12:30 - 13:00 ways to do it so this is just using the website these are using some degree of programming so you get PowerShell which is essentially like if you imagine a coding language built on top of a CLI CLI basically being this here like a command line so CLI means command line interface and this is just another way of interacting with your operating system for example so instead of using
13:00 - 13:30 file explorer you can just open up this text based view of your kind of operating system of your computer and interact with it that way so PowerShell is like that but plus a programming language so you can download programming languages onto it and then you can it's optimized for efficiency etc right and it's only on Windows next up APIs application programming interfaces so this is where you write code which can then access Azure services via just writing a
13:30 - 14:00 specific function or bit of code which calls it so you can imagine if you're very new to this that the application has a doorway and you're coding to get into that doorway so you can use the app finally CLI as we've spoken about it is just command line interface it's just a way to interact via writing things on this command line welcome to in Tech my name is Luke and I'm going to get you to pass the AZ-900 Azure
14:00 - 14:30 Fundamentals exam as soon as possible so in the previous episode we covered the first module first unit first module second unit and now finally it's the first module third unit which is describing cloud services and types so it's really just a continuation of our kind of shared responsibility where we spoke about SaaS PaaS and IaaS briefly what they are is aaS is as a service so you get software as a service SaaS
14:30 - 15:00 platform as a service PaaS infrastructure as a service IaaS and so what they are in short is IaaS is simply providing infrastructure as a service so you can buy the use of infrastructure it would be like me renting you my laptop software as a service would be like me letting you run your own Facebook as a service right and then platform as a service is the middle ground in there right my example that I give is GitHub
15:00 - 15:30 if you don't know what that is it's a place to store code and to run code against that code but basically they're just giving you the framework so kind of they're giving you like they're giving you essentially like a ring binder and you still have to put the pages in type of thing right and so essentially it's for running and maintaining applications as opposed to being an application in and of itself so if we come all the way down here describe these cloud types so
15:30 - 16:00 IaaS is optimized or these are optimized for lift and shift migrations which is essentially where you would have your on-prem data center right and you're wanting to basically move that into the cloud and so instead of physically lifting the boxes and carrying them into someone else's data center you'll just like right I need this stuff but in your cloud exactly as it is because often what you should do if you're moving to the cloud is re-architect it because things the cloud offers things and services
16:00 - 16:30 which you could leverage for often cost and security optimizations they're also best for test and development environments so for IaaS you can just bring up some infrastructure and then you can run your code on it as you need and then tear it back down and then bring it back up etc such as using things like Terraform which we have videos about they're best for testing dev next up we have platform as a service so we don't have to worry about licensing or patching so like with
16:30 - 17:00 Windows right you'd normally have to have a Windows license if you're doing this infrastructure as a service you would have to bring your own license for example using a lift and shift right and you would have to worry about patching the operating system to make sure it was up to date don't have to do that with PaaS it's kind of like best for a development place but without the infrastructure overhead so without this for example it's also good for analytics or business intelligence and that's where you're basically trying to mine through data so
17:00 - 17:30 you're looking through data to try and predict the future or you know forecast sales for example finally we have SaaS software as a service this is best for if you're wanting to use an app for example emails Outlook messaging apps Teams finance tracking you know that's different stuff I put finance tracking in there because often in the exam it asks you about that but anyway that is describing the cloud service types and that is us concluded the cloud concepts
17:30 - 18:00 module welcome I'm Luke a cloud consultant and today it's unit four of our study cram for AZ-900 which is the Azure Fundamentals previously we've covered cloud concepts describe benefits and the service types today we're moving on to Azure architecture specifically we're going to talk about the core architecture of Azure so start us off what is Azure well continually expanding set of cloud services it's currently over 100 they
18:00 - 18:30 help you meet current and future business challenges so when you set up an Azure account you'll see there's a variety of layers here so first you have the account which you create an account can have multiple subscriptions which are logically distinct parts and within each of these subscriptions you can have a bunch of resource groups which can then have a bunch of resources that's just a basic structure now to get an account you can get it via Azure via a Microsoft rep or a Microsoft partner you can also get a free account so this is
18:30 - 19:00 normally just via Azure and you get a normal free one or a student one you can see here they have different service offerings essentially for a free account you get credits which you can have for 30 days it's like $200 25 always free products and free access popular products for a year and for the student one you get certain services free for 12 months credits for the 12 months and some dev tools and then for your development you also have here a sandbox account which is essentially an
19:00 - 19:30 account where you can go on and run stuff and make stuff and do things without having to pay for it you can get that you can see that here that's at learn.microsoft.com you can just follow the AZ-900 course which I'll put in the description you can see it there so that's the account architecture the physical architecture the infrastructure so we have these different components here we have regions we have availability zones and then we have the region pair concept so
19:30 - 20:00 an Azure region is a designated area for instance you get US West US East UK South you get you know a variety of regions and these are a logical grouping of one or more availability zones an availability zone you can think of it as a specific data center we'll get on to it later but you want multiple availability zones if you want to have a highly available application and a region pair is just two regions which are paired together for disaster recovery
20:00 - 20:30 purposes so these AZ1 and AZ2 you might replicate stuff between here for high availability but to go that extra step to really ensure you want to then put it on another region we'll get to it a bit but essentially it's so that then if this one fails you get this one as backup now Azure services that support AZs fall into either zonal so they're stuck to a region zone redundant so they're across zones or non-regional region pair examples West US
20:30 - 21:00 and East UK for extensive outage planned Azure updates blah blah blah now you also get sovereign regions so think of here as like China or US government and these are isolated for obvious reasons compliance and legal now final part of the core infrastructure is the Azure management infrastructure so we vaguely talked about that up here the account architecture but we go over it a bit more depth here so you have resource groups which is essentially a group of
21:00 - 21:30 resources so it's an easy way so if you're making an app say you could keep all of the resources for the app in one group you could always manage them and find them that way you can also then inherit you can see here actions or settings are inherited by current and future resources meaning then if you want someone to have access to the whole app stack you just give them access to the resource group and a resource group is one or more resources next up you have your Azure account with these subscriptions now subscriptions they give you billing
21:30 - 22:00 boundaries and access control boundaries so you could have only a set number of people in dev and test and in production that's a nice normal way to break up your subscriptions for companies finally we have this thing called a management group so you can see here that within a management group you can have other management groups which can then have subscriptions or you can have other subscriptions so you can see at this layer here this is the management group subscriptions okay now why to create a hierarchy that
