AZ-900
Microsoft Azure Fundamentals
The Microsoft Azure Fundamentals (AZ-900) certification validates foundational knowledge of cloud services and how those services are provided with Microsoft Azure. This exam is designed for candidates who are just beginning to work with cloud-based solutions and services, or who are new to Azure. It is an optional first step in learning how cloud services are delivered on Azure.
This certification covers three key knowledge areas: Cloud Concepts (25-30%), Azure Architecture and Services (35-40%), and Azure Management and Governance (30-35%). Candidates should understand general cloud concepts including high availability, scalability, elasticity, agility, fault tolerance, and disaster recovery. They should be familiar with core Azure services across compute, networking, storage, and databases, as well as Azure identity, access, and security solutions.
The AZ-900 is ideal for individuals in non-technical roles (sales, purchasing, marketing) as well as technical roles (IT professionals, developers, database administrators) who want to validate their foundational knowledge of cloud services. It requires no prerequisites and serves as a foundation for other Azure certifications.
AZ-900 Practice Exam 1
Comprehensive Azure Fundamentals practice exam covering cloud concepts, Azure architecture and services, and Azure management and governance across 50 questions.
AZ-900 Practice Exam 2
Azure Fundamentals practice exam with scenario-based questions on cloud models, Azure services, and governance across 50 questions.
AZ-900 Practice Exam 3
Comprehensive practice exam covering cloud concepts, Azure architecture and services, and Azure management and governance across 50 foundational-level questions.
AZ-900 Practice Exam 4
Comprehensive practice exam covering cloud concepts, Azure architecture, management and governance, and core Azure services across 50 foundational-level questions.
AZ-900 Practice Exam 5
Comprehensive practice exam covering Microsoft Azure fundamentals including cloud concepts, Azure architecture, management and governance across 50 foundational-level questions.
AZ-900 Practice Exam 6
Comprehensive practice exam covering Microsoft Azure fundamentals including cloud concepts, Azure architecture, core services, security, identity, governance, pricing, and support across 50 foundational-level questions.
AZ-900 Cheat Sheet
Quick reference guide - 4 sections
Microsoft Azure Fundamentals (AZ-900)
The AZ-900 exam validates your foundational knowledge of cloud concepts, core Azure services, Azure management and governance tools, and Azure pricing and support. This entry-level certification is designed for candidates who are new to cloud computing or Azure and want to demonstrate a broad understanding of the platform. No technical IT experience is required, though general IT knowledge is helpful. The AZ-900 is the starting point of the Microsoft Azure certification path and is a prerequisite for pursuing role-based Azure certifications at the Associate and Expert levels. The exam covers what cloud computing is, why organizations adopt it, and how Azure implements cloud services across compute, networking, storage, databases, identity, security, and governance.
Exam Details
| Detail | Value |
|---|---|
| Exam Code | AZ-900 |
| Duration | 65 minutes |
| Number of Questions | 40-60 questions |
| Passing Score | 700 / 1000 |
| Cost | $99 USD |
| Validity | No expiration (Fundamentals certifications do not expire) |
| Question Types | Multiple choice, multiple select, drag-and-drop, yes/no statement sets |
| Testing Options | Pearson VUE testing center or online proctored |
| Recommended Experience | No prerequisites; general IT knowledge helpful |
| Certification Level | Fundamentals |
Domain Weights
| Domain | Weight |
|---|---|
| Domain 1: Describe Cloud Concepts | 25-30% |
| Domain 2: Describe Azure Architecture and Services | 35-40% |
| Domain 3: Describe Azure Management and Governance | 30-35% |
Microsoft Certification Path
The AZ-900 is the Fundamentals-level certification in the Microsoft Azure certification track. It provides a broad foundation for understanding Azure cloud services and is the recommended starting point before pursuing role-based certifications. After earning AZ-900, candidates can progress to Associate-level certifications such as AZ-104 (Azure Administrator), AZ-204 (Azure Developer), AZ-500 (Azure Security Engineer), DP-300 (Azure Database Administrator), or AZ-700 (Azure Network Engineer). From there, Expert-level certifications include AZ-305 (Azure Solutions Architect Expert) and AZ-400 (Azure DevOps Engineer Expert). There are also Specialty certifications for niche areas like AI, IoT, and SAP workloads.
