# Notes and highlights for Exam Ref AZ-900 Microsoft Azure Fundamentals

Jim Cheshire

---

## Chapter 1. Describe cloud concepts

### Highlight (yellow) - Skill 1.1: Identify the benefits and considerations of using cloud services > Page 2 · Location 242

There are many reasons why you might lose availability, but the most common issues are:

### Highlight (yellow) - Skill 1.1: Identify the benefits and considerations of using cloud services > Page 2 · Location 253

All applications require some level of network connectivity.

### Highlight (yellow) - Skill 1.1: Identify the benefits and considerations of using cloud services > Page 3 · Location 270

Azure offers a service called Application Insights that integrates with your application to give you detailed information about the performance and reliability of your application.

### Highlight (yellow) - Skill 1.1: Identify the benefits and considerations of using cloud services > Page 6 · Location 327

The concept of automatically scaling is referred to as elasticity.

### Highlight (yellow) - Skill 1.1: Identify the benefits and considerations of using cloud services > Page 6 · Location 334

This kind of speed and flexibility in the cloud is often called cloud agility.

### Note - Skill 1.1: Identify the benefits and considerations of using cloud services > Page 6 · Location 335

Based on business needs

### Highlight (yellow) - Skill 1.1: Identify the benefits and considerations of using cloud services > Page 6 · Location 345

Fault tolerance happens without any interaction from you, and it’s designed to automatically move you from an unhealthy system to a healthy system if things go wrong.
### Highlight (yellow) - Skill 1.1: Identify the benefits and considerations of using cloud services > Page 6 · Location 351

You don’t have to understand the technical details of how Azure implements fault tolerance for the AZ-900 exam, but if you’re interested in learning more, check out https://msdn.microsoft.com/magazine/mt422582.aspx.

### Highlight (yellow) - Skill 1.1: Identify the benefits and considerations of using cloud services > Page 7 · Location 363

Disaster recovery not only means having reliable backups of important data, but it also means that the cloud infrastructure can replicate your application’s resources in an unaffected region so that your data is safe and your application availability isn’t affected.

### Highlight (yellow) - Skill 1.1: Identify the benefits and considerations of using cloud services > Page 8 · Location 382

Unlike capital expenses, operating expenses are tracked on a month-by-month basis, so it’s much easier to adjust them based on need.

### Highlight (yellow) - Skill 1.1: Identify the benefits and considerations of using cloud services > Page 8 · Location 389

the ability to use only those computing resources you require at any particular time. This is typically referred to as a consumption-based model,

### Highlight (yellow) - Skill 1.2: Describe the differences between categories of cloud services > Page 11 · Location 447

IaaS services allow you to control costs effectively because you only pay for them when you are using them. If you stop your IaaS VM, your billing stops for the resource. This makes IaaS an ideal choice if you need developers to have a platform for testing an application during release. Developers can start an IaaS VM, test the application as a team, and then stop the IaaS VM when testing is complete.
Another popular use of IaaS is when you need one or more powerful VMs for a temporary period.

### Highlight (yellow) - Skill 1.2: Describe the differences between categories of cloud services > Page 13 · Location 485

Docker

### Highlight (yellow) - Skill 1.2: Describe the differences between categories of cloud services > Page 13 · Location 487

Some of the other PaaS services are

- Azure CDN
- Azure Cosmos DB
- Azure SQL Database
- Azure Database for MySQL
- Azure Storage
- Azure Synapse Analytics

### Highlight (yellow) - Skill 1.2: Describe the differences between categories of cloud services > Page 13 · Location 490

Azure Storage, Azure Synapse Analytics

### Highlight (yellow) - Skill 1.2: Describe the differences between categories of cloud services > Page 13 · Location 495

In fact, this is one of the main benefits of using a PaaS service; you can often move your application from on-premises to a cloud environment by simply deploying it to the cloud. This concept is often referred to as lift-and-shift.

### Highlight (yellow) - Skill 1.2: Describe the differences between categories of cloud services > Page 14 · Location 533

Some of the SaaS services Microsoft makes available are

- Microsoft 365
- Xbox Live
- OneDrive
- Power Automate (previously Microsoft Flow)

### Highlight (yellow) - Skill 1.3: Describe the differences between types of cloud computing > Page 16 · Location 570

The traditional cloud model is referred to as the public cloud. In addition to a public cloud model, businesses can also use a private cloud where the infrastructure is dedicated to them. Finally, a hybrid cloud model represents a mixture of public and private cloud models.

### Highlight (yellow) - Skill 1.3: Describe the differences between types of cloud computing > Page 19 · Location 645

For example, once you offload management of your private cloud to a third party, you lose control of important considerations such as the security of your data.
It’s often impossible to achieve full transparency when dealing with third-party providers, and you can’t always guarantee that data on your private cloud network will remain secured in a way that you require.

## Chapter 2. Describe core Azure services

### Highlight (yellow) - Skill 2.1: Describe the core Azure architectural components > Page 26 · Location 795

This section covers:

- Azure regions and regional pairs
- Availability zones
- Resource groups
- Azure subscriptions
- Management groups
- Azure Resource Manager (ARM)

### Highlight (yellow) - Skill 2.1: Describe the core Azure architectural components > Page 27 · Location 823

The fact that each geography contains at least two regions separated by a large physical distance is important. That’s how Azure maintains disaster recovery, and it’s likely this concept will be included on the exam.

### Highlight (yellow) - Skill 2.1: Describe the core Azure architectural components > Page 28 · Location 860

Availability zones provide high availability and fault tolerance, but they might not help you with disaster recovery.

### Highlight (yellow) - Skill 2.1: Describe the core Azure architectural components > Page 30 · Location 885

In fact, Microsoft guarantees an SLA of 99.99 percent uptime for Azure virtual machines only if two or more VMs are deployed into two or more zones.

### Highlight (yellow) - Skill 2.1: Describe the core Azure architectural components > Page 30 · Location 890

Azure virtual machine inside of three availability zones

### Highlight (yellow) - Skill 2.1: Describe the core Azure architectural components > Page 30 · Location 896

Don’t confuse availability zones with availability sets. Availability sets allow you to create two or more virtual machines in different physical server racks in an Azure datacenter. Microsoft guarantees a 99.95 percent SLA with an availability set. An availability zone allows you to deploy two or more Azure services into two distinct datacenters within a region.
Microsoft guarantees a 99.99 percent SLA with availability zones.

### Highlight (yellow) - Skill 2.1: Describe the core Azure architectural components > Page 31 · Location 915

A resource group is a logical container for Azure services. By creating all Azure services associated with a particular application in a single resource group, you can then deploy and manage all of those services as a single entity.

### Highlight (yellow) - Skill 2.1: Describe the core Azure architectural components > Page 33 · Location 944

If you click Resource Costs, you can see the cost of all the resources in this resource group. Having that information at your fingertips is especially helpful in situations where you want to make sure certain departments in your company are charged correctly for their used resources. In fact, some companies will create resource groups for each department rather than creating resource groups scoped to applications. Having a Sales and Marketing resource group or an IT Support resource group, for instance, can help you immensely when reporting and controlling costs.

### Highlight (yellow) - Skill 2.1: Describe the core Azure architectural components > Page 33 · Location 950

An Azure resource can only exist in one resource group. In other words, you can’t have a virtual machine in a resource group called WebStorefront and also in a resource group called SalesMarketing, because it must be in one group or the other. You can move Azure resources from one resource group to another.

### Highlight (yellow) - Skill 2.1: Describe the core Azure architectural components > Page 33 · Location 960

When you delete a resource group, all the resources in that resource group are automatically deleted.

### Highlight (yellow) - Skill 2.1: Describe the core Azure architectural components > Page 34 · Location 968

Each Azure subscription has limits (sometimes called quotas) assigned to it.
For example, you can have up to 250 Azure Storage accounts per region in a subscription, up to 25,000 virtual machines per region, and up to 980 resource groups per subscription across all regions.

### Highlight (yellow) - Skill 2.1: Describe the core Azure architectural components > Page 34 · Location 971

More Info: Subscription Limits. You can find details on all limits for subscriptions at https://bit.ly/az900-sublimits.

### Highlight (yellow) - Skill 2.1: Describe the core Azure architectural components > Page 34 · Location 975

Microsoft support can increase limits in some scenarios if you have a good business justification. Some limits, however, cannot be increased.

### Highlight (yellow) - Skill 2.1: Describe the core Azure architectural components > Page 37 · Location 1024

Management groups are a convenient way to apply policies and access control to your Azure resources. Much like a resource group, a management group is a container for organizing your resources. However, management groups can contain only Azure subscriptions or other management groups.

### Highlight (yellow) - Skill 2.1: Describe the core Azure architectural components > Page 38 · Location 1041

You’re limited to a total of 10,000 management groups. A management group hierarchy can only support up to six levels. You cannot have multiple parents for a single management group or subscription.

### Highlight (yellow) - Skill 2.1: Describe the core Azure architectural components > Page 39 · Location 1062

Both the portal and the command-line tools work by using ARM, and they interact with ARM using the ARM application programming interface, or API. The ARM API is the same whether you’re using the portal or command-line tools, and that means you get a consistent result.

### Highlight (yellow) - Skill 2.1: Describe the core Azure architectural components > Page 40 · Location 1079

You don’t have to tell ARM how to do what you want.
You simply have to tell it what you want. To do that, ARM uses files that are encoded in JavaScript Object Notation (or JSON) called ARM templates.

### Highlight (yellow) - Skill 2.2: Describe core resources available in Azure > Page 48 · Location 1186

You can also stop a VM from within the guest operating system on the VM, but when you do that, you will still be charged for the resources the VM uses because it’s still allocated to you. That means you’ll still incur charges for managed disks and other resources. Once you finish this chapter, deleting the TestRG resource group will ensure you aren’t charged for the VM.

### Highlight (yellow) - Skill 2.2: Describe core resources available in Azure > Page 48 · Location 1199

Availability sets protect you from maintenance events and downtime caused by hardware failures.

### Highlight (yellow) - Skill 2.2: Describe core resources available in Azure > Page 48 · Location 1201

Fault domains are a logical representation of the physical rack in which a host computer is installed. By default, Azure assigns two fault domains to an availability set.

### Highlight (yellow) - Skill 2.2: Describe core resources available in Azure > Page 49 · Location 1205

Update domains are designed to protect you from a situation where the host computer is being rebooted. When you create an availability set, Azure creates five update domains by default. These update domains are spread across the fault domains in the availability set.

### Highlight (yellow) - Skill 2.2: Describe core resources available in Azure > Page 51 · Location 1237

Availability sets certainly provide a benefit in protecting from downtime in certain situations, but they also have some disadvantages. First of all, every machine in an availability set has to be explicitly created.
While you can use an ARM template to deploy multiple virtual machines in one deployment, you still have to configure those machines with the software and configuration necessary to support your application.

### Highlight (yellow) - Skill 2.2: Describe core resources available in Azure > Page 51 · Location 1240

An availability set also requires that you configure something in front of your VMs that will handle the distribution of traffic to those VMs.

### Highlight (yellow) - Skill 2.2: Describe core resources available in Azure > Page 51 · Location 1242

Another disadvantage to availability sets relates to cost.

### Highlight (yellow) - Skill 2.2: Describe core resources available in Azure > Page 51 · Location 1244

Azure offers another feature for VMs called scale sets that solves these problems nicely.

### Highlight (yellow) - Skill 2.2: Describe core resources available in Azure > Page 51 · Location 1252

Scale sets are deployed in availability sets automatically, so you automatically benefit from multiple fault domains and update domains. Unlike VMs in an availability set, however, VMs in a scale set are also compatible with availability zones, so you are protected from problems in an Azure datacenter.

### Highlight (yellow) - Skill 2.2: Describe core resources available in Azure > Page 52 · Location 1273

how App Service works. Azure Load Balancer distributes traffic to a special VM within App Service called a front end.

### Highlight (yellow) - Skill 2.2: Describe core resources available in Azure > Page 54 · Location 1300

You are charged for App Service plans even when no web apps are running in them. If you do have web apps in your App Service plan, you are still charged if you stop the web apps. The only way to avoid being billed for an App Service plan is to delete it.
### Highlight (yellow) - Skill 2.2: Describe core resources available in Azure > Page 56 · Location 1336

A container is created using a zipped version of an application called an image, and it includes everything the application needs to run. That might include a database engine, a web server, and so on. The image can be deployed to any environment that supports the use of containers. Once there, the image is used to start a container the application runs in.

### Highlight (yellow) - Skill 2.2: Describe core resources available in Azure > Page 57 · Location 1360

ACI isn’t a good choice for you if you have an application that is used heavily by many people and that might need to take advantage of scaling. Instead, Azure Kubernetes Service (AKS) would be a better choice.

### Highlight (yellow) - Skill 2.2: Describe core resources available in Azure > Page 59 · Location 1389

The computer that Kubernetes pods are running on is called a node or a worker.

### Highlight (yellow) - Skill 2.2: Describe core resources available in Azure > Page 59 · Location 1406

AKS in Azure is free. You only pay for the Azure compute resources you use within your cluster.

### Highlight (yellow) - Skill 2.2: Describe core resources available in Azure > Page 61 · Location 1441

Better yet, through the use of technology Microsoft acquired called FSLogix, WVD provides for a local profile while the user is using apps. This capability even allows users to use files in Microsoft OneDrive along with WVD.

### Highlight (yellow) - Skill 2.2: Describe core resources available in Azure > Page 66 · Location 1541

You can connect two VNets together using a VNet-to-VNet connection with VPN Gateway, but when you use that method, you might experience some latency because of the two VPN Gateways that are involved. As I pointed out earlier, you are also going to incur a bandwidth restriction based on the VPN Gateway pricing tier you are using.
To avoid both of those situations, you can connect your VNets using virtual network peering. Traffic between two VNets that are peered travels over Microsoft’s private backbone infrastructure and not over the Internet; however, unlike a VNet-to-VNet connection, the traffic is not encrypted.

### Highlight (yellow) - Skill 2.2: Describe core resources available in Azure > Page 68 · Location 1568

If you have resources you need to connect to that are behind Azure Load Balancer running in the Basic tier, you won’t be able to connect to those resources using the public IP address of the load balancer. If that’s a requirement for you, you’ll need to change Azure Load Balancer to the Standard tier.

### Highlight (yellow) - Skill 2.2: Describe core resources available in Azure > Page 68 · Location 1578

For example, a VPN is limited to a maximum of 1.25 Gbps in network speed. If a customer needs more speed than that, VPN isn’t a good choice.

### Highlight (yellow) - Skill 2.2: Describe core resources available in Azure > Page 69 · Location 1599

If you want to remove the service provider from the picture, you can use an offering called ExpressRoute Direct that allows you to connect directly to a physical port on the MSEE router. ExpressRoute Direct also provides for much higher bandwidth if that’s a concern for you.

### Highlight (yellow) - Skill 2.2: Describe core resources available in Azure > Page 70 · Location 1608

There are three types of blobs in Azure Storage.

- Block blobs: Used to store files used by an application.
- Append blobs: They are like block blobs, but append blobs are specialized for append operations. For that reason, they are often used to store constantly updated data like diagnostic logs.
- Page blobs: They are used to store virtual hard disk (.vhd) files that are used in Azure virtual machines. We’ll cover these in Azure Disk Storage later in this chapter.
### Highlight (yellow) - Skill 2.2: Describe core resources available in Azure > Page 70 · Location 1618

If you want to move a large amount of data, Microsoft offers a service called Data Box.

### Highlight (yellow) - Skill 2.2: Describe core resources available in Azure > Page 70 · Location 1619

For even larger amounts of data, Microsoft offers a Data Box offline service where they will ship you hard drives.

### Highlight (pink) - Skill 2.2: Describe core resources available in Azure > Page 70 · Location 1623

Azure creates a disk that is automatically designated for temporary storage when you create a VM. This means data on that disk will be lost if there’s a maintenance event on the VM. If you need to store data for a longer period of time that will persist between VM deployments and maintenance events, you can create a disk using an image stored in Azure Storage.

### Highlight (yellow) - Skill 2.2: Describe core resources available in Azure > Page 71 · Location 1628

Azure disks are available as either managed disks or unmanaged disks. All Azure disks are backed by page blobs in Azure Storage. When you use unmanaged disks, they use an Azure Storage account in your Azure subscription, and you must manage that account.

### Highlight (yellow) - Skill 2.2: Describe core resources available in Azure > Page 71 · Location 1635

Microsoft recommends managed disks for all new VMs. They also recommend that all VMs currently using unmanaged disks be moved to managed disks.

### Highlight (yellow) - Skill 2.2: Describe core resources available in Azure > Page 71 · Location 1636

Perhaps an even more important reason to use managed disks is that by doing so, you avoid a possible single point of failure in your VM.

### Highlight (yellow) - Skill 2.2: Describe core resources available in Azure > Page 71 · Location 1645

Azure Files is a completely managed file share that you can mount just like any SMB file share.
### Highlight (yellow) - Skill 2.2: Describe core resources available in Azure > Page 72 · Location 1658

Install Azure File Sync on one or more servers in your local network and it will keep your files in Azure Files synchronized with your on-premises server.

### Highlight (yellow) - Skill 2.2: Describe core resources available in Azure > Page 72 · Location 1668

In fact, while the Hot and Cool access tiers guarantee access to the first byte of data within milliseconds, the Archive tier only guarantees access to the first byte within 15 hours.

### Highlight (yellow) - Skill 2.2: Describe core resources available in Azure > Page 73 · Location 1677

There are four types of NoSQL database systems: key-value, column, document, and graph.

### Highlight (yellow) - Skill 2.2: Describe core resources available in Azure > Page 73 · Location 1699

When you create a Cosmos DB database, you choose the API you want to use, which determines the database type for your database. The database API types are

### Highlight (yellow) - Skill 2.2: Describe core resources available in Azure > Page 74 · Location 1718

Azure SQL Database is a PaaS offering for SQL Server database hosting.

### Highlight (yellow) - Skill 2.2: Describe core resources available in Azure > Page 75 · Location 1733

Azure offers three different deployment options for Azure SQL Database: single database, elastic pool, and managed instance.

### Highlight (yellow) - Skill 2.2: Describe core resources available in Azure > Page 76 · Location 1737

A DTU represents a collection of CPU, memory, and data reads and writes. There are three tiers in the DTU model: Basic, Standard, and Premium. Each tier offers a higher level of CPU, memory, and data transfer.
### Note - Skill 2.2: Describe core resources available in Azure > Page 76 · Location 1739

More fixed price

### Highlight (yellow) - Skill 2.2: Describe core resources available in Azure > Page 76 · Location 1740

You can choose between a provisioned tier (where you choose the CPU, memory, and other resources that are always available) and a serverless tier where you choose a range of resource needs so you can control costs more effectively.

### Note - Skill 2.2: Describe core resources available in Azure > Page 76 · Location 1742

vCore: more elastic and more control over memory/CPU attributes

### Highlight (yellow) - Skill 2.2: Describe core resources available in Azure > Page 77 · Location 1773

While you can scale up and down easily with Azure SQL Database by moving to a higher tier or adding compute, memory, and storage resources, relational databases don’t scale horizontally. There are some options available for scaling out a read-only copy of your database, but in general, relational databases don’t offer the capability of scaling out to provide additional copies of your data in multiple regions.

### Highlight (yellow) - Skill 2.2: Describe core resources available in Azure > Page 77 · Location 1784

Once the data has been migrated, DMS sets up synchronization between the source database and Azure SQL Database. This means that as long as the source database remains online, any changes made to it will be synchronized with the managed instance in Azure SQL Database.

### Highlight (yellow) - Chapter summary > Page 85 · Location 1951

Here’s a summary of what this chapter covered.

### Highlight (yellow) - Chapter summary > Page 87 · Location 1983

Azure VPN Gateway allows you to establish encrypted connections between Azure VNets and other VNets or on-premises networks. You can configure VNet-to-VNet connections, site-to-site connections, and point-to-site connections.

## Chapter 3. Describe core solutions and management tools on Azure

### Highlight (yellow) - Page 89 · Location 2014

Azure provides Azure Advisor to help you, and by coupling Azure Advisor with Azure Monitor, you can stay on top of all your Azure services.

### Highlight (yellow) - Page 89 · Location 2016

things can still go wrong, and when they do, the Azure Service Health website will keep you informed of what’s going on.

### Highlight (yellow) - Skill 3.1: Describe core solutions available in Azure > Page 90 · Location 2029

This section covers:

- Azure IoT Hub
- IoT Central
- Azure Sphere
- Azure Synapse Analytics
- HDInsight
- Azure Databricks
- Azure Machine Learning
- Cognitive Services
- Azure Bot Service
- Serverless computing
- Azure Functions
- Logic Apps
- Event Grid
- Azure DevOps
- Azure DevTest Labs
- GitHub and GitHub Actions

### Highlight (yellow) - Skill 3.1: Describe core solutions available in Azure > Page 91 · Location 2061

IoT devices are added to IoT Hub, and you can then manage them, monitor them, and send messages to them, either individually or to groups that you create. You can add up to 1,000,000 IoT devices to a single IoT Hub.

### Highlight (yellow) - Skill 3.1: Describe core solutions available in Azure > Page 99 · Location 2204

IoT Central gives you control over who can do what using roles. There are three built-in roles to which you can assign a user.

### Highlight (yellow) - Skill 3.1: Describe core solutions available in Azure > Page 105 · Location 2297

Analyzing big data requires a powerful system for storing data, the ability to query the data in multiple ways, enormous power to execute large queries, assurance that the data is secure, and much more. That’s exactly what Azure Synapse Analytics provides.

### Highlight (yellow) - Skill 3.1: Describe core solutions available in Azure > Page 105 · Location 2300

Azure Synapse is the next evolution of another Azure service called SQL Data Warehouse.
### Highlight (yellow) - Skill 3.1: Describe core solutions available in Azure > Page 106 · Location 2322

A data lake refers to a repository of unordered data, and a data warehouse refers to a repository of ordered data.

### Highlight (yellow) - Skill 3.1: Describe core solutions available in Azure > Page 106 · Location 2327

Essentially, HDInsight is Microsoft’s managed service that provides a cloud-based implementation of a popular data analytics platform called Hadoop.

### Highlight (yellow) - Skill 3.1: Describe core solutions available in Azure > Page 108 · Location 2370

Azure Databricks is an ideal solution for accumulating data and for forming the data (called data modeling) so that it’s optimal for machine learning models.

### Highlight (yellow) - Skill 3.1: Describe core solutions available in Azure > Page 109 · Location 2381

Databricks is actually the name of a company that originally developed Apache Spark.

### Highlight (yellow) - Skill 3.1: Describe core solutions available in Azure > Page 109 · Location 2383

fact, Microsoft natively built the Databricks Runtime to run in Azure, and Azure Databricks provides many more unique features outside the Databricks platform developed by Databricks.

### Highlight (yellow) - Skill 3.1: Describe core solutions available in Azure > Page 113 · Location 2450

The important point to remember is that Databricks works with third-party machine learning frameworks to allow you to build machine learning models.

### Highlight (yellow) - Skill 3.1: Describe core solutions available in Azure > Page 119 · Location 2574

You can think of Cognitive Services as SaaS ML models that you can use directly in your ML solutions without the expense of developing your own.

### Highlight (yellow) - Skill 3.1: Describe core solutions available in Azure > Page 123 · Location 2629

In a serverless situation, you pay only when your code is running on a VM. When your code’s not running, you don’t pay anything.
The concept of serverless computing came about because cloud providers had unused VMs in their data centers and they wanted to monetize them.

### Highlight (yellow) - Skill 3.1: Describe core solutions available in Azure > Page 123 · Location 2640

Cognitive Services is an example of a serverless service, but Azure has many other serverless services, many of which don’t fit into the categories we’ve already discussed. They are Azure Functions for serverless compute, Azure Logic Apps for serverless workflows, and Azure Event Grid for serverless event routing.

### Highlight (yellow) - Skill 3.1: Describe core solutions available in Azure > Page 131 · Location 2747

workflow simply means that a Logic App reacts to something happening and responds by performing a series of tasks, such as sending an email, transferring data to a database, and so on. It can do these things in order, but it can also do two things

### Highlight (yellow) - Skill 3.1: Describe core solutions available in Azure > Page 137 · Location 2832

The concept of different Azure services interacting with each other should be pretty familiar to you by now.

### Highlight (yellow) - Skill 3.1: Describe core solutions available in Azure > Page 137 · Location 2833

You could use a polling method for this, similar to the Logic App checking against OneDrive every three minutes looking for a change. It’s more efficient, however, to enable an Azure service to trigger an event when something specific happens and configure another Azure service to listen for that event so it can react to it. Event Grid provides that functionality. Both Azure Functions and Azure Logic Apps

### Highlight (yellow) - Skill 3.1: Describe core solutions available in Azure > Page 142 · Location 2911

Azure DevTest Labs solves both problems nicely, and it adds quite a few other features that developers and IT departments will both find to be helpful.
### Highlight (yellow) - Skill 3.2: Describe Azure management tools > Page 160 · Location 3191

`Install-Module -Name Az -AllowClobber`

### Highlight (yellow) - Skill 3.2: Describe Azure management tools > Page 160 · Location 3201

`Connect-AzAccount`

### Highlight (yellow) - Skill 3.2: Describe Azure management tools > Page 161 · Location 3211

`Set-AzContext -Subscription "subscription_id"`

### Highlight (yellow) - Skill 3.2: Describe Azure management tools > Page 162 · Location 3228

many situations, you will be including PowerShell commands in a script so that you can perform a number of operations at once. In that case, you won’t be able to confirm a command by typing y, so you can use the -Force parameter

### Highlight (yellow) - Skill 3.2: Describe Azure management tools > Page 162 · Location 3239

Azure CLI can be scripted using shell scripts in various languages like Python, Ruby, and so on. Like the PowerShell Az module, the Azure CLI is cross-platform and works on Windows, Linux, and macOS as

### Highlight (yellow) - Skill 3.2: Describe Azure management tools > Page 162 · Location 3256

`az resource create --help`

### Highlight (yellow) - Skill 3.2: Describe Azure management tools > Page 162 · Location 3260

Like PowerShell, most commands in the Azure CLI have a --force parameter that you can include so that no prompts are displayed. When scripting PowerShell or the CLI, you need to include this parameter, or your script won’t work. Watch out for examples in the AZ-900 exam that test for this kind of knowledge.

### Highlight (yellow) - Skill 3.2: Describe Azure management tools > Page 165 · Location 3290

Cloud Shell, you’ll need to select the environment you want to use. You can choose between Bash and PowerShell,

### Highlight (yellow) - Skill 3.2: Describe Azure management tools > Page 165 · Location 3296

Once the storage account is created, Cloud Shell will launch a session as shown in Figure 3-79.
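The Az PowerShell highlights above (install the module, sign in, select a subscription, and use -Force so an unattended script is never stuck at a y/n prompt) fit together as one script. The following is an added example, not text from the book and not Microsoft's own sample code; the subscription id and region are placeholders, and the TestRG resource group name is the one the book's exercises use:

```powershell
# Added example (not from the book). Replace the placeholder values before running.
$SubscriptionId = "00000000-0000-0000-0000-000000000000"   # placeholder subscription id
$ResourceGroup  = "TestRG"                                  # resource group name from the book's exercises
$Location       = "eastus"                                  # assumed region

# Stop at the first failing cmdlet so later steps never run against the wrong state.
$ErrorActionPreference = "Stop"

# Install the Az module once. -AllowClobber lets it overwrite cmdlets with the same names
# from the older AzureRM module; -Force suppresses the "untrusted repository" prompt.
if (-not (Get-Module -ListAvailable -Name Az.Accounts)) {
    Install-Module -Name Az -AllowClobber -Scope CurrentUser -Force
}

# Sign in. This is the only interactive step (browser or device-code prompt).
Connect-AzAccount | Out-Null

# Pin every following cmdlet to one subscription, then verify the context really changed,
# so a script never creates or deletes resources in the wrong subscription.
Set-AzContext -Subscription $SubscriptionId | Out-Null
$current = (Get-AzContext).Subscription.Id
if ($current -ne $SubscriptionId) {
    throw "Expected subscription $SubscriptionId but the active context is $current"
}

# Create a disposable resource group for a test deployment ...
New-AzResourceGroup -Name $ResourceGroup -Location $Location -Force | Out-Null

# ... and remove it afterwards so nothing in it keeps billing. Deleting a resource group
# deletes every resource inside it, so Remove-AzResourceGroup asks for confirmation by
# default; -Force answers that prompt, which an unattended script cannot do itself.
Remove-AzResourceGroup -Name $ResourceGroup -Force | Out-Null
```

The context check after Set-AzContext is the part worth keeping in any real script: -Force removes the safety net of the interactive prompt, so the script should prove it is pointed at the intended subscription before it runs a destructive cmdlet.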
### Highlight (yellow) - Skill 3.2: Describe Azure management tools > Page 166 · Location 3318

The last button on the toolbar is the Web Preview button. This button allows you to run a web application using the files in the current folder inside of your web browser. This is a powerful tool for developers who might be developing web applications using Cloud Shell.

### Highlight (yellow) - Skill 3.2: Describe Azure management tools > Page 167 · Location 3335

Why would someone want to preview an app in Cloud Shell instead of just debugging it locally? Many developers write applications that interact with other Azure services, and they might want to debug these applications while they’re running in Azure. For command line developers, this technique in Cloud Shell is a powerful way to enable that.

### Highlight (yellow) - Skill 3.2: Describe Azure management tools > Page 171 · Location 3379

Azure Advisor can offer advice about high availability, security, performance, and cost.

### Highlight (yellow) - Skill 3.2: Describe Azure management tools > Page 174 · Location 3423

Azure Monitor aggregates metrics for Azure services and exposes them in a single interface. You can also create alerts that will notify you or someone else when there are concerns you might want to address.

### Highlight (yellow) - Skill 3.2: Describe Azure management tools > Page 185 · Location 3530

Azure Monitor is geared toward monitoring the cost and performance of your resources and alerting you and others when conditions warrant. Azure Service Health, on the other hand, is the single-point-of-truth for information on the health of Azure itself and how Azure incidents are affecting your resources.

### Highlight (yellow) - Chapter summary > Page 189 · Location 3632

Here’s a summary of what this chapter covered.

## Chapter 4. Describe general security and network security features

### Highlight (yellow) - Skill 4.1: Describe Azure security features > Page 192 · Location 3708

Free tier: The free tier provides general assessment and recommendations for securing your Azure resources and also provides a secure score showing you the overall security of your resources.

Azure Defender tier: The Azure Defender tier adds functionality for securing VMs, applications, and networks. It also offers additional features such as advanced threat detection, analysis from Microsoft Threat Intelligence, the ability to manage the regulatory compliance of your Azure resources, and Microsoft Defender for Endpoint for your servers. The Azure Defender tier is billed by the hour, and full details on pricing can be found at https://azure.microsoft.com/en-us/pricing/details/security-center.

### Highlight (yellow) - Skill 4.1: Describe Azure security features > Page 197 · Location 3773

Keeping encryption keys in an HSM boundary is required for Federal Information Processing Standard (FIPS) 140-2, so companies that need to maintain compliance with FIPS 140-2 can do so by using the Premium tier of Key Vault.

### Highlight (yellow) - Skill 4.1: Describe Azure security features > Page 200 · Location 3805

Azure Disk Encryption is enabled on your VMs using Azure PowerShell, the Azure command-line interface (CLI), or an ARM template

### Highlight (yellow) - Skill 4.1: Describe Azure security features > Page 200 · Location 3807

In order to enable encryption and store the keys in Key Vault, your VMs and Key Vault must be in the same Azure subscription, and they must be in the same Azure region

### Highlight (yellow) - Skill 4.1: Describe Azure security features > Page 205 · Location 3864

Playbooks use Logic Apps for their workflows.
### Highlight (yellow) - Skill 4.1: Describe Azure security features > Page 207 · Location 3887

In a nondedicated host scenario, Microsoft will apply updates to the host computer at a time of their choosing. With Azure Dedicated Hosts, you can choose a window of time for updates to be applied to your host computer. This allows you more control over any brief periods of impact an update might cause to your VMs. Azure Dedicated Hosts run inside of a host group that you create inside of an Azure region

### Highlight (yellow) - Skill 4.2: Describe Azure network security > Page 208 · Location 3920

A Network Security Group (NSG) allows you to filter traffic on your network and apply rules on that traffic

### Highlight (yellow) - Skill 4.2: Describe Azure network security > Page 209 · Location 3943

Rules with a lower priority take precedence over rules with a higher priority.

### Highlight (yellow) - Skill 4.2: Describe Azure network security > Page 209 · Location 3948

The default rules that Azure applies to all NSGs have a priority in the 65,000 range. This prevents the default rules from ever overriding an explicit rule that you create, and it makes it easier for you to override the default rules if needed.

### Highlight (yellow) - Skill 4.2: Describe Azure network security > Page 212 · Location 3987

The flow record is no longer in effect once traffic stops flowing for a few minutes.

### Highlight (yellow) - Skill 4.2: Describe Azure network security > Page 212 · Location 3990

service tag is a special identifier created by Microsoft that applies to the Internet or to a specific service type within Azure. For example, if you have some web apps running in Azure App Service, and you want to allow them to communicate with your subnet, you can use the AppService service tag in your inbound rule to allow that. Azure services also have region-specific service tags so that you can allow or deny traffic only from specific regions.
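The rule-ordering behaviour these highlights describe, worked through as an added Python simulation (not code from the book): user rules and Azure's default inbound rules are merged, the lowest priority number that matches wins, and the service-tag prefix table and sample rules are constructed for illustration.

```python
"""Simulate how an Azure NSG chooses the effective rule for an inbound flow.

Added illustration, not code from the book: the user rules and Azure's three
default inbound rules are sorted by priority, and the first rule whose source,
destination port and protocol match decides Allow or Deny. The defaults sit at
65000/65001/65500, so any user rule (100-4096) always beats them.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple

# Constructed stand-in for Microsoft's service-tag prefix lists (illustrative
# prefixes only; the real AppService ranges are published by Microsoft).
SERVICE_TAGS = {
    "VirtualNetwork": ["10.0.0.0/16"],
    "AzureLoadBalancer": ["168.63.129.16/32"],
    "AppService": ["13.66.140.0/22"],
    "*": ["0.0.0.0/0"],
}


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int        # 100-4096 for user rules; Azure defaults use 65000+
    access: str          # "Allow" or "Deny"
    source: str          # service tag or CIDR prefix
    dest_port: str       # "*" or a single port number as a string
    protocol: str = "*"  # "*", "Tcp" or "Udp"


# Azure's default inbound rules, with the names and priorities Azure uses.
DEFAULT_INBOUND = [
    Rule("AllowVNetInBound", 65000, "Allow", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "AzureLoadBalancer", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*"),
]


def _source_matches(rule_source: str, src_ip: str) -> bool:
    addr = ip_address(src_ip)
    if rule_source == "Internet":
        # The Internet tag means "outside the virtual network's address space".
        return not any(addr in ip_network(p) for p in SERVICE_TAGS["VirtualNetwork"])
    prefixes = SERVICE_TAGS.get(rule_source, [rule_source])  # fall back to a CIDR
    return any(addr in ip_network(p) for p in prefixes)


def evaluate_inbound(user_rules: List[Rule], src_ip: str, dest_port: int,
                     protocol: str = "Tcp") -> Tuple[str, str]:
    """Return (access, rule_name) of the first match in ascending priority order."""
    for rule in sorted(user_rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if (_source_matches(rule.source, src_ip)
                and (rule.dest_port == "*" or int(rule.dest_port) == dest_port)
                and (rule.protocol == "*" or rule.protocol.lower() == protocol.lower())):
            return rule.access, rule.name
    raise RuntimeError("unreachable: DenyAllInBound matches every flow")


# Constructed sample policy: HTTPS from App Service is allowed, RDP from the
# Internet is denied, and SSH from inside the VNet is denied at priority 4000,
# which still beats the AllowVNetInBound default at 65000.
SAMPLE_RULES = [
    Rule("AllowAppServiceHttps", 100, "Allow", "AppService", "443", "Tcp"),
    Rule("DenyRdpFromInternet", 200, "Deny", "Internet", "3389", "Tcp"),
    Rule("DenyVnetSsh", 4000, "Deny", "VirtualNetwork", "22", "Tcp"),
]

if __name__ == "__main__":
    for src, port in [("13.66.140.10", 443), ("203.0.113.5", 3389),
                      ("10.0.1.4", 22), ("10.0.1.4", 3389), ("203.0.113.5", 443)]:
        print(f"{src}:{port} -> {evaluate_inbound(SAMPLE_RULES, src, port)}")
```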
### Highlight (yellow) - Skill 4.2: Describe Azure network security > Page 213 · Location 4008

Azure Firewall is a PaaS offering in Azure

### Highlight (yellow) - Skill 4.2: Describe Azure network security > Page 213 · Location 4008

99.95 percent uptime guarantee. Azure Firewall

### Highlight (yellow) - Skill 4.2: Describe Azure network security > Page 214 · Location 4022

you first remote into the jumpbox VM, and then you remote into the spoke network VM from the jumpbox. This setup is referred to as a hub-and-spoke configuration

### Highlight (yellow) - Skill 4.2: Describe Azure network security > Page 216 · Location 4043

When you create a firewall during the creation of a virtual network, Azure creates a subnet in the virtual network called AzureFirewallSubnet, and it uses the address space you specify for that subnet. A public IP address is also created for the firewall so that it can be accessed from the Internet

### Highlight (yellow) - Skill 4.2: Describe Azure network security > Page 216 · Location 4047

In this example, we’re using a jumpbox and JIT access to explain the benefit of Azure Firewall, but a much better approach to remote access for your VMs is to use Azure Bastion because it doesn’t require you to expose a public IP address. Azure Bastion isn’t currently covered in the AZ-900 exam, but you can find out more about it by browsing to https://bit.ly/az900-azurebastion.

### Highlight (yellow) - Skill 4.2: Describe Azure network security > Page 216 · Location 4053

To send traffic to your firewall, you need to create a route table. A route table is an Azure resource that is associated with a subnet, and it contains rules (called routes) that define how network traffic in the subnet is handled.

### Highlight (yellow) - Skill 4.2: Describe Azure network security > Page 219 · Location 4095

There are three types of rule collections available in Azure Firewall.
NAT Rule Collection: Network address translation (NAT) rules are used to forward traffic from the firewall to another device on the network.

Network Rule Collection: These are rules that allow traffic on specific IP address ranges and ports that you specify.

Application Rules Collection: Application rules are used to allow applications, such as Windows Update, to communicate across your network. Also, they can be used to allow particular domain names such as azure.com and microsoft.com.

### Highlight (yellow) - Skill 4.2: Describe Azure network security > Page 219 · Location 4107

If there isn’t a network rule that applies to the traffic, the application rules are applied.

### Highlight (yellow) - Skill 4.2: Describe Azure network security > Page 220 · Location 4120

When you enable threat intelligence, you can choose to have Azure alert you if traffic from a known-malicious IP address or domain name attempts to enter your network. Also, you can choose to have the traffic denied by the firewall automatically, as shown in Figure 4-36.

### Highlight (yellow) - Skill 4.2: Describe Azure network security > Page 221 · Location 4138

The DDoS Standard tier applies only to IPv6 public IP addresses. The Standard tier is targeted at enterprise customers and is billed at $2,994 per month,

### Highlight (yellow) - Skill 4.2: Describe Azure network security > Page 222 · Location 4158

Once you’ve configured any alerts and monitoring for DDoS Protection, you can simulate a DDoS event using a BreakingPoint Cloud account available at: https://www.ixiacom.com/products/breakingpoint-cloud. This allows you to ensure that your DDoS Protection is protecting you from DDoS attacks.

### Highlight (yellow) - Chapter summary > Page 224 · Location 4202

Here’s a summary of what this chapter covered.

## Chapter 5. Describe identity, governance, privacy, and compliance features

### Highlight (yellow) - Skill 5.1: Describe core Azure identity services > Page 226 · Location 4248

Assuming the user provides the right credentials, that user is authenticated to the application. Once a user is authenticated and begins interacting with an application, additional checks might take place to confirm which actions the user is and isn’t allowed to perform. That process is called authorization

### Highlight (yellow) - Skill 5.1: Describe core Azure identity services > Page 228 · Location 4294

Azure AD B2B (business-to-business) collaboration that allows you to add users who don’t belong to your company. So, you can invite other users from outside of your company to be members of your Azure AD. Those users can then be given access to your resources. Users who are not part of your company are called guest users.

### Highlight (yellow) - Skill 5.1: Describe core Azure identity services > Page 231 · Location 4332

Azure AD B2B allows you to invite guest users to your Azure AD from other businesses. Another AD feature called Azure AD B2C allows you to give users access to Azure AD applications by signing in with existing accounts, such as a Facebook or Google account.

### Highlight (yellow) - Skill 5.1: Describe core Azure identity services > Page 231 · Location 4338

All the Azure AD features we’ve covered so far are included in the free version of Azure AD that everyone with an Azure subscription gets. Azure AD has three other pricing tiers that aren’t free: Office 365 apps, Premium P1, and Premium P2. If you upgrade to one of the Premium plans, you can enable multifactor authentication for your users.

### Highlight (yellow) - Skill 5.1: Describe core Azure identity services > Page 235 · Location 4403

It’s easier to configure MFA using a Conditional Access policy.
Besides ease of use, configuring MFA with Conditional Access also allows you to configure MFA for guest users, something that’s not possible using the site shown in Figure 5-10.

### Highlight (yellow) - Skill 5.1: Describe core Azure identity services > Page 235 · Location 4406

Once a user is required to use MFA, he or she needs to take a second step when logging in to the Azure portal. This can be a prompt from the Microsoft Authenticator app (available for iOS and Android), an SMS message with an access number, a phone call requiring you to enter an access code, or an OAUTH hardware token.

### Highlight (yellow) - Skill 5.1: Describe core Azure identity services > Page 235 · Location 4412

For a device to work with SSO, it must be joined to Azure AD

### Highlight (yellow) - Skill 5.1: Describe core Azure identity services > Page 235 · Location 4420

SSO supports two sign-in methods: password hash synchronization and pass-through authentication

### Highlight (yellow) - Skill 5.2: Describe Azure governance features > Page 237 · Location 4453

There are four elements to RBAC:

Security principal: The security principal represents an identity. It can be a user, a group, an application (which is called a service principal), or a special AAD entity called a managed identity. A managed identity is how you authorize another Azure service to access your Azure resource.

Role: A role (sometimes called a role definition) is what defines how the security principal can interact with an Azure resource. For example, a role might define that a security principal can read the properties of a resource but cannot create new resources or delete existing resources.

Scope: The scope defines the level at which the role is applied, and it specifies how much control the security principal has. For example, if the scope is a resource group, the role defines activities that can be performed on all resources in the resource group.
### Highlight (yellow) - Skill 5.2: Describe Azure governance features > Page 237 · Location 4462

Role assignments: Roles are assigned to a security principal at a particular scope, and that’s what ultimately defines the level of access for the security principal.

### Highlight (blue) - Skill 5.2: Describe Azure governance features > Page 241 · Location 4514

We talked briefly about service principals earlier as they relate to Azure AD applications. Service principals are security principals that specifically represent applications. A security principal that represents a user is called a user principal. The important thing to remember is that both user principals and service principals are forms of a security principal.

### Highlight (yellow) - Skill 5.2: Describe Azure governance features > Page 241 · Location 4518

RBAC is a great way to control access to an Azure resource, but in cases where you just want to prevent changes to a resource, or prevent that resource from being deleted, resource locks (or locks) are a simpler solution. Unlike RBAC, locks apply to everyone with access to the resource.

### Highlight (yellow) - Skill 5.2: Describe Azure governance features > Page 243 · Location 4546

nest locks, and in such situations, the most restrictive lock is the effective lock. For example, if you have a read-only lock on a resource group and a delete lock on a resource in that resource group, the resource will actually have a read-only lock applied to it because a read-only lock is more restrictive. The explicit delete lock will be ineffective.

### Highlight (yellow) - Skill 5.2: Describe Azure governance features > Page 243 · Location 4550

Locks are also inherited by newly created resources. If you apply a delete lock to a resource group and add a new resource to the resource group later, the new resource will automatically inherit the delete lock.
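The lock nesting and inheritance described in these highlights, modelled as an added Python example (not the book's code): a scope chain carries the ARM lock levels CanNotDelete and ReadOnly, the most restrictive lock along the chain is the effective one, and the scope names are constructed.

```python
"""Resolve the effective Azure resource lock for a scope chain.

Added illustration, not code from the book. Azure's two lock levels are
CanNotDelete (the book's "delete lock") and ReadOnly (its "read-only lock").
Locks are inherited down the chain subscription -> resource group -> resource,
and where locks nest the most restrictive one in the chain is the effective lock.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Restrictiveness ranking used when locks nest; the highest rank wins.
LOCK_RANK = {None: 0, "CanNotDelete": 1, "ReadOnly": 2}


@dataclass
class Scope:
    name: str
    parent: Optional["Scope"] = None
    locks: List[str] = field(default_factory=list)  # locks applied directly here

    def effective_lock(self) -> Optional[str]:
        """Walk up to the root scope and keep the most restrictive lock seen."""
        best: Optional[str] = None
        node: Optional[Scope] = self
        while node is not None:
            for level in node.locks:
                if LOCK_RANK[level] > LOCK_RANK[best]:
                    best = level
            node = node.parent
        return best


def is_permitted(scope: Scope, operation: str) -> bool:
    """Locks apply to everyone with access, so RBAC roles are not consulted here."""
    lock = scope.effective_lock()
    if operation == "read":
        return True                      # neither lock level blocks reads
    if operation == "update":
        return lock != "ReadOnly"        # CanNotDelete still allows changes
    if operation == "delete":
        return lock is None              # either lock level blocks deletion
    raise ValueError(f"unknown operation {operation!r}")


def book_scenario() -> dict:
    """Constructed scenario matching the book's nesting and inheritance examples."""
    sub = Scope("constructed-subscription")
    rg = Scope("WebStorefront", parent=sub, locks=["ReadOnly"])
    vm = Scope("vm-web01", parent=rg, locks=["CanNotDelete"])
    # Created after the group lock was applied: inherits it with no lock of its own.
    later_storage = Scope("stlogs01", parent=rg)
    return {
        "vm_effective": vm.effective_lock(),   # ReadOnly wins over the delete lock
        "vm_update": is_permitted(vm, "update"),
        "later_effective": later_storage.effective_lock(),
        "later_delete": is_permitted(later_storage, "delete"),
    }


def delete_lock_scenario() -> dict:
    """A delete lock on the group alone: new resources inherit it but stay editable."""
    rg = Scope("rg-app", locks=["CanNotDelete"])
    db = Scope("sqldb01", parent=rg)
    return {
        "db_effective": db.effective_lock(),
        "db_update": is_permitted(db, "update"),
        "db_delete": is_permitted(db, "delete"),
    }


if __name__ == "__main__":
    print(book_scenario())
    print(delete_lock_scenario())
```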
### Highlight (blue) - Skill 5.2: Describe Azure governance features > Page 245 · Location 4578

You can apply a tag to most Azure resources, not just resource groups. It’s also important to understand that by adding a tag to a resource group, you are not adding that tag to the resources within the resource group. If you have a web app in the WebStorefront resource group, that web app does not inherit the tag that is applied to the resource group.

### Highlight (yellow) - Skill 5.2: Describe Azure governance features > Page 247 · Location 4609

Azure Policy makes it easy to impose a full suite of policies by combining them into a group called an initiative. By defining an initiative, you can easily define complex rules that ensure governance of your company’s policies.

### Highlight (yellow) - Skill 5.2: Describe Azure governance features > Page 250 · Location 4633

Six effects are supported in Azure Policy. However, not all effects are available for built-in policies. The effects are:

### Highlight (yellow) - Skill 5.2: Describe Azure governance features > Page 251 · Location 4653

There’s a lot of risk involved if a company fails to plan carefully, and for that reason, many companies will hire someone with deep technical knowledge of the cloud to help in that planning. Hiring that kind of resource can add a lot of additional expense, and it can also add a lot of time to a project. Azure Blueprints is a service that can make the process of deploying to the cloud easier.
### Highlight (yellow) - Skill 5.2: Describe Azure governance features > Page 251 · Location 4658

Items that you add to a blueprint are called artifacts

### Highlight (yellow) - Skill 5.2: Describe Azure governance features > Page 251 · Location 4663

You might be wondering how blueprints differ from ARM templates

### Highlight (yellow) - Skill 5.2: Describe Azure governance features > Page 251 · Location 4665

Azure maintains a connection between the blueprint and the resources that use the blueprint. That allows companies to iterate on blueprints and improve them. It also makes it much easier for a blueprint to evolve with a company’s needs. Also, blueprints are versioned and can be stored in a source-control system, so tracking of blueprints is easy and effective.

### Highlight (yellow) - Skill 5.2: Describe Azure governance features > Page 256 · Location 4733

As you’ve learned, moving to the cloud isn’t as simple as clicking a few buttons in the Azure portal. There’s considerable planning that must take place, but before any of that planning even starts, it’s important to become educated on how to move to the cloud successfully. You need to learn about things such as best practices, how your cloud apps should be architected, the proper way to migrate resources, setting up governance and policies, and so forth.

### Highlight (yellow) - Skill 5.2: Describe Azure governance features > Page 257 · Location 4739

In an effort to share their vast knowledge with customers, Microsoft created the Cloud Adoption Framework for Azure. The Cloud Adoption Framework brings together all the best practices from Microsoft employees, Microsoft partners, and lessons learned from Microsoft customers. All this information is made available in a comprehensive website. All the information from the framework is neatly organized, and you can even download assets such as an infographic to help you visualize the Cloud Adoption Framework.
You can access the Cloud Adoption Framework by browsing to https://aka.ms/cloudadoptionframework.

### Highlight (yellow) - Skill 5.3: Describe privacy and compliance resources > Page 258 · Location 4772

One way that organizations can ensure they are abiding by the GDPR and other regulations that regulate data is to maintain compliance with industry-wide standards focused on helping organizations keep information secure.

### Highlight (yellow) - Skill 5.3: Describe privacy and compliance resources > Page 259 · Location 4795

You can access both the OST and the DPA on the Licensing Terms page located at http://bit.ly/az900-licensingterms

### Highlight (yellow) - Skill 5.3: Describe privacy and compliance resources > Page 259 · Location 4797

The Trust Center is a web portal where you can learn all about Microsoft’s approach to security, privacy, and compliance

## Chapter 6. Describe Azure pricing, SLAs, and lifecycles

### Highlight (blue) - Skill 6.1: Describe methods for planning and managing costs > Page 266 · Location 4942

As you’re planning your Azure deployments, you should keep in mind the factors that can affect your costs, such as the resource type, how you purchase the resource, the Azure regions you use, and the billing zone your resources are in.

### Highlight (yellow) - Skill 6.1: Describe methods for planning and managing costs > Page 266 · Location 4944

Azure services are billed according to meters associated with a resource. These meters track how much a specific metric has been used by the resource.
For example, there is no charge specifically for an Azure virtual network, and you aren’t charged for network traffic within a virtual network; however, you are charged per gigabyte for traffic into and out of the virtual network from peered virtual networks

### Highlight (yellow) - Skill 6.1: Describe methods for planning and managing costs > Page 266 · Location 4955

Microsoft’s costs for operating Azure services differ by region, even when those regions are within the same geographic boundary. Therefore, your pricing will differ based on which Azure region you use. For example, a VM deployed to the Central US region will cost more than the same VM deployed to the East US region.

### Highlight (yellow) - Skill 6.1: Describe methods for planning and managing costs > Page 267 · Location 4964

It’s also important to keep in mind that you’re not charged for network traffic into an Azure datacenter, but you are charged for network traffic out of a datacenter. However, your first 5GB of outbound data is free. After that point, you are charged a set amount on a tiered model.

### Highlight (yellow) - Skill 6.1: Describe methods for planning and managing costs > Page 268 · Location 4987

If you regularly find that you use VMs month over month, you can save substantially by using Azure Reservations

### Highlight (yellow) - Thought experiment answers > Page 285 · Location 5264

To get an estimated price on how much their resources will cost, ContosoPharm can use the pricing calculator.

### Highlight (yellow) - Thought experiment answers > Page 285 · Location 5266

To determine how much money ContosoPharm can save by moving to the cloud, the IT director can use the total cost of ownership (TCO) calculator

### Highlight (yellow) - Thought experiment answers > Page 286 · Location 5269

To monitor costs in an ongoing way and report on what might be causing them to go over budget, ContosoPharm can use Azure Cost Management