22:00 - 22:30 applies a policy or provide user access to multiple subscriptions so here you could want one person in a specific region to have these subscriptions another person this one and a way to logically group these together is to leverage this management group structure again the same for here you could want someone to have the whole of it so they could have this entire thing now key facts you might need to know for the exam 10,000 management groups can be supported in a single directory and a management group tree can support up to
22:30 - 23:00 six levels in depth excluding the root and the subscription so in this example here that's a three depth that's the bottom top and three in between and each group and sub can support only one parent so it can only be in one here for example so there we go that's core Azure infrastructure come back next time for compute and networking hope you enjoyed so the first thing we have to know about compute and networking is what is a virtual machine it is like a machine like a laptop but it's just virtual in that
23:00 - 23:30 it's in the cloud now when you're creating one in the Azure portal you can select the size the disks the networking the operating system etc now this provides infrastructure as a service because it's like getting a laptop but in the cloud so it's infrastructure now these are optimized for lift and shift migrations so if you were to then lift stuff from a data center so for a company and move it into the cloud you can just recreate virtual machines in the cloud they're the same as the on-prem virtual machines so they're ideal
23:30 - 24:00 when you want total control over the operating system running custom software or hosting configurations so with virtual machines you might want to scale them up if you have the demand now these can be scaled in two ways using availability sets or scale sets the main difference here is a scale set it's the same virtual machine scaled out so it supports autoscaling so when you want more than one to automatically come in
24:00 - 24:30 if you have the demand and then back down again on the other side availability sets they can have a variety of different sizes but because of this there's no autoscaling support now also availability sets there's no AZ which is availability zone support it's only regional for scale sets regional or AZ now within your availability set you can have them within a fault domain and or an upgrade domain so a fault domain
24:30 - 25:00 is that your virtual machines within the scale set are within physically distinct parts such that if there was a fault in one it wouldn't affect the other so for instance they could be plugged into different power sockets upgrade domain is more of a logical grouping so they might all be in the same power socket they might be within the same fault domain but they're going to be upgraded at different times such that if say Windows roll out an upgrade it doesn't affect all virtual machines at once that
25:00 - 25:30 it maybe hits one of them and that starts upgrading while your other ones run in the background so when to use your virtual machines during testing dev when running apps and when extending your data center or during disaster recovery next up we have virtual desktop which is exactly what it sounds desktops that you can access virtually so like this here Windows it's that but you can access it globally anywhere and normally you would do that via HTTP or HTTPS which is just up here you would see it
25:30 - 26:00 if we put it at the beginning. You see, that's just a protocol for the internet. It has an enhanced feature for security because it leverages Microsoft Entra ID, which is like a centralized security thing; you might have heard it called Active Directory. It's just a centralized way to manage access and security within Azure. Now you can do MFA and RBAC, which is what enhances the security here. MFA, multifactor authentication, would be like using your password and an authentication app. RBAC would be
26:00 - 26:30 role based access control, which is what it sounds like: you get assigned the role, and that role is the basis for access control. For example, if you have a team of developers, they'll have a specific role, a developer, or a specific subset, so a specific type of role. You only want them to get access to that one bit? Give them that role. Additionally, the data and apps are separated from the local hardware, because Virtual Desktop is like
26:30 - 27:00 a virtualized abstraction; your data is not on that machine or on that laptop, it's somewhere else in the data center. Now with this it lets you use Windows 10 or 11 Enterprise multi-session, the only Windows client-based OS that enables multiple concurrent users on a single VM. So it means that multiple people can access Azure Virtual Desktop at the same time. Now next up, a bit more of an extra abstraction from machines, we have
27:00 - 27:30 containers. Now you can think of containers as a virtual machine without the operating system. That means it's lightweight and designed to be created, scaled out, and stopped dynamically. One of the most popular container engines is Docker. Now this is generally used to move something or to create a microservices architecture. Now a monolithic architecture is one big app, for example. A microservices
27:30 - 28:00 architecture is when you would have different containers or different apps which would be running different things, such that they can be updated independently or they can be, you know, changed, etc. Now within Azure we get Container Instances, Container Apps, and Kubernetes Service. Container Instances is the fastest and simplest way in Azure; it is a platform as a service. Container Apps is an instance but with benefits such as the ability to incorporate load balancing
28:00 - 28:30 and scaling up; again, that's platform as a service. Kubernetes, which is actually a container orchestration service, now this helps, it says, manage fleets of containers across the life cycle. So we can imagine that here you can run an instance, one container, see what happens. Here you can scale that container out if you need it, whereas with Kubernetes it's much more complex and complicated, and it can manage the orchestration, which is managing them, essentially loads of
28:30 - 29:00 containers, scaling, etc. So it's just like a big scaled out version of Container Apps. Now next up is Functions, so this is where we're getting now into serverless stuff. Serverless meaning that you don't have to have specifically or explicitly selected the servers to run things on; it just automatically, in the background, deals with, say, networking. So where you may have to in your virtual
29:00 - 29:30 machine, you have to download Python and, you know, install stuff, blah blah blah, in Functions you can just add the Python code and it would run it, right? So it's event driven serverless compute. The benefits: you can code quickly, it runs and responds to something, so if you have an Azure service like a monitoring service and when it notices a specific event it will then trigger this function to run. Now it scales automatically, it's pay as you go for the CPU that it uses,
29:30 - 30:00 and it is stateless by default, but it can become stateful using Durable Functions, using context. So state is essentially: stateless means no memory, stateful means memory, and so you can make your function have memory, like remember stuff, if you use context. Now for apps themselves, here are our app hosting options. So we can use Azure App Service for web apps, mobile
30:00 - 30:30 apps, logic apps, and API apps. Now we can link in directly from the code, so using for instance Azure DevOps Repos or GitHub. It allows a variety of coding languages to run; here's just an example of some, and it always allows for Windows or Linux based apps. And so basically for here you have code and you inject it into Azure App Service via connecting it, such as from GitHub, and it runs your
30:30 - 31:00 app or hosts your app. Hi, I'm Luke, a cloud consultant, and welcome to part two of compute and networking, which is unit four of our AZ-900 Azure Fundamentals cram. So in part one of this we talked about the different compute options; we're now going to look at networking, which is VNets, including VPNs and ExpressRoute, and then DNS. So first things first, what's a virtual network? It is what it sounds like: it is a virtualized network. So we have a bunch of
31:00 - 31:30 machines connected to each other by cables; well, in the cloud this is all virtualized, so they're not just one machine connected by one cable, it's more complicated than that, but logically it's just like that, just like having a bunch of virtual machines that have cables to each other, right? Now why do we use them? For isolation and segmentation. So we have our original VNet that we'll create and then we have subnets within that, so sub-networks. But the one important thing to realize here is that
