Table of Contents
1. Exam and preparation resources
How the certification runs:
Skills measured by the AZ-900 certification
2. Azure Fundamentals part 1: Describe core Azure concepts
2.1. Introduction to Azure fundamentals
2.1.1. What is cloud computing?
Cloud computing: The delivery of computing services over the internet, which is otherwise known as the cloud. These services include servers, storage, databases, networking, software, analytics, and intelligence. Cloud computing is a way to rent compute power and storage from someone else’s datacenter.
Cloud computing advantages:
Cloud service models: IaaS / PaaS / SaaS
AVTD - The 3 types of cloud services: IaaS, PaaS, SaaS
Levels of responsibility between a cloud provider and a cloud tenant
Serverless computing: With serverless applications, the cloud service provider automatically provisions, scales, and manages the infrastructure required to run the code. Serverless architectures are highly scalable and event-driven. They use resources only when a specific function or trigger occurs.
Public, private and hybrid clouds
AVTD - 3 types of cloud: public, private and hybrid
2.1.2. What is Azure?
How does Azure work?
Azure portal: a web-based, unified console that provides an alternative to command-line tools.
Azure services
Most commonly used categories:
2.2. Discuss Azure fundamental concepts
AVTD - OpEx vs CapEx
2.3. Describe core Azure architectural components
The organizing structure for resources in Azure has 4 levels: management groups, subscriptions, resource groups and resources.
2.3.1. Azure subscription
Billing customization
2.3.2. Azure Management groups
Important facts about management groups:
2.3.3. Resource
A manageable item that’s available through Azure. Virtual machines (VMs), storage accounts, web apps, databases, and virtual networks are examples of resources.
2.3.4. Resource group
2.3.5. Azure Resource Manager
When a user sends a request from any of the Azure tools, APIs, or SDKs, Resource Manager receives the request. As benefits, it allows you to:
2.3.6. Azure regions
Resources are created in regions, which are different geographical locations around the globe that contain Azure datacenters. A few examples of regions are West US, Canada Central, West Europe, Australia East, and Japan West. At the time of writing this, Azure is generally available in 60 regions and available in 140 countries. See Microsoft’s site: "Azure has more global regions than any other cloud provider".
2.3.7. Azure availability zones
Availability zones are physically separate datacenters within an Azure region. Each availability zone is made up of one or more datacenters equipped with independent power, cooling, and networking.
AVTD - Availability zones
2.3.8. Azure region pairs
It’s possible that a large disaster could cause an outage big enough to affect even two datacenters. That’s why Azure also creates region pairs.
AVTD - Region pairs / Regional pairs
3. Azure Fundamentals part 2: Describe core Azure services
3.1. Explore Azure database and analytics services
3.1.1. Explore Azure Cosmos DB
Azure Cosmos DB is a globally distributed, multi-model database service. Azure Cosmos DB is flexible. At the lowest level, Azure Cosmos DB stores data in atom-record-sequence (ARS) format.
3.1.2. Explore Azure SQL Database
3.1.3. Explore Azure SQL Managed Instance
Azure SQL Database and Azure SQL Managed Instance offer many of the same features; however, Azure SQL Managed Instance provides several options that might not be available to Azure SQL Database. Here are some examples of differences:
3.1.4. Explore Azure database for MySQL
3.1.5. Explore Azure database for PostgreSQL
Single Server deployment:
Hyperscale (Citus): The Hyperscale (Citus) option horizontally scales queries across multiple machines by using sharding. Its query engine parallelizes incoming SQL queries across these servers for faster responses on large datasets. It serves applications that require greater scale and performance, generally workloads that are approaching, or already exceed, 100 GB of data. The Hyperscale (Citus) deployment option supports multi-tenant applications, real-time operational analytics, and high throughput transactional workloads. Applications built for PostgreSQL can run distributed queries on Hyperscale (Citus) with standard connection libraries and minimal changes.
3.1.6. Explore big data and analytics
Microsoft Azure supports a broad range of technologies and services to provide big data and analytic solutions, including:
3.2. Explore Azure compute services
Azure compute solutions are built on the following underlying services:
3.2.1. When to use Azure Virtual Machines
Azure Virtual Machines sizes and descriptions
3.2.2. When to use Azure Container Instances or Azure Kubernetes Service
While virtual machines are an excellent way to reduce costs versus the investments that are necessary for physical hardware, they’re still limited to a single operating system per virtual machine. If you want to run multiple instances of an application on a single host machine, containers are an excellent choice.
As a conclusion, you choose a VM if you need high flexibility and complete control over the environment. There are two ways to manage both Docker and Microsoft-based containers in Azure: Azure Container Instances and Azure Kubernetes Service (AKS).
A microservice architecture is more appropriate when:
3.2.3. When to use Azure App Service
App Service enables you to build and host web apps, background jobs, mobile back-ends, and RESTful APIs in the programming language of your choice without managing infrastructure. API apps: Much like hosting a website, you can build REST-based web APIs by using your choice of language and framework. You get full Swagger support and the ability to package and publish your API in Azure Marketplace. The produced apps can be consumed from any HTTP or HTTPS-based client.
3.2.4. When to use Azure Functions
If, for a large amount of time, your application is waiting for a particular input before it performs any processing, then, to reduce your costs, you might want to avoid paying for the time that your application spends waiting for input. Functions (serverless computing) could be a good option in that case.
Serverless computing includes the abstraction of servers (no infrastructure management), event-driven scale, and micro-billing.
Azure has two implementations of serverless compute:
Functions are commonly used when you need to perform work in response to an event (often via a REST request), timer, or message from another Azure service, and when that work can be completed quickly, within seconds or less. Where functions execute code, logic apps execute workflows that are designed to automate business scenarios and are built from predefined logic blocks. Functions and Logic Apps can both create complex orchestrations, which are collections of functions or steps that are executed to accomplish a complex task.
Functions are normally stateless, but Durable Functions provide state.
3.2.5. When to use Windows Virtual Desktop
Windows Virtual Desktop on Azure is a desktop and application virtualization service that runs on the cloud. It enables your users to use a cloud-hosted version of Windows from any location. Windows Virtual Desktop works across devices like Windows, Mac, iOS, Android, and Linux.
Windows Virtual Desktop architecture
Windows Virtual Desktop is a recent solution; its public preview was announced in 2019/03. User sign-in to Windows Virtual Desktop is fast because user profiles are containerized by using FSLogix. At sign-in, the user profile container is dynamically attached to the computing environment. The user profile is immediately available and appears in the system exactly like a native user profile.
3.3. Explore Azure Storage services
Context
Suppose your company, Tailwind Traders, has a number of product brochures, datasheets, product images, and other files that are related to marketing, sales, and support. In the past, your company has been hosting these files on standalone web servers in your datacenter.
3.3.1. Disk storage fundamentals
Disk Storage provides disks for Azure virtual machines, and allows data to be persistently stored and accessed from an attached virtual hard disk.
3.3.2. Azure Blob storage fundamentals
Azure Blob Storage is an object storage solution for the cloud. It can store massive amounts of data, such as text or binary data. Azure Blob Storage is unstructured, meaning that there are no restrictions on the kinds of data it can hold. Blob Storage can manage thousands of simultaneous uploads, massive amounts of video data, constantly growing log files, and can be reached from anywhere with an internet connection. Blob Storage is ideal for:
3.3.3. Azure Files fundamentalsAzure Files offers fully managed file shares in the cloud that are accessible via the industry standard Server Message Block (SMB) and Network File System (NFS) (preview) protocols.
3.3.4. Understanding Blob access tiersAzure provides several access tiers which you can use to balance your storage costs with your access needs.
3.4. Explore Azure networking services
3.4.1. Azure Virtual Network fundamentals
Azure virtual networks (or Azure VNet) enable Azure resources, such as VMs, web apps, and databases, to communicate with each other, with users on the internet, and with your on-premises client computers. Virtual Network allows you to create multiple isolated virtual networks. When you set up a virtual network, you define a private IP address space by using either public or private IP address ranges. For name resolution, you can use the name resolution service that’s built in to Azure. You also can configure the virtual network to use either an internal or an external DNS server. Communication between Azure resources can be done using one of the 2 following options:
Communication with on-premises resources can be done using one of the 2 following mechanisms:
Route network traffic.
Azure virtual networks enable you to filter network traffic between subnets by using the following approaches:
Connect virtual networks
3.4.2. Azure Virtual Network settings
Settings to configure for the creation of a basic virtual network:
Once created, you can then configure:
3.4.3. Azure VPN Gateway fundamentals
A virtual private network (VPN) is a type of private interconnected network. A VPN gateway is a type of virtual network gateway. Azure VPN Gateway instances are deployed in Azure Virtual Network instances and enable the following connectivity:
A VPN gateway can be one of 2 types; the difference between them is how the traffic to be encrypted is specified.
Required Azure resources to deploy an operational VPN Gateway
High-availability scenarios
VPN gateway active/standby configuration
VPN gateway active/active configuration
3.4.4. Azure ExpressRoute fundamentals
ExpressRoute connections don’t go over the public Internet. Dynamic routing: ExpressRoute uses the Border Gateway Protocol (BGP) routing protocol. BGP is used to exchange routes between on-premises networks and resources running in Azure. This protocol enables dynamic routing between your on-premises network and services running in the Microsoft cloud.
ExpressRoute connectivity models
3 models are available to connect your on-premises network to the Microsoft Cloud:
4. Azure Fundamentals part 3: Describe core solutions and management tools on Azure
4.1. Choose the best AI service for your needs
Artificial Intelligence (AI) is a category of computing that adapts and improves its decision-making ability over time based on its successes and failures.
4.1.1. Identify the product options
There are two basic approaches to AI:
3 primary product offerings from Microsoft:
4.1.2. Analyze the decision criteria
4.1.3. Use Machine Learning for decision support systems
A practical case is given to determine which Microsoft products would best fit the example needs.
4.1.4. Use Cognitive Services for data analysis
Another practical use case.
4.1.5. Use Bot Service for interactive chat experiences
Again, a practical use case.
4.2. Choose the best tools to help organizations build better solutions
This section covers DevOps practices and the tools used to develop solutions.
4.2.1. Understand your product options
Microsoft offers tools to enable source-code management, continuous integration and continuous delivery (CI/CD), and automating the creation of testing environments.
4.2.2. Analyze the decision criteria
4.2.3. Use Azure DevOps to manage the application development lifecycle
Practical use case study, to learn how to choose the best DevOps solution (based on the previous questions).
4.2.4. Use GitHub to contribute to open-source software
Likewise, a practical use case.
4.2.5. Use Azure DevTest Labs to manage testing environments
4.3. Choose the best monitoring service for visibility, insight, and outage mitigation
4.3.1. Identify your product options
4.3.2. Analyze the decision criteria
4.3.3. Use Azure Advisor
A practical use case to learn how to choose the best Azure monitoring service.
Use case
Tailwind Traders wants to optimize its cloud spend. Also, the organization is concerned about security breaches, because it stores customer data and historical purchase data in cloud-based databases. As the organization ramps up its cloud expertise, it wants to better understand its use of the cloud, better understand best practices, and pinpoint "easy wins" where it can tighten up its cloud spend and security practices. Which service should you choose?
4.4. Choose the best tools for managing and configuring your Azure environment
4.4.1. Identify the product options
2 categories of management tools:
Your product options:
4.4.2. Analyze the decision criteria
4.5. Choose the best Azure serverless technology for your business scenario
4.5.1. Identify the product options
You create an instance of the service, and you add your code. No infrastructure configuration or maintenance is required, or even allowed. Serverless computing is ordinarily used to handle back-end scenarios. In other words, serverless computing is responsible for sending messages from one system to another, or processing messages that were sent from other systems. It’s not used for user-facing systems but, rather, it works in the background.
What are the differences between these services?
4.5.2. Analyze the decision criteria
4.6. Choose the best Azure IoT service for your application
IoT bridges the physical and digital worlds by enabling devices with sensors and an internet connection to communicate with cloud-based systems via the internet.
4.6.1. Identify the product options
IoT enables devices to gather and then relay information for data analysis. Smart devices are equipped with sensors that collect data.
AVTD - Azure IoT
4.6.2. Analyze the decision criteria
5. Azure Fundamentals part 4: Describe general security and network security features
5.1. Protect against security threats on Azure
5.1.1. Protect against security threats by using Azure Security Center
With Security Center, the company’s resources can be analysed against the security controls of any governance policies it has assigned, so it can view its overall regulatory compliance from a security perspective, all from one place.
AVTD - Azure Security Center: a monitoring center offering threat protection across all your datacenters, both in Azure and on-premises.
5.1.2. Detect and respond to security threats by using Azure Sentinel
Security management on a large scale can benefit from a dedicated Security Information and Event Management (SIEM) system. A SIEM system aggregates security data from many different sources (as long as those sources support an open-standard logging format). It also provides capabilities for threat detection and response. Azure Sentinel is Microsoft’s cloud-based SIEM system. It uses intelligent security analytics and threat analysis.
AVTD - Azure Sentinel: a SIEM (security information and event management) and SOAR (security orchestration and automated response) solution providing enterprise-scale security analytics on threats
5.1.3. Differences between Azure Security Center and Azure Sentinel
In a nutshell:
Azure Sentinel performs more roles, including hunting, automated playbooks and incident response, as well as assistance with manual incident investigations.
5.1.4. Store and manage secrets by using Azure Key Vault
Azure Key Vault is a centralized cloud service for storing an application’s secrets in a single, central location. It provides secure access to sensitive information by providing access control and logging capabilities. Azure Key Vault can help you:
The benefits of using Key Vault include:
Once created, the secret can be accessed through the Azure Portal, or with Azure CLI in Azure Cloud Shell, or with Azure PowerShell.
Retrieve the secret with Azure CLI in Azure Cloud Shell

```
ardemius@Azure:~$ az keyvault list --query [0]
{
  "id": "/subscriptions/4db700a1-ce71-4523-b484-93f5d1306b32/resourceGroups/learn-8f554fa5-8dd4-4ada-ad60-062d819da102/providers/Microsoft.KeyVault/vaults/my-keyvault-tsc123",
  "location": "eastus",
  "name": "my-keyvault-tsc123",
  "resourceGroup": "learn-8f554fa5-8dd4-4ada-ad60-062d819da102",
  "tags": {},
  "type": "Microsoft.KeyVault/vaults"
}
ardemius@Azure:~$ az keyvault list --query [0].name --output tsv
my-keyvault-tsc123
ardemius@Azure:~$ az keyvault secret show \
> --name MyPassword \
> --vault-name $(az keyvault list --query [0].name --output tsv) \
> --query value \
> --output tsv
hVFkk96
```

5.1.5. Host your Azure virtual machines on dedicated physical servers by using Azure Dedicated Host
On Azure, virtual machines (VMs) run on shared hardware that Microsoft manages. Although the underlying hardware is shared, your VM workloads are isolated from workloads that other Azure customers run.
A dedicated host is mapped to a physical server in an Azure datacenter. A host group is a collection of dedicated hosts.
What are the benefits of Azure Dedicated Host?
After a dedicated host is provisioned, Azure assigns it to the physical server in Microsoft’s cloud datacenter.
Pricing considerations
5.2. Secure network connectivity on Azure
5.2.1. What is defense in depth?
The objective of defense in depth is to protect information and prevent it from being stolen by those who aren’t authorized to access it.
Layers of defense in depth
You can visualize defense in depth as a set of layers, with the data to be secured at the center: each layer provides protection so that if one layer is breached, a subsequent layer is already in place to prevent further exposure. This approach removes reliance on any single layer of protection. It slows down an attack and provides alert telemetry that security teams can act upon, either automatically or manually.
AVTD - Defense in depth, through different layers of protection
Here’s a brief overview of the role of each layer:
Security posture
Your security posture is your organization’s ability to protect from and respond to security threats. The common principles used to define a security posture are confidentiality, integrity, and availability, known collectively as CIA.
5.2.2. Protect virtual networks by using Azure Firewall
A firewall is a network security device that monitors incoming and outgoing network traffic and decides whether to allow or block specific traffic based on a defined set of security rules. Azure Firewall is a managed, cloud-based network security service that helps protect resources in your Azure Virtual Networks. Azure Firewall is a stateful firewall. A stateful firewall analyzes the complete context of a network connection, not just an individual packet of network traffic. Azure Firewall features high availability and unrestricted cloud scalability. Azure Firewall provides a central location to create, enforce, and log application and network connectivity policies across subscriptions and virtual networks. Azure Firewall uses a static (unchanging) public IP address for your virtual network resources, which enables outside firewalls to identify traffic coming from your virtual network. The service is integrated with Azure Monitor to enable logging and analytics. Azure Firewall provides many features, including:
You typically deploy Azure Firewall on a central virtual network to control general network access.
What can I configure with Azure Firewall?
Azure Application Gateway also provides a firewall that’s called the web application firewall (WAF). WAF provides centralized, inbound protection for your web applications against common exploits and vulnerabilities. Azure Front Door and Azure Content Delivery Network also provide WAF services.
5.2.3. Protect from DDoS attacks by using Azure DDoS Protection
A distributed denial of service (DDoS) attack attempts to overwhelm and exhaust an application’s resources, making the application slow or unresponsive to legitimate users. DDoS attacks can target any resource that’s publicly reachable through the internet, including websites.
What service tiers are available to DDoS Protection?
In all cases, the Azure global network is used to distribute and mitigate attack traffic across Azure regions. What kinds of attacks can DDoS Protection help prevent?
5.2.4. Filter network traffic by using Network Security Groups (NSGs)
A network security group enables you to filter network traffic to and from Azure resources within an Azure virtual network. You can think of NSGs like an internal firewall. An NSG can contain multiple inbound and outbound security rules that enable you to filter traffic to and from resources by source and destination IP address, port, and protocol. A network security group can contain as many rules as you need, within Azure subscription limits. Each rule specifies these properties:
When you create a network security group, Azure creates a series of default rules to provide a baseline level of security. You can’t remove the default rules, but you can override them by creating new rules with higher priorities (in Azure, the rule with the lower priority number is evaluated first, and the first matching rule decides whether traffic is allowed or denied).
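As an added example (not part of the original notes or of any Microsoft code), the following Python models how Azure evaluates inbound NSG rules: lowest priority number first, first match wins, with the three real default inbound rules at the bottom. It replays the rules of the exercise that follows (default-allow-ssh at priority 1000, allow-http at 100) and adds a constructed Deny rule plus a hypothetical helper that lists ports reachable from the Internet.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Azure walks NSG rules in ascending priority order (100 before 1000) and the
# first rule matching the packet decides Allow or Deny. Custom rules must use
# unique priorities in 100-4096; the three default inbound rules below
# (65000-65500) exist in every NSG and can only be overridden, never removed.


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int
    access: str                  # "Allow" or "Deny"
    protocol: str = "*"          # "Tcp", "Udp", "Icmp" or "*"
    dest_port_range: str = "*"   # "80", "1000-2000" or "*"
    source_prefix: str = "*"     # "*" or a service tag such as "VirtualNetwork"


DEFAULT_INBOUND: List[Rule] = [
    Rule("AllowVnetInBound", 65000, "Allow", source_prefix="VirtualNetwork"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", source_prefix="AzureLoadBalancer"),
    Rule("DenyAllInBound", 65500, "Deny"),
]


def port_matches(port_range: str, port: int) -> bool:
    if port_range == "*":
        return True
    if "-" in port_range:
        lo, hi = (int(p) for p in port_range.split("-", 1))
        return lo <= port <= hi
    return int(port_range) == port


def validate(custom: List[Rule]) -> None:
    # Mirrors the checks Azure applies when a custom rule is created.
    seen = set()
    for r in custom:
        if not 100 <= r.priority <= 4096:
            raise ValueError(f"{r.name}: priority {r.priority} outside 100-4096")
        if r.priority in seen:
            raise ValueError(f"duplicate priority {r.priority}")
        seen.add(r.priority)
        if r.access not in ("Allow", "Deny"):
            raise ValueError(f"{r.name}: access must be Allow or Deny")


def evaluate(custom: List[Rule], *, port: int, protocol: str = "Tcp",
             source: str = "Internet") -> Tuple[str, str]:
    """Return (access, rule name) of the first inbound rule matching the packet."""
    validate(custom)
    for r in sorted(custom + DEFAULT_INBOUND, key=lambda r: r.priority):
        if r.protocol != "*" and r.protocol.lower() != protocol.lower():
            continue
        if not port_matches(r.dest_port_range, port):
            continue
        if r.source_prefix not in ("*", source):
            continue
        return r.access, r.name
    raise AssertionError("unreachable: DenyAllInBound matches everything")


def internet_exposed_ports(custom: List[Rule], ports=(22, 80, 443, 3389)) -> List[int]:
    """Hypothetical defender check: which of the given TCP ports the Internet can reach."""
    return [p for p in ports if evaluate(custom, port=p, source="Internet")[0] == "Allow"]


def exercise_walkthrough():
    """Replays the NSG states of exercise 5.2.5 with this model."""
    # my-vmNSG as created by `az vm create`: only default-allow-ssh (1000, TCP/22, any source)
    nsg = [Rule("default-allow-ssh", 1000, "Allow", protocol="Tcp", dest_port_range="22")]
    before = evaluate(nsg, port=80)   # curl times out: ('Deny', 'DenyAllInBound')
    # `az network nsg rule create --name allow-http --priority 100 --destination-port-range 80`
    nsg.append(Rule("allow-http", 100, "Allow", protocol="Tcp", dest_port_range="80"))
    after = evaluate(nsg, port=80)    # ('Allow', 'allow-http')
    # Constructed hardening rule (not from the exercise): a Deny with a lower number
    # than default-allow-ssh overrides it for Internet sources while VNet peers keep SSH.
    nsg.append(Rule("deny-ssh-internet", 500, "Deny", protocol="Tcp",
                    dest_port_range="22", source_prefix="Internet"))
    ssh_from_internet = evaluate(nsg, port=22, source="Internet")
    ssh_from_vnet = evaluate(nsg, port=22, source="VirtualNetwork")
    return before, after, ssh_from_internet, ssh_from_vnet


if __name__ == "__main__":
    for stage in exercise_walkthrough():
        print(stage)
```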
5.2.5. Exercise - Configure network access to a VM by using a network security group
You start by creating a Linux VM and installing Nginx, a popular web server, on that VM. To make your web server accessible, you then create a network security group (NSG) rule that allows inbound access on port 80 (HTTP). There are many ways to create and manage VMs, including their network settings. For example, you can use the Azure portal, the Azure CLI, Azure PowerShell, or an Azure Resource Manager (ARM) template. Here, you use the Azure CLI. The Azure CLI enables you to connect to Azure and run administrative commands on Azure resources. As with other command-line interfaces, you can run commands directly from a terminal or you can add commands to a Bash script or a PowerShell script. The Azure CLI runs on Windows, macOS, or Linux. Here, you access the Azure CLI from Azure Cloud Shell. Cloud Shell is a browser-based shell experience that you use to manage and develop Azure resources. Think of Cloud Shell as an interactive console that runs in the cloud.
Azure Cloud Shell

```
Requesting a Cloud Shell.Succeeded.
Connecting terminal...

Welcome to Azure Cloud Shell

Type "az" to use Azure CLI
Type "help" to learn about Cloud Shell

# First, let's create a Linux VM
ardemius@Azure:~$ az vm create \
> --resource-group learn-f86915b8-0c40-4a12-9524-7fcff6b051b6 \
> --name my-vm \
> --image UbuntuLTS \
> --admin-username azureuser \
> --generate-ssh-keys
SSH key files '/home/ardemius/.ssh/id_rsa' and '/home/ardemius/.ssh/id_rsa.pub' have been generated under ~/.ssh to allow SSH access to the VM. If using machines without permanent storage, back up your keys to a safe location.
{- Finished ..
  "fqdns": "",
  "id": "/subscriptions/24f6044d-738b-4d20-8eba-a9307e45b4b4/resourceGroups/learn-f86915b8-0c40-4a12-9524-7fcff6b051b6/providers/Microsoft.Compute/virtualMachines/my-vm",
  "location": "westus",
  "macAddress": "00-0D-3A-32-97-2A",
  "powerState": "VM running",
  "privateIpAddress": "10.0.0.4",
  "publicIpAddress": "104.42.185.11",
  "resourceGroup": "learn-f86915b8-0c40-4a12-9524-7fcff6b051b6",
  "zones": ""
}

# then we configure Nginx on our VM using the Custom Script Extension
ardemius@Azure:~$ az vm extension set \
> --resource-group learn-f86915b8-0c40-4a12-9524-7fcff6b051b6 \
> --vm-name my-vm \
> --name customScript \
> --publisher Microsoft.Azure.Extensions \
> --version 2.1 \
> --settings '{"fileUris":["https://raw.githubusercontent.com/MicrosoftDocs/mslearn-welcome-to-azure/master/configure-nginx.sh"]}' \
> --protected-settings '{"commandToExecute": "./configure-nginx.sh"}'
{- Finished ..
  "autoUpgradeMinorVersion": true,
  "enableAutomaticUpgrade": null,
  "forceUpdateTag": null,
  "id": "/subscriptions/24f6044d-738b-4d20-8eba-a9307e45b4b4/resourceGroups/learn-f86915b8-0c40-4a12-9524-7fcff6b051b6/providers/Microsoft.Compute/virtualMachines/my-vm/extensions/customScript",
  "instanceView": null,
  "location": "westus",
  "name": "customScript",
  "protectedSettings": null,
  "provisioningState": "Succeeded",
  "publisher": "Microsoft.Azure.Extensions",
  "resourceGroup": "learn-f86915b8-0c40-4a12-9524-7fcff6b051b6",
  "settings": {
    "fileUris": [
      "https://raw.githubusercontent.com/MicrosoftDocs/mslearn-welcome-to-azure/master/configure-nginx.sh"
    ]
  },
  "tags": null,
  "type": "Microsoft.Compute/virtualMachines/extensions",
  "typeHandlerVersion": "2.1",
  "typePropertiesType": "customScript"
}

# get your VM's IP address and store the result as a Bash variable
ardemius@Azure:~$ IPADDRESS="$(az vm list-ip-addresses \
> --resource-group learn-f86915b8-0c40-4a12-9524-7fcff6b051b6 \
> --name my-vm \
> --query "[].virtualMachine.network.publicIpAddresses[*].ipAddress" \
> --output tsv)"
ardemius@Azure:~$ echo $IPADDRESS
104.42.185.11

# Open a new browser tab and go to your web server.
# After a few moments, you see that the connection isn't happening.
# If you wait for the browser to time out, you'll see something like this:
# "Hmmm... can't reach this page. 104.42.185.11 took too long to respond"
# Same thing when using curl to download the home page
ardemius@Azure:~$ curl --connect-timeout 5 http://$IPADDRESS
# After five seconds, you see an error message that states that the connection timed out.
# This message means that the VM was not accessible within the timeout period.
curl: (28) Connection timed out after 5000 milliseconds

# list the network security groups that are associated with your VM
ardemius@Azure:~$ az network nsg list \
> --resource-group learn-f86915b8-0c40-4a12-9524-7fcff6b051b6 \
> --query '[].name' \
> --output tsv
my-vmNSG
# Every VM on Azure is associated with at least one network security group.
# In this case, Azure created an NSG for you called my-vmNSG.

# list the rules associated with the NSG named my-vmNSG
ardemius@Azure:~$ az network nsg rule list \
> --resource-group learn-f86915b8-0c40-4a12-9524-7fcff6b051b6 \
> --nsg-name my-vmNSG
[
  {
    "access": "Allow",
    "description": null,
    "destinationAddressPrefix": "*",
    "destinationAddressPrefixes": [],
    "destinationApplicationSecurityGroups": null,
    "destinationPortRange": "22",
    "destinationPortRanges": [],
    "direction": "Inbound",
    "etag": "W/\"2a5921d9-0138-40ae-90cf-d4b5fa837018\"",
    "id": "/subscriptions/24f6044d-738b-4d20-8eba-a9307e45b4b4/resourceGroups/learn-f86915b8-0c40-4a12-9524-7fcff6b051b6/providers/Microsoft.Network/networkSecurityGroups/my-vmNSG/securityRules/default-allow-ssh",
    "name": "default-allow-ssh",
    "priority": 1000,
    "protocol": "Tcp",
    "provisioningState": "Succeeded",
    "resourceGroup": "learn-f86915b8-0c40-4a12-9524-7fcff6b051b6",
    "sourceAddressPrefix": "*",
    "sourceAddressPrefixes": [],
    "sourceApplicationSecurityGroups": null,
    "sourcePortRange": "*",
    "sourcePortRanges": [],
    "type": "Microsoft.Network/networkSecurityGroups/securityRules"
  }
]

# Let's customize the output with the "--query" argument
ardemius@Azure:~$ az network nsg rule list \
> --resource-group learn-f86915b8-0c40-4a12-9524-7fcff6b051b6 \
> --nsg-name my-vmNSG \
> --query '[].{Name:name, Priority:priority, Port:destinationPortRange, Access:access}' \
> --output table
Name               Priority    Port    Access
-----------------  ----------  ------  --------
default-allow-ssh  1000        22      Allow
# You see the default rule, default-allow-ssh.
# This rule allows inbound connections over port 22 (SSH).
# SSH (Secure Shell) is a protocol that's used on Linux to allow administrators to access the system remotely.
# By default, a Linux VM's NSG allows network access only on port 22.
# This enables administrators to access the system.
# You need to also allow inbound connections on port 80, which allows access over HTTP.

# create a rule called allow-http that allows inbound access on port 80
ardemius@Azure:~$ az network nsg rule create \
> --resource-group learn-f86915b8-0c40-4a12-9524-7fcff6b051b6 \
> --nsg-name my-vmNSG \
> --name allow-http \
> --protocol tcp \
> --priority 100 \
> --destination-port-range 80 \
> --access Allow
{- Finished ..
  "access": "Allow",
  "description": null,
  "destinationAddressPrefix": "*",
  "destinationAddressPrefixes": [],
  "destinationApplicationSecurityGroups": null,
  "destinationPortRange": "80",
  "destinationPortRanges": [],
  "direction": "Inbound",
  "etag": "W/\"e5337a39-9e39-49fb-9606-a0e09241f1b4\"",
  "id": "/subscriptions/24f6044d-738b-4d20-8eba-a9307e45b4b4/resourceGroups/learn-f86915b8-0c40-4a12-9524-7fcff6b051b6/providers/Microsoft.Network/networkSecurityGroups/my-vmNSG/securityRules/allow-http",
  "name": "allow-http",
  "priority": 100,
  "protocol": "Tcp",
  "provisioningState": "Succeeded",
  "resourceGroup": "learn-f86915b8-0c40-4a12-9524-7fcff6b051b6",
  "sourceAddressPrefix": "*",
  "sourceAddressPrefixes": [],
  "sourceApplicationSecurityGroups": null,
  "sourcePortRange": "*",
  "sourcePortRanges": [],
  "type": "Microsoft.Network/networkSecurityGroups/securityRules"
}
# For learning purposes, here you set the priority to 100. In this case, the priority doesn't matter.
# You would need to consider the priority if you had overlapping port ranges.

# verify the configuration
ardemius@Azure:~$ az network nsg rule list \
> --resource-group learn-f86915b8-0c40-4a12-9524-7fcff6b051b6 \
> --nsg-name my-vmNSG \
> --query '[].{Name:name, Priority:priority, Port:destinationPortRange, Access:access}' \
> --output table
Name               Priority    Port    Access
-----------------  ----------  ------  --------
default-allow-ssh  1000        22      Allow
allow-http         100         80      Allow

# Check the result
ardemius@Azure:~$ echo $IPADDRESS
104.42.185.11
ardemius@Azure:~$ curl --connect-timeout 10 http://$IPADDRESS
<html><body><h2>Welcome to Azure! My name is my-vm.</h2></body></html>
# That's good!
# The same can be checked in a browser against the web server: "Welcome to Azure! My name is my-vm."
```

Content of the previous MicrosoftDocs/mslearn-welcome-to-azure/master/configure-nginx.sh:

```
#!/bin/bash

# Update apt cache.
sudo apt-get update

# Install Nginx.
sudo apt-get install -y nginx

# Set the home page.
echo "<html><body><h2>Welcome to Azure! My name is $(hostname).</h2></body></html>" | sudo tee -a /var/www/html/index.html
```

5.2.6. Combine Azure Services to create a complete network security solution
Here are some recommendations on how to combine Azure services to create a complete network security solution:
AVTD - sharing of security management between the customer and the cloud provider: shared security between the customer and the cloud provider
Which network security solutions protect which layers?
6. Azure Fundamentals part 5: Describe identity, governance, privacy, and compliance features
6.1. Secure access to your applications by using Azure identity services
Learn how Azure Active Directory helps you manage and secure identities. Learning objectives:
6.1.1. Compare authentication and authorization
One needs to ensure that employees can access only authorized applications.
The identification card represents credentials that the user has to prove their identity (you’ll learn more about the types of credentials later in this module). Once authenticated, authorization defines what kinds of applications, resources, and data that user can access.
AVTD - Comparing authentication and authorization
6.1.2. What is Azure Active Directory?
Azure Active Directory (Azure AD) is a cloud-based identity and access management (IAM) service. Azure AD enables an organization to control access to apps and resources based on its business requirements. A classic question: how can an organization integrate its existing Active Directory instance with cloud identity services to create a seamless experience for its users?
Azure portal view for an IT administrator working with Active Directory
Azure AD Connect
6.1.3. What are multifactor authentication and Conditional Access?
6.2. Build a cloud governance strategy on Azure
When running in the cloud, a good governance strategy helps you maintain control over the applications and resources that you manage in the cloud. Maintaining control over your environment ensures that you stay compliant with:
One could enforce processes that prevent teams from directly creating or configuring resources on Azure, mirroring the existing approach where central IT provisions infrastructure. But such restrictions are known to reduce team agility and the ability to innovate. How can we enable innovation while still maintaining control?
6.2.1. Accelerate your cloud adoption journey by using the Cloud Adoption Framework for Azure
The Cloud Adoption Framework consists of tools, documentation, and proven practices, and includes these stages:
1) Define your strategy
Here, you answer why you’re moving to the cloud and what you want to get out of cloud migration. Do you need to scale to meet demand or reach new markets? Will it reduce costs or increase business agility?
2) Make a plan
Here, you build a plan that maps your aspirational goals to specific actions. A good plan helps ensure that your efforts map to the desired business outcomes.
3) Ready your organization
Here, you create a landing zone, or an environment in the cloud to begin hosting your workloads.
4) Adopt the cloud
Here, you begin to migrate your applications to the cloud. Along the way, you might find ways to modernize your applications and build innovative solutions that use cloud services.
5) Govern and manage your cloud environments
Here, you begin to form your cloud governance and cloud management strategies. As the cloud estate changes over time, so do cloud governance processes and policies. You need to create resilient solutions that are constantly optimized.
AVTD - Cloud Adoption Framework :
6.2.2. Create a subscription governance strategy
At the beginning of any cloud governance implementation, you identify a cloud organization structure that meets your business needs. This step often involves forming a cloud center of excellence team (also called a cloud enablement team or a cloud custodian team). This team is empowered to implement governance practices from a centralized location for the entire organization. Teams often start their Azure governance strategy at the subscription level. There are three main aspects to consider when you create and manage subscriptions: billing, access control, and subscription limits.
Billing
Access control
Subscription limits
6.2.3. Control access to cloud resources by using Azure role-based access control
Instead of defining the detailed access requirements for each individual, and then updating access requirements when new resources are created, Azure enables you to control access through Azure role-based access control (Azure RBAC). Azure provides built-in roles that describe common access rules for cloud resources. You can also define your own roles. Each role has an associated set of access permissions that relate to that role. When you assign individuals or groups to one or more roles, they receive all of the associated access permissions. How is role-based access control applied to resources?
How is Azure RBAC enforced? Azure RBAC is enforced on any action that’s initiated against an Azure resource that passes through Azure Resource Manager. Resource Manager is a management service that provides a way to organize and secure your cloud resources. You typically access Resource Manager from the Azure portal, Azure Cloud Shell, Azure PowerShell, and the Azure CLI. Azure RBAC doesn’t enforce access permissions at the application or data level. Application security must be handled by your application. RBAC uses an allow model. When you’re assigned a role, RBAC allows you to perform certain actions, such as read, write, or delete. If one role assignment grants you read permissions to a resource group and a different role assignment grants you write permissions to the same resource group, you have both read and write permissions on that resource group.
Who does Azure RBAC apply to? You can apply Azure RBAC to an individual person or to a group. You can also apply Azure RBAC to other special identity types, such as service principals and managed identities. These identity types are used by applications and services to automate access to Azure resources. How do I manage Azure RBAC permissions? You manage access permissions on the Access control (IAM) pane in the Azure portal. This pane shows who has access to what scope and what roles apply. You can also grant or remove access from this pane. Ex: Alain Charon has been assigned the Backup Operator role for this resource group.
6.2.4. Prevent accidental changes by using resource locks
A resource lock (or Resource Manager lock) prevents resources from being accidentally deleted or changed. You can manage resource locks from the Azure portal, PowerShell, the Azure CLI, or from an Azure Resource Manager template. You can apply locks to a subscription, a resource group, or an individual resource. You can set the lock level to CanNotDelete or ReadOnly. Resource locks apply regardless of RBAC permissions. Even if you’re an owner of the resource, you must still remove the lock before you can perform the blocked activity. Combine resource locks with Azure Blueprints: To make the protection process more robust, you can combine resource locks with Azure Blueprints.
6.2.5. Organize your Azure resources by using Azure Tags
One way to organize related resources is to place them in their own subscriptions. Azure Tags are used to logically organize Azure resources, using name-value pairs. How do I manage resource tags? You can add, modify, or delete resource tags through PowerShell, the Azure CLI, Azure Resource Manager templates, the REST API, or the Azure portal. You can also manage tags by using Azure Policy. For example, you can apply tags to a resource group, but those tags are NOT automatically applied to the resources within that resource group. You can use Azure Policy to ensure that a resource inherits the same tags as its parent resource group. Examples of tags: AppName, CostCenter, Owner, Environment and Impact
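The interplay between sections 6.2.3 and 6.2.4 (RBAC assignments inherited down the scope tree and unioned under an allow model, then a resource lock vetoing the action regardless of RBAC) as an added example, not Microsoft code. The scope strings, the placeholder subscription id, the principal names and the simplified action words are constructed for the illustration.

```python
"""Toy model of Azure RBAC plus resource locks (added example, not Microsoft code)."""
from collections import namedtuple

Assignment = namedtuple("Assignment", "principal role scope")

# Simplified subset of built-in roles. Real definitions list ARM operation
# strings (e.g. Microsoft.Compute/virtualMachines/delete); these words stand in.
ROLES = {
    "Reader": {"read"},
    "Contributor": {"read", "write", "delete"},
    "Owner": {"read", "write", "delete", "assign-roles"},
    "Backup Operator": {"read", "backup"},
}

# What each lock level blocks: CanNotDelete only deletion, ReadOnly everything
# that is not a read.
LOCK_BLOCKS = {
    "CanNotDelete": {"delete"},
    "ReadOnly": {"write", "delete", "backup", "assign-roles"},
}


def in_scope(scope: str, target: str) -> bool:
    """True when `target` is `scope` itself or sits beneath it in the tree."""
    return target == scope or target.startswith(scope.rstrip("/") + "/")


def effective_actions(assignments, principal, target):
    """Union of everything any assignment grants `principal` at or above `target`
    (the allow model: read from one role plus write from another gives both)."""
    actions = set()
    for a in assignments:
        if a.principal == principal and in_scope(a.scope, target):
            actions |= ROLES[a.role]
    return actions


def authorize(assignments, locks, principal, action, target):
    """Return (allowed, reason). `locks` maps a scope to its lock level.
    RBAC is checked first; a lock at or above the target then vetoes."""
    if action not in effective_actions(assignments, principal, target):
        return False, "no role assignment grants '%s' on %s" % (action, target)
    for scope, level in locks.items():
        if in_scope(scope, target) and action in LOCK_BLOCKS[level]:
            return False, "'%s' blocked by %s lock on %s" % (action, level, scope)
    return True, "allowed"


# Constructed scope tree (placeholder subscription id).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-backup"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/vm1"
OTHER_VM = SUB + "/resourceGroups/rg-dev/providers/Microsoft.Compute/virtualMachines/vm2"

ASSIGNMENTS = [
    Assignment("alain.charon", "Backup Operator", RG),  # the page's example
    Assignment("alain.charon", "Reader", SUB),
    Assignment("ops-admins", "Contributor", SUB),       # a group; membership not modelled
]
LOCKS = {RG: "CanNotDelete"}

if __name__ == "__main__":
    print(effective_actions(ASSIGNMENTS, "alain.charon", VM))
    # Contributor inherited from the subscription, yet delete is vetoed by the lock.
    print(authorize(ASSIGNMENTS, LOCKS, "ops-admins", "delete", VM))
    # Removing the lock (an explicit step, as the text says) makes delete possible.
    print(authorize(ASSIGNMENTS, {}, "ops-admins", "delete", VM))
```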
6.2.6. Control and audit your resources by using Azure Policy
How do you ensure that your resources stay compliant? How can you be alerted if a resource’s configuration has changed? How does Azure Policy define policies?
Azure Policy in action Implementing a policy in Azure Policy involves these three steps:
Create a policy definition A policy definition expresses what to evaluate and what action to take. Examples:
Assign the definition to resources
To implement your policy definitions, you assign definitions to resources. A policy assignment is a policy definition that takes place within a specific scope. This scope could be a management group (a collection of multiple subscriptions), a single subscription, or a resource group. Policy assignments are inherited by all child resources within that scope. If a policy is applied to a resource group, that policy is applied to all resources within that resource group. You can exclude a subscope from the policy assignment if there are specific child resources you need to be exempt from the policy assignment.
Review the evaluation results
When a condition is evaluated against your existing resources, each resource is marked as compliant or noncompliant. You can review the noncompliant policy results and take any action that’s needed. Policy evaluation happens about once per hour. If you make changes to your policy definition and create a policy assignment, that policy is evaluated over your resources within the hour.
What are Azure Policy initiatives?
An Azure Policy initiative is a way of grouping related policies into one set. The initiative definition contains all of the policy definitions to help track your compliance state for a larger goal. For example, Azure Policy includes an initiative named "Enable Monitoring in Azure Security Center". Its goal is to monitor all of the available security recommendations for all Azure resource types in Azure Security Center.
Initiatives are defined by using the Azure Portal or command-line tools
6.2.7. Govern multiple subscriptions by using Azure Blueprints
What happens when your cloud environment starts to grow beyond just ONE subscription? How can you scale the configuration of these features, knowing they need to be enforced for resources in new subscriptions? Instead of having to configure features like Azure Policy for each new subscription, with Azure Blueprints you can define a repeatable set of governance tools and standard Azure resources that your organization requires. In this way, development teams can rapidly build and deploy new environments with the knowledge that they’re building within organizational compliance with a set of built-in components that speed the development and deployment phases. Azure Blueprints orchestrates the deployment of various resource templates and other artifacts, such as:
When you form a cloud center of excellence team or a cloud custodian team, that team can use Azure Blueprints to scale their governance practices throughout the organization.
With Azure Blueprints, the relationship between the blueprint definition (what should be deployed) and the blueprint assignment (what was deployed) is preserved. In other words, Azure creates a record that associates a resource with the blueprint that defines it. This connection helps you track and audit your deployments. Blueprints are also versioned. Versioning enables you to track and comment on changes to your blueprint. What are blueprint artifacts? Each component in the blueprint definition is known as an artifact.
You can specify a parameter’s value when you create the blueprint definition or when you assign the blueprint definition to a scope. In this way, you can maintain one standard blueprint but have the flexibility to specify the relevant configuration parameters at each scope where the definition is assigned. FYI, Azure Blueprints has several built-in blueprint definitions that relate to ISO 27001 (a standard that applies to the security of IT systems). You see that the blueprint template contains policy assignments, Resource Manager templates, and resource groups.
6.2.8. Summary
Cloud governance requires good analysis and requirement gathering. Luckily, the Cloud Adoption Framework for Azure can help you define and implement your governance strategy. There are several services and features in Azure to support these efforts:
6.3. Examine privacy, compliance, and data protection standards on Azure
In general, compliance means to adhere to a law, standard, or set of guidelines.
6.3.1. Explore compliance terms and requirements
Some popular compliance offerings available on Azure
6.3.2. Access the Microsoft Privacy Statement, the Online Services Terms, and the Data Protection Addendum
The Microsoft Privacy Statement, the Online Services Terms, and the Data Protection Addendum explain the personal data Microsoft collects, how Microsoft uses it, and for what purposes. What’s in the Microsoft Privacy Statement?
What’s in the Online Services Terms?
What is the Data Protection Addendum?
6.3.3. Explore the Trust Center
The Trust Center showcases Microsoft’s principles for maintaining data integrity in the cloud and how Microsoft implements and supports security, privacy, compliance, and transparency in all Microsoft cloud products and services. The Trust Center provides you with documentation about compliance standards and how Azure can support your business.
6.3.4. Access Azure compliance documentation
The Azure compliance documentation gives you access to detailed documentation about legal and regulatory standards and compliance on Azure.
6.3.5. What is Azure Government?
Azure Government is a separate instance of the Microsoft Azure service. It addresses the security and compliance needs of US federal agencies, state and local governments, and their solution providers. Azure Government offers physical isolation from non-US government deployments and provides screened US personnel.
6.3.6. What is Azure China 21Vianet?
Azure China 21Vianet is operated by 21Vianet. It’s a physically separated instance of cloud services located in China. Azure China 21Vianet is independently operated and transacted by Shanghai Blue Cloud Technology Co., Ltd. ("21Vianet"), a wholly owned subsidiary of Beijing 21Vianet Broadband Data Center Co., Ltd. According to the China Telecommunication Regulation, providers of cloud services, infrastructure as a service (IaaS) and platform as a service (PaaS), must have value-added telecom permits. Only locally registered companies with less than 50 percent foreign investment qualify for these permits. To comply with this regulation, the Azure service in China is operated by 21Vianet, based on the technologies licensed from Microsoft.
6.4. Microsoft 365 Compliance Center
AVTD - Compliance Manager: it gives you a score, a rating of the level your solution reaches against the requirements of a given regulation.
Compliance Manager helps simplify the way you manage compliance. Compliance Manager is based on 3 tools:
For more details, check:
Compliance Manager default view
7. Azure Fundamentals part 6: Describe Azure cost management and service level agreements
Module objectives:
7.1. Plan and manage your Azure costs
7.1.1. Compare costs by using the Total Cost of Ownership Calculator
The TCO Calculator (Total Cost of Ownership calculator) helps you estimate the cost savings of operating your solution on Azure over time, instead of in your on-premises datacenter. The term total cost of ownership is commonly used in finance. It can be hard to see all the hidden costs related to operating a technology capability on-premises. Software licenses and hardware are additional costs. With the TCO Calculator, you enter the details of your on-premises workloads. Then you review the suggested industry average cost (which you can adjust) for related operational costs. These costs include electricity, network maintenance, and IT labor. You’re then presented with a side-by-side report. Using the report, you can compare those costs with the same workloads running on Azure. Working with the TCO Calculator involves three steps:
7.1.2. Purchase Azure services
Questions to be addressed to prepare a cloud migration:
What types of Azure subscriptions can I use? Azure offers both free and paid subscription options to fit your needs and requirements. They are:
How do I purchase Azure services?
Your account is billed according to Azure’s "pay for what you use" model.
What factors affect cost? The way you use resources, your subscription type, and pricing from third-party vendors are common factors. Let’s take a quick look at each:
Does location or network traffic (and bandwidth) affect cost? Location is known as the Azure region. Azure infrastructure is distributed globally, which enables you to deploy your services centrally or provision your services closest to where your customers use them. Billing zones are a factor in determining the cost of some Azure services.
7.1.3. Understand Azure support plans
Microsoft offers 4 paid Azure support plans and 1 free plan for customers who require technical and operational support.
7.1.4. Azure Pricing Calculator
The Azure Pricing calculator helps you in the process of taking all factors into account to get an accurate cost estimate. Keep in mind that the Pricing calculator provides estimates and NOT actual price quotes. Actual prices can vary depending upon the date of purchase, the payment currency you’re using, and the type of Azure customer you are.
Exercise - Estimate workload cost by using the Pricing calculator
In the Azure Pricing calculator, in the "Example Scenarios" section, you can find templates for some reference architectures, or common cloud-based solutions that you can use as a starting point (like "Modern data warehouse").
7.1.5. Manage and minimize total cost on Azure
Calculate your projected costs by using the Pricing calculator and the Total Cost of Ownership (TCO) Calculator. Only add the products, services, and resources that you need for your solution.
Use Azure Advisor to monitor your usage
Use spending limits to restrict your spending
Use Azure Reservations to prepay
Choose low-cost locations and regions
Research available cost-saving offers
Use Azure Cost Management + Billing to control spending
Apply tags to identify cost owners
Resize underutilized virtual machines
Deallocate virtual machines during off hours
Delete unused resources
Migrate from IaaS to PaaS services
Save on licensing costs
AVTD - How to minimize costs on Azure? 6 factors affecting the cost of Azure services:
Factors affecting costs
How to minimize costs on Azure?
7.1.6. Knowledge check
To sum it up, to have a clear picture of the total cost of running in the cloud:
7.2. Choose the right Azure services by examining the SLAs and service lifecycle
7.2.1. What are service-level agreements (SLAs)?
Where can I access SLAs for Azure services?
How do percentages relate to total downtime?
What are service credits?
How do I know when there’s an outage?
How can I request a service credit from Microsoft?
7.2.2. Define your application SLA
Usage patterns define when and how users access your application. One question to consider is whether the availability requirement differs between critical and non-critical time periods. For example, a tax-filing application can’t fail during a filing deadline.
7.2.3. Design your application to meet your SLA
The process of combining SLAs helps you compute the composite SLA for a set of services your application depends on. Computing the composite SLA requires that you multiply the SLA of each individual service. In the example, the result is 99.78%, lower than the 99.99% that each service offers on its own.
To ensure high availability, you might plan for your application to have duplicate components across several regions, known as redundancy. Example for Tailwind Traders, its main website must be available as close to 100 percent of the time as possible. To accomplish that, Tailwind Traders might deploy extra instances of the same virtual machine across different availability zones in the same Azure region. Doing so helps ensure that if one zone is affected, virtual machine instances in the other zone can pick up the load.
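The SLA arithmetic from the two sections above (multiplying dependent services into a composite SLA, combining redundant instances, and turning a percentage into expected downtime, which the 7.2.1 question "How do percentages relate to total downtime?" asks about), as an added example that is not Microsoft's calculator or the page's own figures; the SLA values in it are constructed.

```python
"""Composite, redundant and downtime SLA arithmetic (added example)."""
from functools import reduce

MINUTES_PER_YEAR = 365 * 24 * 60    # 525,600; leap years ignored
MINUTES_PER_MONTH = 30 * 24 * 60    # 43,200; a common billing-month approximation


def composite_sla(sla_percents):
    """Availability when the application needs every listed service at once:
    the SLAs multiply, so the result is below the weakest single service."""
    fractions = [p / 100 for p in sla_percents]
    return reduce(lambda a, b: a * b, fractions, 1.0) * 100


def redundant_sla(sla_percent, instances):
    """Availability when any one of `instances` identical copies (for example
    the same VM in two availability zones) is enough: the whole tier is down
    only when every copy is down, so failure probabilities multiply."""
    failure = 1 - sla_percent / 100
    return (1 - failure ** instances) * 100


def downtime_minutes(sla_percent, period_minutes=MINUTES_PER_YEAR):
    """Expected unavailability a given SLA permits over the period."""
    return (1 - sla_percent / 100) * period_minutes


def application_sla(tiers):
    """tiers: list of (sla_percent, instances). Each tier is made redundant
    first, then the tiers are chained as dependencies."""
    return composite_sla([redundant_sla(s, n) for s, n in tiers])


if __name__ == "__main__":
    # Constructed figures: a web tier, a database and an identity dependency.
    print(round(composite_sla([99.95, 99.99, 99.9]), 4))      # 99.8401
    # One 99.9% VM versus the same VM duplicated across two zones.
    print(round(redundant_sla(99.9, 2), 4))                    # 99.9999
    print(round(downtime_minutes(99.9), 1), "min/year")        # 525.6
    print(round(downtime_minutes(99.9999), 2), "min/year")     # 0.53
    # Redundant VM tier chained with a single 99.99% database.
    print(round(application_sla([(99.9, 2), (99.99, 1)]), 4))  # 99.9899
```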
7.2.4. Access preview services and preview features
What is the service lifecycle?
Each Azure preview defines its own terms and conditions. All preview-specific terms and conditions supplement your existing Azure service agreement. You can access preview services from the Azure portal.
8. OLD COURSE CONTENT, BEFORE 2020/11/09
8.1. Explore Microsoft Azure cloud concepts (AZ-900)
8.1.1. Discuss why cloud services
Cloud Computing
Cloud Computing is the delivery of computing services (servers, storage, databases, networking, software, analytics, intelligence and more) over the internet (the cloud), enabling faster innovation, flexible resources, and economies of scale. You typically pay only for cloud services you use, helping lower your operating costs, run your infrastructure more efficiently, and scale as your business needs change. Cloud providers offer a wide range of services, including:
Computing choices for Cloud: VMs, containers or serverless Key Cloud Concepts :
8.1.2. Distinguish types of cloud models
3 different cloud deployment models: Public Cloud, Private Cloud, and Hybrid Cloud. An example of a hybrid cloud usage scenario would be hosting a website in the public cloud and linking it to a highly secure database hosted in a private cloud.
Remember, the cloud deployment model you choose will depend on your budget, security, scalability, and maintenance needs. Azure provides all of the flexibility and capabilities to meet your specific needs.
8.1.3. Explore types of cloud services
Shared responsibility model
IaaS, PaaS and SaaS
Common examples of SaaS apps and software: email, calendars, office tools (such as Office 365)
8.2. Distinguish Microsoft Azure Core Services (AZ-900)
8.2.1. Discuss core Azure architectural components
In this module, you will:
Azure Regions
A few examples of regions are West US, Canada Central, West Europe, Australia East, and Japan West. At the time of writing this, Azure is generally available in 60 regions and available in 140 countries. See Microsoft's site: "Azure has more global regions than any other cloud provider". Each Azure region is paired with another region within the same geography (such as US, Europe, or Asia) at least 300 miles away, which together make a region pair. Azure divides the world into geographies that are defined by geopolitical boundaries or country borders. An Azure geography is a discrete market typically containing two or more regions that preserves data residency and compliance boundaries.
Availability Options
Availability Sets
Availability Sets, Update domains and Fault domains
Availability sets are made up of Update domains (UD) and Fault domains (FD):
Availability zones
Availability zones are physically separate locations within an Azure region that use availability sets to provide additional fault tolerance.
Resource Group
A resource group is a unit of management for your resources in Azure. You can think of your resource group as a container that allows you to aggregate and manage all the resources required for your application in a single manageable unit. This allows you to manage the application collectively over its lifecycle, rather than manage components individually. Before any resource can be provisioned, you need a resource group for it to be placed in.
Resource groups help to organize resources, with several possible strategies:
Azure Management Layer
Azure Resource Manager is a management layer in which resource groups and all the resources within them are created, configured, managed, and deleted. With Azure Resource Manager, you can:
Resource Manager templates are JSON files that define the resources you need to deploy your solution.
9. Resources
Other sites that help prepare for the certification:
Mock exam sites, and question/answer sets for practice:
10. Mock exams
10.1. Sample exam questions from testprep training "Microsoft Azure Fundamentals (AZ-900)"
Q1) You have plans to deploy several Azure virtual machines. You are required to ensure that the services running on the virtual machines are available, even if a single data center fails. Solution: You suggest deploying the virtual machines to two or more scale sets. Does the suggested solution meet the desired goal?
✅ No, the solution does not meet the desired goal
❌ Yes, the solution meets the desired goal
Q2) Jacob is working in an organization. He has been asked to migrate its SQL Database to Azure by ensuring that other users in the organization do not accidentally delete or modify critical resources. Which of the following Azure features should Jacob use to meet the requirement?
✅ Azure Resource Manager Locks
Azure role-based access control
Azure Policy
Azure Active Directory
Q3) Let us suppose you plan to deploy several Azure virtual machines. You are required to ensure that the services running on the virtual machines are available if a single data centre fails. Solution: You suggest deploying virtual machines to two or more availability zones. Does the suggested solution meet the desired goal?
✅ Correct
Incorrect
Q4) Peter is working in a company that plans to migrate its website to Azure. The website is accessed worldwide by users for video streaming services. Peter has been asked to suggest a solution to provide reduced load times and high transfer speeds. Which of the following Azure services should Peter suggest to meet the requirement?
✅ Azure Content Delivery Network
Load Balancers
Blob Storage
Network Security Groups
Q5) Which of the following Azure services would you suggest when you are planning to create an application with an event-based architecture that has the feature to ingest events from Blob storage and create custom topics?
✅ Azure Event Grid
Azure Logic Apps
Azure Functions
Azure Machine Learning Studio
Q6) A company plans to migrate all of its servers and data to Azure. John has been asked to suggest a solution that allows using only Software-as-a-Service Azure products that will support the planned migration. John suggests deploying Azure virtual machines and Azure SQL Database. Does the solution suggested by John meet the requirement?
Yes, it meets the requirement
✅ No, it does not meet the requirement
Q7) Let us suppose you work for ABC Ltd. which has several business units. Each business unit requires 20 different Azure resources for daily operation. All the business units require the same type of Azure resources. Now, you are required to suggest a solution to automate the creation of Azure resources. Which of the following options would you suggest in this case?
Virtual machine scale sets
The Azure API Management service
Management groups
✅ Azure Resource Manager templates
Q8) Sam is working in an organization that plans to migrate its applications to Azure. He has been asked to suggest a solution that will maintain virtual machine connectivity to at least one instance with a guaranteed 99.95% uptime. Sam suggested deploying one VM instance in one Availability Set. Does the suggested solution meet the goal?
No, it does not meet the goal
✅ Yes, it meets the goal
Q9) An organization plans to migrate its docker containers to Azure. You have been asked to suggest a solution that offers a set of version control tools to help developers manage the application code. Which amongst the following will you include in your recommendation?
Azure Activity log
Azure Pipelines
✅ Azure Repos
Azure Monitor
Q10) ________________ is used to explain the personal data that Microsoft processes, how Microsoft processes it, and for what purposes.
Microsoft Online Services Level Agreement
Microsoft Online Subscription Agreement
Microsoft Cloud Agreement (MCA)
✅ Microsoft Privacy Statement
Q1) Let us suppose ABC Ltd. plans to migrate all its data and resources to Azure. The company’s migration plan states that only platform as a service (PaaS) solutions must be used in Azure. Now you are required to deploy an Azure environment which supports the planned migration. Solution: In this case, you create an Azure App Service and Azure virtual machines that have Microsoft SQL Server installed. Does the solution meet the desired goal?
Yes, the solution meets the desired goal.
✅ No, the solution does not meet the desired goal.
Q2) Which of the given Azure services permits a user to have a DNS-based traffic load balancer?
Azure Private Load Balancer
Azure Network Interface
✅ Azure Traffic Manager
Azure Public Load Balancer
Q3) Your organization is planning to build a customized solution for uploading weather data to Azure using several million sensors. Which of the given services should the company use to connect, monitor, and control the sensors without managing the infrastructure?
Azure App Service
Azure Virtual Machine
✅ Azure IoT Hub
Azure Files
Q4) ________________ is used to explain the personal data that Microsoft processes, how Microsoft processes it, and for what purposes.
Microsoft Online Services Level Agreement
Microsoft Online Subscription Agreement
Microsoft Cloud Agreement (MCA)
✅ Microsoft Privacy Statement
Q5) Let us suppose a company wants to try out some services that are being offered by Azure in Public Preview. In this case, should the company deploy resources which are part of Public Preview in their production environment?
✅ No
Yes
Q6) A company plans to migrate its application servers hosted on-premises to Azure. Which of the following is the key advantage of using the public cloud for its servers?
Public cloud is owned by the public and not a private organization or corporation.
Public cloud is used exclusively by a single business or organization.
Public cloud is a free shared entity that is crowdfunded by the public and is accessible by everyone.
✅ Public cloud is a shared entity operated by a third-party cloud service provider that various corporations can use.
Q7) An organization plans to migrate its application named QuickApp1 to Azure. As per the observed pattern, QuickApp1 has a low usage during the second and fourth weeks and high usage during the first and third weeks of the month. Which amongst the following benefits of Azure Cloud Services will support cost management for this kind of usage pattern?
High availability
Fault tolerance
Load balancing
✅ Elasticity
Q8) Samuel is working in an organization that requires to secure its web applications from security vulnerabilities like volumetric, protocol, and resource layer attacks. Samuel has been asked to suggest a solution that has the capability of automatically generating post-attack mitigation reports for compliance purposes. Which of the following services should he use to satisfy this above requirement?
Azure Firewall
Azure Security Center
Azure Advanced Threat Protection
✅ Azure DDoS Protection Standard
🔥 Azure Advanced Threat Protection (Azure ATP) is the former name of Microsoft Defender for Identity. 🔥 A cloud security solution that uses your on-premises Active Directory signals to identify, detect and investigate advanced threats, compromised identities and malicious insider actions directed at your organization. See Thomas Mitchell's mock exam: the Azure Advanced Threat protection is Microsoft's security solution that is used to identify, detect, and investigate advanced threats and compromised IDENTITIES.
Q9) ______________ offers real-time analytics and a complex event-processing engine.
Azure Event Hub
Azure Data Lake
Azure Logic Apps
✅ Azure Stream Analytics
Q10) Let us suppose a company needs to create around 50 customized Virtual Machines every week. Out of these, 20 are Windows-based Virtual machines and the remaining 30 are Ubuntu Machines. Which of the given options would assist in reducing the administrative effort needed to deploy the machines?
Azure virtual machine scale sets
✅ Azure DevTest Labs
Azure Reserved Virtual Machines (VM) Instances
Microsoft Managed Desktop
🔥 I PERSONALLY DO NOT AGREE ON THIS LAST ONE. 🔥 Azure DevTest Labs eases the management (building, setting up, tearing down) of VMs, focusing on a LAB environment, which is not specified in the question
11. Glossary
ACU: Azure Compute Units. Dedicated compute resources used to run applications deployed in an App Service plan.
ARM: Azure Resource Manager. Azure Resource Manager templates are JSON (JavaScript Object Notation) files that define the infrastructure and configuration of your project.
BGP: Border Gateway Protocol. BGP is used to exchange routes between on-premises networks and resources running in Azure. This protocol enables dynamic routing between your on-premises network and services running in the Microsoft cloud.
BYOD: Bring Your Own Device
CapEx: Capital Expenditure. This is the up-front spending of money on physical infrastructure, and then deducting that up-front expense over time. The up-front cost from CapEx has a value that reduces over time.
CCM: Cloud Controls Matrix
CDN: A content delivery network, or content distribution network (CDN), is a geographically distributed network of proxy servers and their data centers. The goal is to provide high availability and performance by distributing the service spatially relative to end users.
CORS: Cross-Origin Resource Sharing
CSA: Cloud Security Alliance
CSP: Cloud Solution Provider, a Microsoft Partner who helps you build solutions on top of Azure.
DLP: Data Loss Prevention
FedRAMP: Federal Risk and Authorization Management Program. Microsoft cloud services have undergone independent, third-party FedRAMP Moderate and High Baseline audits. Microsoft cloud services are certified according to the FedRAMP standards.
FQDN: Fully Qualified Domain Name
HIPAA: The Health Insurance Portability and Accountability Act (HIPAA) is a US federal law that regulates patient Protected Health Information (PHI).
Hosting provider: a synonym for "cloud services provider"
HUB: Azure Hybrid Use Benefit
IAM: Identity and Access Management
IOPS: I/O operations per second
ISO: International Organization for Standardization, the largest standards body in the world, which remains a non-governmental organization.
ISP: Internet Service Provider
MFA: Multi-Factor Authentication
MTCS: Multi-Tier Cloud Security
NFS: Network File System
NIST / CSF: National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) is a voluntary framework that consists of standards, guidelines, and best practices to manage cybersecurity-related risks.
NSG: Network Security Group, enables you to filter network traffic to and from Azure resources within an Azure virtual network. You can think of NSGs like an internal firewall.
OpEx: Operational Expenditure. This is spending money on services or products now and being billed for them now. You can deduct this expense in the same year you spend it. There is no up-front cost, as you pay for a service or product as you use it.
PCI / DSS: Payment Card Industry (PCI) / Data Security Standard (DSS)
PHI: Protected Health Information
RBAC: Role-Based Access Control
RCA: Root Cause Analysis for Azure incidents
SIEM: Security Information and Event Management
SMB: Server Message Block
SOAR: Security Orchestration, Automation and Response
SOC: Security Operations Center
SKU: Stock-Keeping Unit (SKU) is a generic inventory term that represents the different shapes of a product.
TCO: Total Cost of Ownership. The Total Cost of Ownership (TCO) Calculator can help you compare the cost of running in the datacenter versus running on Azure.
UDR: User-Defined Routing, allows network admins to control the routing tables between subnets, within a subnet as well as between VNets.
VPN: Virtual Private Network
VXC: Virtual Cross-Connection. Virtual cross connects (VXC) are private, direct connections between a network and a cloud provider, content delivery network, or a carrier through an internet exchange point.
WAF: Web Application Firewall is a feature of Azure Application Gateway that provides your web applications with centralized, inbound protection against common exploits and vulnerabilities.
How can Tailwind Traders enforce having only certain applications run on its VMs?
Connect your VMs to Azure Sentinel.
Create an application control rule in Azure Security Center.
Periodically run a script that lists the running processes on each VM.
How would you enforce having only certain applications run on VMs?How can companies enforce having only certain applications run on their VMs? Answer : Create an application control rule in Azure Security Center which is also known as Microsoft Defender for Cloud.
How can tailwind traders ensure that certain VM workloads are physically?How can Tailwind Traders ensure that certain VM workloads are physically isolated from workloads being run by other Azure customers? A. Configure the network to ensure that VMs on the same physical host are isolated.
How can we ensure that certain VM workloads are physically isolated from workloads being run by other Azure customers?How can companies ensure that certain VM workloads are physically isolated from workloads being run by other Azure customers? Configure the network to ensure that VMs on the same physical host are isolated. This is not possible. These workloads need to be run on-premises.
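The glossary entry above describes an NSG as an internal firewall that filters traffic to and from resources in a virtual network. The Python model below is an added example written for this page; it is not Microsoft's implementation and not code from the page. It shows how NSG rule evaluation actually behaves: rules are processed in priority order (lowest number first), the first matching rule decides, and the default rules Azure adds to every NSG (AllowVnetInBound, AllowAzureLoadBalancerInBound, DenyAllInBound) sit at priorities 65000 and above, so they only apply when no custom rule matched. The VNet address space 10.0.0.0/16, the sample rules and the sample source addresses are constructed; the only real identifiers are the default rule names and 168.63.129.16, the Azure platform address used for load-balancer health probes.

```python
"""Model of how an Azure Network Security Group (NSG) evaluates inbound rules.

Added illustration for the glossary entry, not Microsoft code. The VNet
address space and every sample rule below are constructed values.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class NsgRule:
    name: str
    priority: int   # 100-4096 for custom rules; the lowest number is evaluated first
    direction: str  # "Inbound" or "Outbound"
    access: str     # "Allow" or "Deny"
    protocol: str   # "Tcp", "Udp", "Icmp" or "*"
    source: str     # CIDR, "*", or a service tag such as "Internet"
    dest_port: str  # "22", "8000-8080" or "*"


# Constructed VNet address space. In a real NSG the VirtualNetwork tag also
# covers peered VNets and on-premises prefixes learned through gateways.
VNET_ADDRESS_SPACE = [ip_network("10.0.0.0/16")]

SERVICE_TAGS = {
    "VirtualNetwork": VNET_ADDRESS_SPACE,
    # 168.63.129.16 is the Azure platform address that sends health probes.
    "AzureLoadBalancer": [ip_network("168.63.129.16/32")],
}

# Default inbound rules Azure adds to every NSG. They cannot be deleted, only
# overridden by a custom rule with a lower priority number.
DEFAULT_INBOUND = [
    NsgRule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "*"),
    NsgRule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*"),
    NsgRule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*"),
]


def source_matches(rule_source: str, src_ip: str) -> bool:
    """Match a source address against a CIDR, a service tag or the wildcard."""
    ip = ip_address(src_ip)
    if rule_source == "*":
        return True
    if rule_source == "Internet":  # everything outside the VNet address space
        return not any(ip in net for net in VNET_ADDRESS_SPACE)
    if rule_source in SERVICE_TAGS:
        return any(ip in net for net in SERVICE_TAGS[rule_source])
    return ip in ip_network(rule_source, strict=False)


def port_matches(rule_port: str, port: int) -> bool:
    """Match a destination port against a single port, a range or the wildcard."""
    if rule_port == "*":
        return True
    if "-" in rule_port:
        low, high = (int(p) for p in rule_port.split("-"))
        return low <= port <= high
    return int(rule_port) == port


def validate(custom_rules) -> list:
    """Report what the Azure API rejects: priority out of range or duplicated per direction."""
    problems, seen = [], set()
    for rule in custom_rules:
        if not 100 <= rule.priority <= 4096:
            problems.append(f"{rule.name}: custom priority must be between 100 and 4096")
        key = (rule.direction, rule.priority)
        if key in seen:
            problems.append(f"{rule.name}: duplicate priority {rule.priority} for {rule.direction}")
        seen.add(key)
    return problems


def evaluate_inbound(custom_rules, src_ip: str, dest_port: int, protocol: str = "Tcp"):
    """Return (access, rule_name) of the first rule that matches, in priority order."""
    problems = validate(custom_rules)
    if problems:
        raise ValueError("; ".join(problems))
    rules = sorted(
        (r for r in list(custom_rules) + DEFAULT_INBOUND if r.direction == "Inbound"),
        key=lambda r: r.priority,
    )
    for rule in rules:
        if (rule.protocol.lower() in ("*", protocol.lower())
                and source_matches(rule.source, src_ip)
                and port_matches(rule.dest_port, dest_port)):
            return rule.access, rule.name  # first match wins; later rules are never consulted
    return "Deny", "implicit"  # unreachable while DenyAllInBound exists


# Constructed sample policy: SSH only from an admin range, HTTPS from anywhere.
SAMPLE_RULES = [
    NsgRule("AllowSshFromAdmin", 100, "Inbound", "Allow", "Tcp", "203.0.113.0/24", "22"),
    NsgRule("DenySshFromInternet", 200, "Inbound", "Deny", "Tcp", "Internet", "22"),
    NsgRule("AllowHttpsFromInternet", 300, "Inbound", "Allow", "Tcp", "Internet", "443"),
]

if __name__ == "__main__":
    for src, port in [("203.0.113.10", 22), ("198.51.100.7", 22), ("198.51.100.7", 443),
                      ("198.51.100.7", 8080), ("10.0.1.5", 22)]:
        print(f"{src}:{port} -> {evaluate_inbound(SAMPLE_RULES, src, port)}")
```

The check in `validate` mirrors two constraints the Azure API enforces (custom priorities 100 to 4096, unique per direction). The evaluation order is the point to remember when reviewing an NSG: a broad Allow with a lower priority number silently shadows a Deny with a higher number, and anything not matched by a custom rule falls through to the default rules, which still allow all traffic from inside the VNet.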