Unlike Associate and Expert certifications, Fundamentals certifications do not expire and never require renewal. The exam is suitable for non-technical professionals including sales, procurement, and management roles who need to understand cloud terminology and Azure capabilities. It is also frequently offered for free at Microsoft-sponsored events and virtual training days.
Study Tips
- Domain 2 (Azure Architecture and Services) carries the heaviest weight at 35-40%; dedicate the most study time to understanding core compute, networking, storage, and identity services
- Focus on understanding concepts rather than memorizing CLI commands; AZ-900 tests what services do and when to use them, not how to configure them at a technical level
- Know the differences between IaaS, PaaS, and SaaS cold; be able to classify any Azure service into the correct service model and understand the shared responsibility implications
- Understand the Azure resource hierarchy thoroughly: management groups contain subscriptions, subscriptions contain resource groups, and resource groups contain resources; this hierarchy is tested frequently
- Cost management questions are common; know how Azure Reservations, Spot VMs, Hybrid Benefit, and the Pricing Calculator work together to optimize spending
- Microsoft Entra ID (formerly Azure Active Directory) is a key topic; understand authentication, authorization, MFA, Conditional Access, and SSO at a conceptual level
- Practice with the free Microsoft Learn modules; they cover every AZ-900 domain and include hands-on sandboxes for exploring Azure services without cost
Exam Day Checklist
- Arrive 15 minutes early for testing center or start your online proctored check-in 30 minutes before the scheduled time
- Bring two forms of valid identification (one with photo) for testing center; clear your workspace for online proctoring
- You have 65 minutes for 40-60 questions, giving you approximately 1-1.5 minutes per question
- Some question sets cannot be revisited once answered (yes/no statement blocks); read these carefully before confirming
- Your score is calculated on a scale of 100-1000; you need 700 to pass
- Results are available immediately after completing the exam; your score report shows performance by domain area
- If you do not pass, you can retake after 24 hours; there is no limit on the number of attempts
- Request accommodations in advance if English is not your first language (extra 30 minutes available for non-native speakers)
Benefits of Cloud Computing
| Benefit | Description |
|---|---|
| High Availability | Resources remain accessible even during failures; Azure guarantees uptime through SLAs (e.g., 99.99% for multi-region deployments); achieved through redundancy across availability zones and regions |
| Scalability | Ability to add or remove resources to match demand; vertical scaling (scale up/down) adds more CPU/RAM to existing resources; horizontal scaling (scale out/in) adds or removes instances |
| Elasticity | Automatic scaling based on real-time demand; resources expand during peak usage and contract during low usage; ensures you never over-provision or under-provision; closely related to auto-scaling features |
| Agility | Ability to deploy and configure cloud resources quickly; new environments can be provisioned in minutes rather than weeks; enables rapid experimentation and iteration on solutions |
| Disaster Recovery | Ability to recover from catastrophic failures using geo-distributed backups and replication; Azure Site Recovery, geo-redundant storage, and multi-region architectures minimize data loss and downtime |
| Fault Tolerance | System continues operating correctly even when components fail; built-in redundancy at hardware, network, and software levels; availability zones provide independent power, cooling, and networking within a region |
Cloud Service Types Comparison
| Aspect | IaaS | PaaS | SaaS |
|---|---|---|---|
| Definition | Infrastructure as a Service; rent raw compute, storage, and networking | Platform as a Service; managed platform for deploying applications | Software as a Service; fully managed software accessible via browser |
| Azure Examples | Azure Virtual Machines, Azure Disk Storage, Azure Virtual Network | Azure App Service, Azure SQL Database, Azure Functions | Microsoft 365, Dynamics 365, Microsoft Teams |
| You Manage | OS, runtime, middleware, applications, data | Applications and data only | Data and access configuration only |
| Cloud Provider Manages | Physical hardware, network, hypervisor | Physical hardware, network, OS, runtime, middleware | Everything (full stack) |
| Flexibility | Most flexible; full control over infrastructure | Moderate; focus on app development without managing infrastructure | Least flexible; limited to application configuration |
| Use Case | Lift-and-shift migrations, custom environments, dev/test | Web apps, APIs, microservices, analytics pipelines | Email, collaboration, CRM, ERP |
Shared Responsibility Model
The shared responsibility model defines which security tasks are handled by the cloud provider and which are the customer's responsibility. The division shifts depending on the service type (IaaS, PaaS, or SaaS).