31:30 - 32:00 private IP ranges can be used for VNets and subnets. So a public IP is the IP address that makes your computer or your service publicly available and accessible via the internet. If you have private IPs then you don't need a globally unique IP, because you don't need the internet to come and get you. So communication: how do you connect with and to and between virtual networks? So first is the internet. This here is a
32:00 - 32:30 public IP icon. Oh, there's the cat. Um, so you can access a virtual network via the internet if you use a public IP. Next up, Azure services. So some Azure services will automatically route, for example virtual machines and Kubernetes; other ones you have to use service endpoints, such as SQL databases and storage accounts. Now if you want to communicate on-prem you get two options: ExpressRoute and VPN. ExpressRoute is essentially a direct
32:30 - 33:00 cable between your premises, your own prem, and Azure. VPN on the other hand goes over the internet, so you can think of the security considerations there, and it can be either a site-to-site VPN or a point-to-site VPN. A site-to-site VPN is from the actual site itself, so say from your data center, then uses a tunnel straight to Azure, right? Whereas a point-to-site would use a point, not a site, so a point would be like a laptop, and for that there's
33:00 - 33:30 other ways that we can tunnel it through; you don't need to know the intricacies for AZ-900. So within ExpressRoute here we have a couple of things. You can have a quick read; I'll briefly say them out loud. Security considerations: it's never over the internet. The features and benefits: connectivity to Microsoft cloud services, global connectivity, dynamic routing via BGP, which is a protocol, and it's built-in redundancy at every peering location. So how do we connect to Azure
33:30 - 34:00 via ExpressRoute? That's where we have these connectivity models. Number one, co-location at a cloud exchange. A cloud exchange is an exchange where cloud traffic is routed through; if you can co-locate your physical servers at this exchange you can then request a virtual cross-connect to get that routed towards Azure. Now that way you have to go for the internet. Next is point-to-point Ethernet, so just a cable between you and Azure. Then any-to-any networks, so if you
34:00 - 34:30 already have a wide area network, which is a WAN here, you can integrate that into Azure, right? Finally, directly from ExpressRoute sites, so this is kind of like point-to-point, except point-to-point is usually provided by some third party; directly from ExpressRoute is exactly that, it is directly from Azure. Now next, within VPN, you recall we had this site-to-site and point-to-site. Now what is a VPN? It uses an encrypted
34:30 - 35:00 tunnel within another network, you get it, and so to connect to your virtual network via a VPN you require a VPN gateway. Now because that's a way to connect to your virtual network, you can only have one per VNet and it goes in its own subnet. Now the VPN types that we have are policy-based and route-based. You can read more about it here, but essentially policy-based you can imagine that
35:00 - 35:30 they're checking every single person that comes through, so every single packet, which is, uh, the way that the internet is routed and passed across the internet is through packets, which are like small chunks, and each of these chunks will have a specific where it's coming from, where it's going to, what protocol it's using, essentially, and then the information. So for each of these it statically looks at the specific packet and is like, right, where is this going to go? Whereas route-based, it's much more abstracted, and because of that it's more
35:30 - 36:00 resilient to topology changes such as creation of new subnets, because if things are changed it doesn't have to re-look at every single packet and update all these rules; it kind of dynamically moves with it, right? So instead of manually setting policies for each IP, the system uses normal routing to send traffic through the relevant tunnels and then encryption happens automatically within these tunnels. So instead of encrypting every single guy that comes in, it's like, right, you go into that tunnel, you go into that tunnel. Now high
36:00 - 36:30 availability scenarios, so this is where you want to have like a failover VPN gateway, so not just one in case something goes wrong; you want this high availability. So we have active-standby, which is the default. During this failover it will be a few seconds if it's planned, or if it's not planned it's supposed to be less than 90 seconds, but there is no agreed SLA for that. Active-standby means you deploy two: one's active, one's just on standby waiting in
36:30 - 37:00 case there's a failure. Now you also get active-active, where both of these guys are active, right? And so this is leveraging this BGP protocol we previously talked about, and because we have two and they're active, there's an IP address for each of them with separate tunnels from on-site to each, so it's like two access points. It can also be used as an ExpressRoute failover, so if your direct connection doesn't work you can then use the VPN. We can also have zone-redundant gateways, which are
37:00 - 37:30 automatic for ExpressRoute and VPN gateways in regions that support availability zones, so multiple. And these gateways require different gateway stock keeping units, SKUs, and use standard public IP addresses instead of basic public IP addresses. Now this is one to recall for the exam: between standard and basic, you think of basic as the one provided there, right? So you have a specific public IP and it has no extra
37:30 - 38:00 features; standard is where it has some of the extra features provided by Azure. Now next up, if we scroll up here we have VNet-to-VNet, so VNets to VNets. Now this is called peering and it goes over the Microsoft backbone, so over the Azure backbone, meaning it's not cross-internet. And now user-defined routes allow you to control routing between these subnets and VNets, so between subnets within different VNets, to talk to one
38:00 - 38:30 another. So within virtual networking, what happens with the network traffic? It can be filtered and it can be routed. So filtering normally is between either an NSG, which is a network security group, or a network virtual appliance. Now an NSG allows or blocks traffic based on inbound and outbound security rules, which include your IP, your port, protocol. So basically you say allow from this
38:30 - 39:00 inbound specific location, this, or block from this outbound, so don't let this specific message leave the virtual network. So if it was something like you don't want anything to do with the internet, you want your VNet to be fully private, right, you would block traffic out of the network that goes to the internet, and in. Now network virtual appliances, instead, these are actually just specialized virtual machines, for example you get firewall or WAN
39:00 - 39:30 optimization. Now routing, you get that via a routing table, so a route table where you go, if it's coming from here and it's going here, this is the direction it needs to go in, and this is enabled using the Border Gateway Protocol. So this works with Azure VPN gateways, Azure Route Server, or Azure ExpressRoute to propagate on-prem BGP routes to Azure virtual networks. Now DNS, Domain Name System, so this is essentially your phone
39:30 - 40:00 book for the internet: if you have a name it then gives you the IP address. This is a hosting service for DNS domains provided by Azure. The benefits: reliability and performance, so anycast networking, so the closest available DNS server answers each query; security is based on Azure Resource Manager, so it uses RBAC, activity logs, resource locking, etc.; ease of use, cuz it's just directly
40:00 - 40:30 in the portal; customizable VNets with private domains; and finally alias records, which is like if you had google.com, an alias would be t.google.com, dev.google.com. Now these alias records, these are normally used for resources such as Traffic Manager profiles or CDN endpoints, which is a content delivery network. So instead of being like the main source you can have subsources that you can access instead. So if you were like on Netflix, instead of going to
40:30 - 41:00 netflix.com, the actual big netflix.com, you can go to a CDN which holds some of Netflix's data, especially stuff that's being used right now. So for example, then the TV show You comes out, right, they will have all of the episodes of You in this CDN which is in the UK, because then instead of having to go all the way to America to get the You episodes you can just stream it from the UK CDN, and that may be called uk.netflix.com.
41:00 - 41:30 So if you have an alias for a service instance, for example CDN, right, if you have a CDN service instance, this service instance is associated with an IP address, and because the alias points to the service instance, if the underlying IP address changes then it's all good and it doesn't have to worry about it. Now that is us for compute and networking. How you doing? It's Luke, cloud consultant, and today it is unit five of AZ-900 Fundamentals. So in the
41:30 - 42:00 first few episodes we covered cloud concepts; you can check this all in the description. Then we covered the core architecture of Azure, compute and networking, and now unit five, storage. So first things first, you have to know what is a storage account. A storage account is a unified place for all of your storage needs within Azure. Now to access your storage account, it's via HTTP or HTTPS, meaning it's just via the internet,
42:00 - 42:30 via a web browser for example, and it is a global service. Now you get a variety of types of storage that you can hold within your storage account, for example Standard general-purpose v2, which in here you can hold either files, queues, tables, or blob storage. Blob storage just means binary large object, which is essentially a binary, is what you would get at the end if you've had
42:30 - 43:00 code and you've compiled it. So you had a Python file, .py, and then you've compiled that and turned that into code which you would run on a computer, for example like down here, one of these icons, that's actually a binary that's running, not Python as such normally, right, and that's a blob. Now you get Premium file shares. Now within your storage account you'll get two types of blobs: you get your page blobs and your block blobs, so your Premium page blobs, binary large objects,
43:00 - 43:30 and your block ones. A page would be more akin to something like a disk, like a hard drive, right, whereas a block would be more like some specific unstructured chunk of data, for example a file or an image or an MP3, something like that. Now the letters here you can see at the end we'll cover later, but essentially RS means redundant
43:30 - 44:00 storage. So your Standard general-purpose v2 can go in either LRS, ZRS, which means locational or zonal, or any of the other ones, so anything that's redundancy it can use. Whereas your Premium ones, these can either use lo... is it lo... locally, that's it. So these letters here after them, RS blah blah blah, star just meaning all, so all redundancy
44:00 - 44:30 storage, whereas here it's locally redundant, all zonal redundant storage. We'll get to what they mean in a minute, but really what you just need to remember is: for Standard general-purpose the redundancy can be anywhere across the world, blah blah blah; for page blobs it's only local; and for Premium files and Premium block it's LRS or ZRS. Now if you want to connect to any of these you normally would use HTTPS, and this would be what you're going to
44:30 - 45:00 type into your URL, which would be the storage account name dot service dot core.windows.net. Now remember that for the exam: core.windows.net, and the service would be blob, dfs, file, queue, or table. So now we've looked at storage accounts, let's explicitly look at the storage services. So we have these ones here, but to be more specific we have Files, which is a fully managed file share accessible via SMB or NFS or the Azure Storage REST API. Now
45:00 - 45:30 SMB and NFS are industry standards for file shares, but as protocols. REST API, that's essentially an API is like a doorway to another computer, another bit of code, right, and a REST one, the way to imagine it is essentially it just waits for you to ask it something, then it'll give you back, so it rests until you give it something. The key benefits: shared access, scripting and tooling, and
45:30 - 46:00 familiar programmability, so if you're used to file shares you already kind of know what to do here. Next up we have queues. Now the queue size is the SA size, the storage account size, because a queue can be as long as you want, because it's just an abstraction, it just has to fit in the storage account, and one message is 64 kilobits... kilobytes, let me see, kilobytes, yes, so kilobytes.
46:00 - 46:30 Use case: if you have a backlog of work to process asynchronously, so if you have a bunch of people who, you know, were messaging you, each one of those is going to be processed asynchronously, so it's not, you know, at the same time, it's just one after another processing it through, you know, that kind of thing, ticket sales for example. Disks, that's just like a hard drive, a hard disk. Tables, so this is for NoSQL, so this is structured but non-relational. What that means is it's in a
46:30 - 47:00 table format, but items in that table, so columns, don't point to other tables for more data; it's just contained in here. Now this accepts code from outside Azure, so remember that you can write code which then goes and interacts with these tables. Finally, Blob: scalable object storage, for example text or binary files. Use cases: serving images, docs to a browser, storing files for distributed access, streaming, backing up
47:00 - 47:30 data, data for analysis, etc. Now here we have our Azure Blob Storage tiers. So hot tier, you're going to access it within the next 30 days, right, so it doesn't go more than like 28 days without being accessed. Cool tier is more than 30 days, so you don't access it every month, say, but you access it more than every 90. Cold is more than 90 but less than 180, and archive is you only access like once a year. At the account level you can
47:30 - 48:00 specify that you want storage accounts or blobs to be created within this hot or cool tier, but you can't set that the entire account will have blobs always at the cold or archive tier, but they can always be at hot or cool by default. So that's blobs. Next up within storage, let's look at Azure Migrate. This is for data movement, so Azure
48:00 - 48:30 Migrate is what it sounds like: you're migrating data from an on-prem data center, say, into the cloud. So, unified migration platform with integrated tools. It has tools for discovery and assessment, so finding the servers that it needs to bring up, migrating these servers up into the cloud pretty much with like a click of a few buttons. It then has a Data Migration Assistant; now this is for SQL, and it checks features and possible problems that you're going to encounter when you go to
48:30 - 49:00 the next stage, which is DB migration service. So server migration is like the VM; database is actually when you're then going to be moving the database, so not literally just the server and the disk, but then the database that it's accessing, and for that they have Database Migration Service for SQL. They then have an App Service Migration Assistant, so if you have like an on-prem PHP or
49:00 - 49:30 .NET app, it will then see if it can bring it up and use our app hosting service, which if you recall from the previous video, this here. So it'll try and put you into here instead of having to spin up a virtual machine. So if we come back here, finally we have Data Box, which is a physical box; you think about it like a hard drive, right, with 80 terabytes, and for this you can either use it to send stuff into Azure or you can get it to get things
49:30 - 50:00 out of Azure, so your data, for data movement. Finally for storage we have file movement: three ways to manage moving files. AzCopy, so this is like a CLI command, command line interface, so a terminal command to copy files or blobs to or from a storage account. Now I've got a picture here of One Direction because it's one directional, it's like it. Storage Explorer is a tool to manage files and blobs, so upload, download, or move between
50:00 - 50:30 storage accounts. And finally we have File Sync, so it's a centralized place for file shares; it uses any protocol, it globally has caching locally, it facilitates cloud tiering, and if a local server fails it can just easily replace it with a new instance. Now here there's two One Directions because it is bidirectional. Luke, cloud consultant, and today is episode 8 of our AZ-900 study
50:30 - 51:00 cram. It's the first unit of identity and access and security. So first things first is going to be Active Directory services; basically we're going to talk about Entra ID. What is Entra ID? So Entra ID, or Active Directory services, is essentially an IAM service, which is an identity and access management service. Access to things and identities are what it controls, such that you can
51:00 - 51:30 have one identity which has access to multiple things; that's kind of the fundamental basis, and so Entra ID is the Active Directory in the cloud. So we'll look at these first, we'll come over to that. So what is it, or what does it offer? Authentication: so self-service password resets, MFA, which is multifactor authentication, so when you'd have a password and a code to your phone, so it's multifactor; custom list of banned