| Responsibility | IaaS | PaaS | SaaS |
|---|---|---|---|
| Information & Data | Customer | Customer | Customer |
| Devices (Mobile & PCs) | Customer | Customer | Customer |
| Accounts & Identities | Customer | Customer | Customer |
| Identity & Directory Infrastructure | Customer | Shared | Shared |
| Applications | Customer | Shared | Microsoft |
| Network Controls | Customer | Shared | Microsoft |
| Operating System | Customer | Microsoft | Microsoft |
| Physical Hosts / Network / Datacenter | Microsoft | Microsoft | Microsoft |
Key Takeaway: The customer is always responsible for their data, devices, and accounts regardless of cloud service type. As you move from IaaS to PaaS to SaaS, more responsibility shifts to the cloud provider. Physical infrastructure is always Microsoft's responsibility.
Cloud Deployment Models
| Model | Description | Pros | Cons |
|---|---|---|---|
| Public Cloud | Resources owned and operated by a third-party cloud provider (e.g., Azure); delivered over the internet; shared infrastructure across multiple tenants | No capital expenditure; pay-as-you-go; rapid provisioning; global scale; no hardware maintenance | Less control over infrastructure; potential compliance challenges; shared tenancy concerns |
| Private Cloud | Cloud environment dedicated to a single organization; can be hosted on-premises or by a third party; organization has full control | Complete control; full customization; meets strict regulatory and compliance requirements; dedicated resources | Higher cost; requires IT expertise to maintain; less elastic; hardware procurement delays |
| Hybrid Cloud | Combination of public and private clouds connected together; allows data and applications to move between environments; provides maximum flexibility | Best of both worlds; keep sensitive workloads on-premises; burst to public cloud for peak demand; gradual migration path | Complex to set up and manage; requires network integration; potential latency between environments |
CapEx vs OpEx
| Aspect | Capital Expenditure (CapEx) | Operational Expenditure (OpEx) |
|---|---|---|
| Definition | Upfront spending on physical infrastructure | Ongoing spending on services and products as needed |
| Payment Model | Large upfront investment; depreciated over time | Pay-as-you-go; billed monthly based on usage |
| Examples | Buying servers, storage arrays, network equipment, building data centers | Azure VM usage, storage consumption, bandwidth charges, SaaS subscriptions |
| Cloud Relevance | Traditional on-premises model; private cloud | Public cloud model; consumption-based pricing |
Exam Tip: Cloud computing shifts spending from CapEx to OpEx. The consumption-based model means you only pay for what you use, there is no wasted capacity, and you can stop paying for resources you no longer need. This is one of the most frequently tested concepts on AZ-900.
Consumption-Based Pricing Model
- No upfront costs: No need to purchase and manage costly infrastructure before you need it; eliminates the risk of over-provisioning or under-provisioning
- Pay for what you use: Billing is based on actual consumption of compute, storage, and network resources; stop using a resource and billing stops immediately
- Stop paying when you stop using: Deallocate or delete resources to eliminate charges; no ongoing maintenance costs for idle infrastructure
- Predictable costs with budgets: Azure Cost Management allows setting budgets and alerts to prevent unexpected spending; tags help track costs by department, project, or environment
- Economies of scale: Cloud providers purchase hardware at massive scale, passing savings to customers; costs decrease over time as providers optimize their infrastructure and pass efficiencies forward
Azure Global Infrastructure
| Concept | Description |
|---|---|
| Regions | 60+ geographic locations worldwide; each region contains one or more data centers connected with low-latency networking; you choose a region to deploy resources close to your users for performance and to meet data residency requirements |
| Availability Zones | Physically separate data centers within an Azure region; each zone has independent power, cooling, and networking; minimum of 3 zones per enabled region; protects against data center-level failures; provides 99.99% VM SLA when deployed across zones |
| Region Pairs | Each Azure region is paired with another region within the same geography (at least 300 miles apart); provides automatic replication for some services; during widespread outages, one region from each pair is prioritized for recovery; platform updates are rolled out sequentially across pairs |
| Sovereign Regions | Isolated Azure instances for specific government or compliance needs; Azure Government (US) and Azure China (21Vianet) are physically and logically separated from the main Azure network |