51:30 - 52:00 passwords and smart lockout services. It also provides single sign-on, so this is where you can have like one username and password for multiple apps, leveraging a single identity, and that then reduces access modifications since you're tied to one identity. So instead of having to manage loads of usernames and passwords for loads of stuff, the admin can just manage your identity; for example, if you roll off a project, kill the identity and they don't have to find you everywhere. Next up, app management, so
52:00 - 52:30 it has features such as App Proxy, which is accessing on-prem securely from outside your corporate network; SaaS apps integrate seamlessly with O365, which is Office 365; single sign-on; and then the My Apps portal, which is this here, basically you can log in, have a screen of apps and then you can select from them. So this is what enterprises and stuff would use, so you can get access to the various software you need just through your one identity. It also has device management
52:30 - 53:00 services, so you can manage devices just like users, meaning you can restrict certain devices, for example, and devices can be managed through tools like Intune. So who would use Entra ID? Well, IT admins for access control; app developers for when they want sign-in into their app, so using SSO; users will password reset, they'll be using Entra ID services for that; then online service subscribers, if you're using Office 365 and you're controlling access, Entra. So this part up
53:00 - 53:30 here is that Entra, being in the cloud, it monitors sign-in attempts; however the on-prem version, i.e. just Active Directory, doesn't, and to connect them together, so you had an on-prem Active Directory and you want to use Entra, you can connect them using this thing here called Entra Connect, meaning you can sign on here and you can access here. So that's Entra. Now let's look at Entra
53:30 - 54:00 Domain Services. So Entra ID is you're looking at users, whereas Entra Domain, you're now looking at servers, for example in joining servers to domains, things like that, because if you think about it, like one website could be run on multiple computers, so multiple machines would have to join the domain, so you want to manage the different servers. So the services which Domain Services provides we'll get on to
54:00 - 54:30 in a moment, but first let's look at this point here: domain services without the need to deploy, manage, or patch domain controllers. Traditionally if you have domain services you would have a domain controller. Now a domain controller is a server in a network that manages security and access to resources through Active Directory. So you don't need this anymore because you can use the cloud version, and so its focus is on managing servers, virtual machines, and legacy apps that are traditionally connected to a
54:30 - 55:00 Windows domain. What does connected to a Windows domain mean? Well, it means that a computer, server, or other network device is joined to a centralized network managed by Windows Server using Active Directory. This then allows you to use multiple servers to run one app, for instance, right? And so the services that it provides to do this, or examples of services it provides: domain joins, this is adding servers on to a specific
55:00 - 55:30 domain such that they can be used for one app, multiple servers; Group Policy, this is enabling centralized management of security and settings across domain-joined devices, so across multiple servers that are domain joined; LDAP provides a protocol for applications to create and manage directory information, so if they want user details for example; and then Kerberos/NTLM authentication, this offers secure authentication methods to verify user
55:30 - 56:00 identity, so another authentication service essentially. And so this Domain Services is good if you want to run legacy apps in the cloud, because if you read this here: allows organizations to seamlessly migrate on-prem applications to Azure by enabling users to log in with existing credentials and manage access using current user accounts and groups. So basically you can just move your normal stuff where you'd have like these domain controllers and stuff; all those services can be provided in the cloud.
56:00 - 56:30 How? You get a unique namespace, which is a DNS, and the way that this works within Azure is that within a region you'll have a replica set of domain controllers, meaning you will have the exact same domain controller replicated twice for high availability. Now how is this information then synced up? Well, if we zoom in here you can see you have your on-prem Active Directory and then here you have your Azure AD tenant, which is your Entra, and in the back here you have your managed
56:30 - 57:00 domain, and so there's a two-way sync between Entra and your on-prem to make sure that this is always the same, so it's syncing up users, groups, passwords, SIDs, and to Azure Active Directory. Whereas here, so these two sync together, but only Entra calls back to the managed domain to automatically background sync the data that it's got, so that your on-prem only talks to this Entra, and then the Entra talks to the managed domain. And so that, in a nutshell, is
57:00 - 57:30 everything you need to know for entra for a900 look at Cloud consultant welcome back episode 9 and today we're going to cover authentication methods and external identities within identity access and security So within here this is split into three parts we have entra which I've covered and whoa episode 8 you can go check that out then we have this nine and then 10 will be the rest of identity access and security so authentication methods got here a picture of passport
57:30 - 58:00 cuz that's like an authentication method to show who you are and so authentication methods come in a quadrant here essentially they they lie somewhere in here between inconvenient inconvenient and high security and low security the example here is that passwords are the worst because although they are convenient apparently I would argue not very convenient CU you always forget they're also low security because there's only one hle for the like the
58:00 - 58:30 criminal to get to get your password they just have to figure that out and that show whereas for example here it's more inconvenient to have passwords and 2fa so MFA multifactor authentication where you would have say a password and a code because the convenience factors and the security risks are there for passwords but then you have an extra layer of security a second hle which is a code say to your phone which does make it inconvenient however makes it much
58:30 - 59:00 more secure next up we have passwordless authentication which we'll get to in a moment which is the highest security or kind of on par with password and T but is the most convenient because you don't need your password so what does it mean to have passwordless authentication let's get to that in a moment spoilers don't look down there so first of all we have SSO single sign on well this is where you can have one identity which you can then leverage to
59:00 - 59:30 access multiple apps. If you've seen the Entra ID video, you can see that this is an example of app management, so you can log in once and then you have all these apps that you can then access from it, which is very common in enterprises. Next up we have here MFA. Now this signals portion we'll talk more about in the following episode when we talk about conditional access, but essentially, based on a variety of factors, it can request whether you want MFA or not. For example, you can go on a website and then say
59:30 - 60:00 remember me for 14 days and it won't try to MFA; in that case it would do the LA access route, but generally it would require MFA, MFA being, as we said, getting like a code to your phone or a code from, like, the Authenticator app. Now the third one, passwordless, no passwords, what's it called? Passwordless, passwordless. So anyway, no password, so what does that even mean? Well, it can be like biometric data, so for example your fingerprint; it's not a
60:00 - 60:30 password, but it's identification. Your face: not a password, but it's identification, for example. So the three suggested ways from Microsoft for this, or talked-about ways, are Windows Hello for Business, so this would be where you can use biometric or PIN data which is then tied to your PC for an extra layer of security. You can also use the Authenticator app, so instead of having a
60:30 - 61:00 password you can just use this code. And then finally you can have Fast Identity Online security keys, so FIDO2 security keys. Here's an example here which is a YubiKey, which is a USB one, plug it in, but it can be Bluetooth or NFC, which is like your contactless credit card. It doesn't matter, essentially it's just that there's some way to have a physical device that lets you know that I am who I say I am, so a method of authentication. Next up,
61:00 - 61:30 external identities. So for B2B or B2C, which is business to business or business to consumer, you can leverage external identities. So this is, as you can see here, for example, using a Facebook account or a Google account or some Active D-, uh, Active Directory, Entra ID account or something. You can use partners, vendors, suppliers or other collaborators to initialize some self-service sign-up, basically like kind of single sign-on. So instead of using a
61:30 - 62:00 username and password which is within Active Directory, you can then use a trusted party's one. For example, Google's a very common one; you see this when you log in at websites and it says, like, do you want to sign up with your username and email, and you're like, no way mate, but I'll give you my Google because I don't want to deal with another password. So securely interact with your users outside your org, so customers, vendors, suppliers, etc. You can ask the guests themselves or a decision maker to participate in access
62:00 - 62:30 reviews and rectify or attest to the guest's access, so you can continually review access to see who has actually got it and who should have it or shouldn't have it. And so basically what this allows you to do is to have, say, for instance, B2B collaboration: you could have a company who don't leverage Azure products sign in with their Google accounts using these external identities. You also get B2B direct connect, so you can, with another Entra org, you can use
62:30 - 63:00 like Teams shared channels, so if that's another organization who's leveraging Entra ID you can then use that external identity. Welcome back, Luke at Cloud Consultant, and today it's the third and final episode of Identity, Access and Security, episode 10 of our Azure AZ-900 Fundamentals study cram, let's get into it. So first things first, conditional access. So it's an Entra ID tool; basically, as we've talked about
63:00 - 63:30 previously in multifactor authentication, sometimes you can say remember this device for 14 days so it won't ask you for the second code, sometimes not even for the password, and the way that it does this kind of thing is it gets signals, whether that's where you are, the way you've gotten to the website or something, and it then makes a decision based on this: so how risky is this, is this likely? So if you're on a device and your device is in the same location,
63:30 - 64:00 it's the same IP address as last time it was there, for example, and you're coming in the same way, i.e. through a browser, then it's probably you. But if it's the same device but it's a completely different IP and this time you're coming in by a different method, it might not be you, and then it enforces it based on that. So it's useful for requiring MFA, requiring access to services only through approved client apps, requiring users to access apps from managed devices only, so like only your
64:00 - 64:30 laptop for work, not your phone, and then blocking access from untrusted sources. So if you know, like, a specific IP address is probably going to be dodgy, you can use that in a signal, block it, don't let them in. Next up, RBAC, role-based access control. So this is essentially where you will be assigned a role, so it's role-based, and it's access control, it's controlling your access to something. So this role-based access control is applied to a
64:30 - 65:00 scope, which is a set of resources or a resource that the access is applied to. Here, for example, if we scroll in you can see here's the standard roles in Azure and here's your scopes, so you can see here for your role that really, for a resource, it should only be to automate processes; you shouldn't be assigning people roles for singular resources. You don't need to know this for AZ-900, but it's just good to know. Whereas for the other three, management group,
65:00 - 65:30 subscription and resource group: reader, observer, you're reading; admin is the owner, they can do everything; and then all that in between is the variety of users who are managing the resources and using them. So Azure RBAC, role-based access control, is enforced on any action that's initiated against an Azure resource that passes through Azure Resource Manager, which we'll get to in a way later episode, but Azure Resource Manager essentially manages resources, and whenever you interact with a resource it's going through Azure Resource
65:30 - 66:00 Manager, meaning every time you try to do anything to any resource a role will be enforced, or a role, RBAC, will be enforced. So next up, zero trust model: secure assets where they are with zero trust. So this is an approach to security where you may have heard before of grant the access of least privilege, something like that, which is essentially
66:00 - 66:30 saying give people only what they need. So if we go back to, like, here, you know, if you have someone who's an observer, don't go, ah well, in future they might need access so we'll give them one of these, or, ah, they might, you know, need to add a mate in a couple of months so we'll make them admin. Absolutely not, terrible way to do it. So zero trust is actually a layer above, or below, it's a layer more intense, in which you're saying let's just assume everything's going to go wrong and that there's
66:30 - 67:00 always going to be a breach. So as you can see here, guiding principles: assume breach, and so you're going to minimize the blast radius, i.e. if you're doing RBAC and you have role-based access control, you make sure that the role the person has has a tiny radius, meaning you want to be applying roles as low here as you can, so like at the resource scope level, for instance. You don't want to be like, oh, they'll probably need access to stuff, let's give them the whole subscription. Not a good way to do it, because if someone then gets
67:00 - 67:30 access to that who shouldn't, they have more access than, you know, they should. And then use least privilege access, principle as we said, and verify explicitly, so always authenticate and authorize based on all available data points. Next up we have defense in depth, which is an approach of securing every layer, every conceivable layer within Azure that you're leveraging. So for example physical security, that's just, you know, securing your devices that you use to access Azure, for example. Identity
67:30 - 68:00 and access, so that's where you'd want to use single sign-on, MFA. The perimeter, so this is like your DDoS protection, which is distributed denial of service; it's a kind of attack where people would use bots to pretend there's loads of people, say, visiting your website just so that the channel which lets users in to come see your website gets blocked because it's too many people, essentially. You can imagine it that way. Network: deny everything by default
68:00 - 68:30 and have a secure connection between on-prem and Azure. Compute: secure access to your VMs, implement endpoint protection, keep systems patched, meaning keep essentially your operating systems up to date, make sure that everything is as secure as it can be. Application: store secrets securely, so using like Key Vault instead of having like your passwords in plain text, for example. It makes security a design requirement, so when you're designing the app make sure security is
68:30 - 69:00 first and foremost. And finally data: they're after databases, disks, and they're also after the things which are in SaaS products, which you may not even consider. For example, your Gmail is probably tied to your Google Drive, meaning if you have data in your Google Drive and someone accesses your email, not only do they have access to your emails, which then are probably linked to websites where you have your bank cards; leaked, you're going to get in trouble
69:00 - 69:30 there, but you're also then going to have your Google Drive. So, not to scare you, but this is why you need to be super secure. And then cloud storage, Google Drive, but SaaS was more pertaining to, say, PowerPoint or something, right? So as you can see here, when you have gone in at this zero trust idea using roles for each layer here, like, suddenly you have stacks, meaning if someone, say, breaks into physical security somehow to get your laptop, they still have to go through all of these to get the data,
69:30 - 70:00 because the data is what they're after, because think about even your bank card, the numbers are the data. So anyway, finally we have Microsoft Defender for Cloud: protection everywhere. So this facilitates or gives protection for Azure native protections, PaaS, so it detects threats and anomalies on platforms, data services, it can classify SQL data, assess for vulnerabilities across SQL and storage
70:00 - 70:30 accounts, then networks, just-in-time VM access and set access policies, including for a limited time. It can also protect hybrid resources, so that's some on-prem, some in Azure, as well as other clouds. The thing to note here is when it's leveraging other clouds, so say like AWS or GCP, let's just go with AWS, it leverages AWS's security guidance, and for that you can
70:30 - 71:00 see it via the CSPM, which is the cloud security posture management, and the asset inventory page. Now it works on this idea of continuously assessing, securing and defending. So continual assessing is vulnerability assessments essentially, and Defender for Endpoint, so it's just continually looking for it. It's then securing, which is hardening your resources and services with Azure Security Benchmark, we'll get into that in a second, and finally defending, so