Azure Resource Hierarchy
| Level | Description | Key Facts |
|---|---|---|
| Management Groups | Top-level containers that organize subscriptions into a hierarchy | Up to 6 levels of depth; policies and RBAC applied here inherit down to all subscriptions and resources below; root management group exists by default |
| Subscriptions | Billing boundary and access control boundary for Azure resources | Each subscription gets a separate bill; common to create separate subscriptions for dev/test/prod or for different departments; resource limits are per subscription |
| Resource Groups | Logical containers that hold related Azure resources | Every resource must belong to exactly one resource group; cannot be nested; deleting a resource group deletes all resources inside; resources in a group can span different regions |
| Resources | Individual Azure services you create and use (VMs, databases, storage accounts, etc.) | The actual building blocks; each resource has a unique resource ID; can be moved between resource groups; supports tagging for organization |
Compute Services
| Service | Type | Description & Use Case |
|---|---|---|
| Azure Virtual Machines | IaaS | Full control over OS and software; ideal for lift-and-shift migrations; supports Windows and Linux; scale sets for auto-scaling groups of identical VMs |
| Azure App Service | PaaS | Fully managed platform for web apps, APIs, and mobile backends; supports .NET, Java, Node.js, Python, PHP; built-in auto-scaling, CI/CD integration, and custom domains |
| Azure Container Instances | PaaS | Run containers without managing servers; fastest and simplest way to run a container in Azure; per-second billing; ideal for simple containerized workloads and burst scenarios |
| Azure Kubernetes Service (AKS) | PaaS | Managed Kubernetes container orchestration; handles complex multi-container architectures; auto-scaling, self-healing, load balancing; free control plane, pay only for worker nodes |
| Azure Functions | PaaS (Serverless) | Event-driven, serverless compute; runs code in response to triggers (HTTP, timer, queue, blob); pay only per execution; auto-scales to zero; ideal for microservices and automation tasks |
| Azure Virtual Desktop | IaaS/PaaS | Desktop and app virtualization in the cloud; multi-session Windows 11/10; integrates with Microsoft 365; ideal for remote work, BYOD, and secure access to corporate applications |
Networking Services
| Service | Description & Use Case |
|---|---|
| Azure Virtual Network (VNet) | Fundamental building block for private networks in Azure; enables Azure resources to communicate securely with each other, the internet, and on-premises networks; uses subnets to segment the address space; VNet peering connects VNets across regions |
| Azure VPN Gateway | Sends encrypted traffic between Azure VNets and on-premises networks over the public internet (site-to-site) or from individual devices (point-to-site); uses IPsec/IKE protocols; cost-effective hybrid connectivity option |
| Azure ExpressRoute | Private dedicated connection between on-premises and Azure that does not traverse the public internet; provides higher bandwidth (up to 100 Gbps), lower latency, and more reliability than VPN; established through a connectivity provider |
| Azure Load Balancer | Layer 4 (TCP/UDP) load balancer; distributes incoming traffic across VMs; supports both public (internet-facing) and internal (private) load balancing; health probes detect unhealthy instances |
| Azure Application Gateway | Layer 7 (HTTP/HTTPS) load balancer; URL-based routing, SSL termination, cookie-based session affinity; includes Web Application Firewall (WAF) for OWASP protection |
| Azure Front Door | Global Layer 7 load balancer with CDN, WAF, and DDoS protection; routes users to the nearest application backend; SSL offloading and URL-based routing at the global edge |
| Azure CDN | Content Delivery Network; caches static content at edge locations worldwide; reduces latency by serving content from the nearest point of presence (POP) to the user |
| Azure Firewall | Managed cloud-based network security service; stateful firewall as a service; built-in high availability; supports application and network-level filtering rules; integrates with Azure Monitor for logging |
| Network Security Groups (NSG) | Filter network traffic to and from Azure resources in a VNet; contain inbound and outbound security rules based on source/destination IP, port, and protocol; applied to subnets or individual NICs |
| Azure DDoS Protection | Basic tier included free with all Azure services; Standard tier provides enhanced mitigation for VNet resources with adaptive tuning, attack analytics, and cost protection guarantees |
Storage Services
| Service | Description |
|---|---|
| Azure Blob Storage | Object storage for unstructured data (images, videos, documents, backups); three blob types: Block blobs (files up to 190.7 TB), Append blobs (optimized for append operations like logging), Page blobs (random read/write, used for VM disks) |
| Azure Files | Fully managed file shares accessible via SMB and NFS protocols; can be mounted by cloud or on-premises deployments; replaces or supplements on-premises file servers; supports Azure File Sync for caching |
| Azure Table Storage | NoSQL key-value store for semi-structured data; massively scalable; ideal for flexible datasets like user data, address books, and device information; schemaless design |
| Azure Queue Storage | Message queuing for asynchronous communication between application components; each queue can hold millions of messages (up to 64 KB each); enables decoupling of frontend and backend processing |
Storage Access Tiers
| Tier | Access Pattern | Storage Cost | Access Cost | Use Case |
|---|---|---|---|---|
| Hot | Frequently accessed | Highest | Lowest | Active data, web content, data in active processing |
| Cool | Infrequently accessed (stored 30+ days) | Lower | Higher | Short-term backups, older data still occasionally accessed |
| Cold | Rarely accessed (stored 90+ days) | Even lower | Even higher | Long-term data retention with rare access needs |
| Archive | Rarely accessed (stored 180+ days) | Lowest | Highest (hours to rehydrate) | Long-term compliance, regulatory archives; data must be rehydrated before access (takes hours) |
Storage Redundancy Options
| Redundancy | Copies | Scope | Durability (nines) |
|---|---|---|---|
| LRS (Locally Redundant) | 3 copies | Single data center in one region | 11 nines (99.999999999%) |
| ZRS (Zone Redundant) | 3 copies | Across 3 availability zones in one region | 12 nines (99.9999999999%) |
| GRS (Geo-Redundant) | 6 copies | 3 in primary region (LRS) + 3 in secondary region (LRS) | 16 nines (99.99999999999999%) |
| RA-GRS (Read-Access Geo-Redundant) | 6 copies | Same as GRS + read access to secondary region | 16 nines |
| GZRS (Geo-Zone-Redundant) | 6 copies | 3 across zones in primary (ZRS) + 3 in secondary (LRS) | 16 nines |
| RA-GZRS (Read-Access Geo-Zone-Redundant) | 6 copies | Same as GZRS + read access to secondary region | 16 nines; highest availability and durability |
Database Services
| Service | Type | Description |
|---|---|---|
| Azure Cosmos DB | NoSQL (Multi-model) | Globally distributed, multi-model database; supports document, key-value, graph, and column-family data models; single-digit millisecond latency; 99.999% SLA for multi-region; five consistency levels |
| Azure SQL Database | Relational (PaaS) | Fully managed SQL Server database engine; built-in intelligence for performance tuning; automatic backups, patching, and high availability; serverless compute tier available |
| Azure Database for PostgreSQL | Relational (PaaS) | Managed PostgreSQL with built-in HA; Flexible Server deployment option; supports extensions and community PostgreSQL |
| Azure Database for MySQL | Relational (PaaS) | Managed MySQL with built-in HA and automated backups; Flexible Server deployment option; community MySQL compatible |
Identity and Access
| Concept | Description |
|---|---|
| Microsoft Entra ID (Azure AD) | Cloud-based identity and access management service; provides authentication and authorization for Azure resources, Microsoft 365, and thousands of SaaS applications; supports users, groups, service principals, and managed identities; formerly known as Azure Active Directory |
| Multi-Factor Authentication (MFA) | Requires two or more verification methods: something you know (password), something you have (phone/token), something you are (biometrics); dramatically reduces risk of compromised accounts |
| Conditional Access | Policy-based access control that evaluates signals (user, location, device, application, risk level) and enforces access decisions (allow, block, or require MFA); if-then policy engine for Zero Trust security |
| Single Sign-On (SSO) | Users authenticate once and access multiple applications without re-entering credentials; reduces password fatigue; supports SAML, OAuth, and OpenID Connect protocols; simplifies the user experience |
| Azure Marketplace | Online store for purchasing and deploying third-party solutions certified to run on Azure; includes virtual machine images, SaaS applications, developer tools, and consulting services; solutions are billed through the Azure subscription |
Cost Management Tools
| Tool | Purpose | Key Features |
|---|---|---|
| Azure Cost Management | Monitor, analyze, and optimize Azure spending | Cost analysis dashboards, budget alerts, recommendations, export data to storage; included free with Azure subscriptions |
| Azure Pricing Calculator | Estimate costs before deploying resources | Configure Azure services and see estimated monthly costs; adjust regions, tiers, and quantities; share and export estimates; does NOT show actual usage costs |