71:00 - 71:30 detecting and resolving the threats, so Advanced Threat Protection, security alerts, for example. So within secure we have this here, which would show you, if we zoom in you can see it shows you like a score, it shows you different controls, remediations, so one which has been completed with 38, uh, completed recommendations, and then a general resource health. So this is what you'd see if you were using the Defender for Cloud, and what this here
71:30 - 72:00 actually means is, we'll move over, your secure score is a reflection of how well you're meeting the Azure Security Benchmark, which is implemented through security policies, and these policies lead to recommendations when resources don't meet the standards. So basically you have a list of policies saying I want to have this level of
72:00 - 72:30 security, say, and then Defender for Cloud will check that against your resources and then give you a score based on that. So I know that's a pretty heavy one, because, you know, cyber security and that, but that's us finished Identity, Access and Security. Come back next time where we will jump into the final module, Management and Governance. Welcome back, Luke at Cloud Consulting, and today is episode 11 of our AZ-900 study cram, it's our first episode of the final module,
72:30 - 73:00 Management and Governance. So management and governance, what we're going to look at first: cost management. So what affects costs in Azure? Well, the resource type, so for instance you'll get different sized virtual machines the same way you would have different sized laptops to buy, right? As we can see if we zoom in here, when you create a virtual machine you get a variety of sizes, for example, and also for like data storage you can have access tiers, so like hot or cool, for
73:00 - 73:30 example, which will change the price because it changes how fast you're able to access the data. Also consumption: so are you pay as you go or are you a contract? So do you just pay for what you use, which is pay as you go, or do you have a contract to say, actually, I'm going to dedicate myself to having a set number of resources, so say 100 virtual machines for the next 3 years, because some companies require that, say for, uh, compliance and stuff. Next up, maintaining
73:30 - 74:00 resources. So when you spin up a VM and you put it in a virtual network, blah blah blah, you have to maintain the other resources when you delete the virtual machine; if you leave them running it'll affect your costs. Geography, so labor cost could affect it, so data centers in different regions can cost different prices, and then also the distance to move the data. So if you're moving it, say, from one side of the world to the other, it's going to cost more than if you're moving
74:00 - 74:30 it from, say, London to France; it's going to be much cheaper than, say, Australia to New York. Now also, if you're moving into Azure it can sometimes be free, so if you're moving data into Azure, sometimes free, but if you move it out of Azure it will be based on the billing zone that it has to go through, or has to go in or out. Next up, subscription type: you might have a free tier subscription. And finally Marketplace, so if you're going to use some pre-made services on the
74:30 - 75:00 Azure Marketplace by third party vendors, then that will cost you whatever the price is that they give it at. So for instance here, CIS Benchmark L1 on Windows, 2 cents an hour, whereas other things you can see are free, price varies, free, blah blah blah. So next up, how do you calculate the cost then? Well, we have a pricing calculator and we have a total cost of ownership calculator. The pricing calculator is for provisioning
75:00 - 75:30 resources, so you would say if I wanted 10 servers with a specific spec, how much would it cost? Whereas the total cost of ownership is more about what would the cost be compared to on-prem, which here you see versus on-prem. So you then estimate how much it actually costs for utilities like electricity and stuff, whereas in here you're just seeing Azure, and here it's Azure versus on-prem. Next up we have the Microsoft Cost Management tool, so
75:30 - 76:00 this is where you can manage the costs of Azure. So the first one was saying what affects it, how you calculate it, but then how do you get it when it's actually happened? So Microsoft Cost Management tool: from here you can get budget alerts. Now you can set these based on either money, so when you reach $1 in the month or something, $10, which is a normal thing you could budget, you would add if you're just a normal person, not a company; they can be using,
76:00 - 76:30 you know, six figures a month, but you can still have budgets. It can be either that or it can be consumption, once, or size, once my data is up at like 10 terabytes I want an alert. Next up, credit alerts: generally they're at like 90%, 100%. Now you can get credits when you have like a free tier subscription, but here we're more so referring to credits that you get for organizations with Enterprise Agreements, because when you
76:30 - 77:00 agree to move to Azure you can often be given credits from Azure, and that's from EAs. And so based on that as well, you have, for Enterprise Agreements, departments, and these departments can have spending quotas, so kind of like quota alerts, almost like budget alerts but for different departments, so say like different subscriptions. Next up we have tags. So finally, tags is a way to track resources, so you could say tag every resource that you create within your
77:00 - 77:30 company and your development environment. I could do it "Luke at Cloud Consultant", and that way I'm able to see what are all the resources tied to Luke at Cloud Consultant, what are they costing them. And so in tags you can save the metadata, so it doesn't have to just be like your name, you could save some specific metadata about the resource. Now when you're managing them, conventions and rules can apply via policies, so I could say I don't want, you know, specific words in these
77:30 - 78:00 tags. And the way you can add tags and update tags is via PowerShell, the CLI, so command line, ARM templates, which we'll get to in a bit, but it's essentially automating provisioning infrastructure, so instead of clicking through the portal you can write out a little bit of code, REST API, which is, you know, talking to Azure programmatically, or the portal. And here's an example of tags that people would use, you can read it if you're fancy, and that is cost management.
78:00 - 78:30 Welcome back, welcome back, Luke at Cloud Consultant, and today is episode 12, governance and compliance. So first things first, let's talk about Azure policies. We briefly talked about policies for tags, and we've talked about it a little bit through the fundamentals course, but things to really note about policies: first of all, they're set at each level, they're inherited and historical. So say you set a policy at a resource group level for virtual
78:30 - 79:00 machines, right, it would then mean that that's going to be inherited by all the virtual machines inside that resource group, but also historical virtual machines, so if there are already 10 in there, not only does it apply to the 11th you make, but it also applies to the 10 that are already there. And now policies can be integrated easily into ADO, Azure DevOps. Now a policy can either be an individual policy or an initiative, which is just a group of policies. The example that they give is enable monitoring in
79:00 - 79:30 Azure Security Center includes policy definitions for OS vulnerabilities, missing endpoints, etc. So basically when you enable a specific thing, like enable monitoring, right, that actually is a collection of policies within itself, an initiative. So when a policy has been applied, say, to a resource or a resource group, it will be flagged if it fails that policy, so if it doesn't comply. But one thing that you can do with policies is you can have like an auto-resolve; for example, tags: say you don't
79:30 - 80:00 want this word used, instead replace it with this other word, you could then leverage that. Now within Azure Policy you have built-in definitions for storage, compute, networking, monitoring and Security Center, so kind of basic stuff. So next up we have Microsoft Purview, which is essentially just a way to govern data, right, that's all you need to know for AZ-900, and it works for SaaS, hybrid, on-prem. Its two main solution
80:00 - 80:30 areas: risk and compliance, and unified data governance, but really you only need to know about unified data governance for AZ-900. Basically here it creates an up-to-date map of your entire data estate, identifies the sensitive data, creates a secure environment for data consumers to find this valuable data that they need from your map, and then generates insights about how this data is used and stored, as well as managing access to it. So basically it's for data governance, that's all you need to know,
80:30 - 81:00 and part of how it works is by leveraging O365 products such as Teams and Exchange. Next up we have resource locks. They can either be delete or read-only, meaning you can lock it for deletion, which means it can't be deleted but it can be read and changed, or read-only, meaning it can be only read, nothing else. Now why would you want to do that? Because you don't want to accidentally delete it, or you don't want people to be able to modify, etc. Now this lock can be removed if you
81:00 - 81:30 have the privileges, leveraging RBAC, so if you have the right role you can then remove the lock, make the changes and then add it back on. Next up we have the Service Trust Portal. Now on the Service Trust Portal you get in it using your Entra org account, so your Microsoft cloud services account. It provides access to various content, tools and other resources about Microsoft security, privacy and compliance practices. On the main
81:30 - 82:00 menu you get the Service Trust Portal, My Library and then All Documents. So if we look at here what it would look like, basically you come in and you see Service Trust Portal, My Library or Documents, all the documents, then you can pin them and they'll stay in your library. But basically, as it says, learn how Microsoft cloud services protect your data and how you can manage cloud data security and compliance for your organization, so it's just for documentation. Luke at Cloud Consultant, welcome to episode 13, managing and deploying resources. So first things first, we have
82:00 - 82:30 interactions with Azure. So you can interact, as you will recall from one of our earlier episodes, manageability, so in the cloud we have these various ways to manage it: CLI, API, PowerShell, web portal. The portal is your UI; PowerShell, it's kind of like using a command line interface mixed with an API, it's called PowerShell; you then have your API, which is basically like
82:30 - 83:00 code which talks to Azure; or you can have your CLI, which is like running a computer, or interfacing with a computer, without having all the fancy clicking about. So a CLI is like what you'd imagine a user interface to be for a computer if there was none of these nice graphics that we can see on screen. So let's go back up to here, so as you can see: CLI, web portal, PowerShell, but also Cloud Shell. So as you can see here, if you zoom in we have
83:00 - 83:30 this, which looks like a command line; that is Cloud Shell, which is essentially PowerShell but directly in Azure. You can think the benefit here is that you don't have to log in or anything, you're just automatically there, so when you're in a resource group looking at things and you open up Cloud Shell, you're already there. Now PowerShell and the command line and Cloud Shell, they run commands called cmdlets which use the Azure REST API, so essentially it's using the API but it's
83:30 - 84:00 leveraging this, um, it's like a CLI plus the API. Now using cmdlets you can then save these, like, as files, so like a PowerShell script, for example, which makes them repeatable and automatable. Remember that, because we'll get on to that in a moment, but basically it allows you to save the commands that you want to run, so say you want to look at all the virtual machines and update the tags, you could save these to do that. Now if you're thinking, right, I could update
84:00 - 84:30 the tags, what about for virtual machines, what if I want to keep making the virtual machine? Well, we'll get to that in a minute when we go over here, but first we have to look at a thing called Azure Arc. So we're looking now at Azure Resource Manager, which I touched on briefly before, but it's essentially the thing you have to go through to interact with any resources. As you can see here you have the portal, PowerShell, CLI, REST API; now all of this stuff comes to the Azure Resource Manager, which makes sure that you're authenticated, then allows you to
84:30 - 85:00 interact with the resources. So we have a thing here called Azure Arc. Now Azure Arc extends your Azure compliance and monitoring to your hybrid and multicloud configurations outside of Azure. It allows you to manage servers, Kubernetes clusters, Azure data services, SQL Servers and virtual machines (in preview), but essentially it allows you to monitor your services, you can see here, that are, say,
85:00 - 85:30 on-prem or in another cloud. But anyway, back to the Azure, that is part of Azure Resource Manager. But back to this automation idea is that if we can automatically manipulate resources, could we automatically deploy resources? The answer is yes. Now I do have videos on the channel where I teach you how to do this with Terraform, because Terraform is a language you can write which will do
85:30 - 86:00 the automation of deployment, and it's not just for Azure, it works with AWS, it works with Google Cloud Platform, etc., whereas the ones we're going to talk about today work only for Azure, that's why they're in the certification. So if we zoom in here we can see there's a thing called Azure Bicep. It's quite funny how it's worded here: you have your Azure Bicep file where you write code to deploy resources, so you're like, I want a VM that looks like this, I want a VNet that looks like this, blah blah blah, and then that
86:00 - 86:30 will compile, meaning the file then gets run and turned into ARM templates, which is an Azure Resource Manager template, and this Azure Resource Manager template will then go through Azure Resource Manager and create the relevant resources. Now you can write ARM templates from scratch, but they're a little bit more complicated and not as nice as using Bicep. But yeah, it's pretty funny, it's called an ARM template and
86:30 - 87:00 Bicep because it's the good little bit of the arm, innit, probably. So anyway, the benefits of this is repeatability, so once you've written this Azure Bicep file you can use that to deploy the same resources every time you run the file; orchestration; and then modularity, so you can write the code in such a way that if you were to make loads of virtual machines and loads of network stuff, you could compartmentalize them properly such that you can repeat one bit of code by, or not repeat one bit of code, by
87:00 - 87:30 calling to it using modules, for example. So anyway, that's a bit more advanced than you need to know, but you just need to know that you have Bicep, which is a JSON file, which is a, I suppose I can show you here, JSON format, which just kind of looks like this, and so you would like call something and then it's kind of like a key-value pair. It can be called, which is essentially you have this key, which is
87:30 - 88:00 volume, and then that's the name of the thing, bling current is blah blah blah, right? So it just looks like this, but you only need to know that it is JSON, and so you write this JSON, which then can be turned into ARM template JSON, which then goes into the ARM and then you have your resources at the end. Welcome back, Luke at Cloud Consultant, and today is our final episode, episode 14, of the AZ-900 study cram. We're going to cover monitoring, which is always left till last, which is funny because
88:00 - 88:30 you should be monitoring your resources, it shouldn't be left till last, but anyway. First things first, for monitoring we have Azure Advisor. So if we look in here we have five main categories which you'll probably need to know for the exam: reliability, security, performance, operational excellence and cost. And now you can see here, this is what your Advisor would look like; it basically kind of advises you on things, gives you recommendations on how to improve across these five categories, and as you
88:30 - 89:00 can see here, it evaluates your Azure resources and makes recommendations to help improve reliability, security, performance, achieve operational excellence and reduce costs. And you can access this data via the portal, via the API, and you can get notifications, so if you get a recommendation you can get notified. You also get Azure Service Health, and so this helps you keep track of your Azure resources, both your specifically deployed resources and the overall status of Azure. So what it does
89:00 - 89:30 is it combines the Azure status, so how is Azure as a service, like the whole of Azure; then how are the specific services within Azure, i.e. is there something going wrong with how virtual machines are being implemented across Azure; and then the resource health, which is like your actual virtual machine, for example, so it actually impacts you. And for this, using the Azure Service Health you do get real-time data but you also get historic data, so you can look at trends, say for your own resources, if
89:30 - 90:00 they keep going down, for example. And finally you have Azure Monitor. So Azure Monitor is a platform which has Log Analytics, which lets you query your logs; monitoring alerts, so if something happens you can get told about it; and then Application Insights, so this can be via SDK, so software development kit, or via agent. Now you can read here more about Application Insights, blah blah blah, if
90:00 - 90:30 you want, but essentially it just helps you monitor the performance of your application. And that is it, that is AZ-900 Fundamentals. I hope you enjoyed; if you did, please leave a like, leave comments, questions, queries and anything more you want to see from the channel. Hope you enjoyed, take care and I'll see you later.