| Total Cost of Ownership (TCO) Calculator | Compare on-premises costs vs Azure costs | Input current on-premises infrastructure details; generates a comparison report showing potential savings over 1-5 years when migrating to Azure; useful for business cases |
Cost Optimization Strategies
| Strategy | Description | Savings |
|---|---|---|
| Azure Reservations | Commit to 1 or 3-year term for VMs, databases, and other services; significant discount vs pay-as-you-go pricing | Up to 72% savings |
| Azure Spot VMs | Use unused Azure capacity at steep discounts; VMs can be evicted when Azure needs the capacity back; ideal for fault-tolerant workloads like batch processing, dev/test, and rendering | Up to 90% savings |
| Azure Hybrid Benefit | Use existing on-premises Windows Server or SQL Server licenses with Software Assurance in Azure; avoid paying for the license component again in the cloud | Up to 85% savings (combined with Reservations) |
| Right-sizing | Select the appropriate VM size and service tier for your workload; Azure Advisor provides recommendations to resize or shut down underutilized resources | Varies; eliminates waste from over-provisioning |
Management Tools
| Tool | Type | Description |
|---|---|---|
| Azure Portal | GUI (Web) | Web-based graphical interface for managing all Azure resources; intuitive visual dashboards; customizable; best for exploring and learning Azure; no installation required |
| Azure CLI | CLI | Cross-platform command-line tool using Bash-style commands (e.g., az vm create); available on Windows, macOS, Linux; scriptable for automation; ideal for developers comfortable with Bash |
| Azure PowerShell | CLI | PowerShell module for managing Azure resources using cmdlets (e.g., New-AzVM); available on Windows, macOS, Linux via PowerShell Core; preferred by Windows administrators |
| Azure Cloud Shell | Browser-based CLI | Browser-accessible shell with pre-installed Azure CLI and PowerShell; requires an Azure storage account for persistence; no local installation needed; available directly from the Azure Portal |
| ARM Templates | IaC (JSON) | Azure Resource Manager templates written in JSON; declarative Infrastructure as Code; define what resources to deploy without specifying the step-by-step process; idempotent deployments; version-controllable |
| Bicep | IaC (DSL) | Domain-specific language that compiles to ARM templates; simpler and more readable syntax than JSON; native Azure IaC tool; modules for reusability; transparent compilation to standard ARM |
Governance Tools
| Tool | Description |
|---|---|
| Azure Policy | Enforce organizational standards and assess compliance at scale; create policy definitions that define rules (e.g., allowed VM sizes, required tags, allowed regions); policy effects include Deny (block non-compliant resources), Audit (log non-compliance), Append (add configurations), and DeployIfNotExists (auto-remediate by deploying missing resources); policies can be grouped into initiatives |
| Azure Blueprints | Package of ARM templates, policies, RBAC assignments, and resource groups into a repeatable, auditable deployment; enables quick provisioning of governed environments; maintains relationship between blueprint and deployed resources for tracking and auditing |
| Resource Locks | Prevent accidental modification or deletion of critical resources; two lock types: CanNotDelete (can read and modify but cannot delete) and ReadOnly (can read only, cannot modify or delete); locks are inherited from parent scopes; even Owners must remove the lock before performing the blocked action |
Role-Based Access Control (RBAC)
| Built-in Role | Permissions |
|---|---|
| Owner | Full access to all resources including the ability to assign roles to others via RBAC; highest privilege level |
| Contributor | Can create and manage all types of Azure resources but cannot grant access to others; same as Owner minus RBAC management |
| Reader | Can view existing Azure resources but cannot make any changes or grant access; read-only access |
Scope Levels: RBAC roles can be assigned at four levels, and permissions inherit downward: Management Group → Subscription → Resource Group → Resource. A role assigned at the subscription level applies to all resource groups and resources within that subscription.
Tags
- Purpose: Key-value pairs attached to resources for organizing, categorizing, and tracking costs; examples include Environment:Production, Department:Finance, CostCenter:12345, Owner:TeamAlpha
- No Inheritance: Tags are NOT inherited from parent scopes; a tag on a resource group is NOT automatically applied to resources within it; use Azure Policy to enforce tagging rules and auto-apply tags
- Best Practices: Define a consistent tagging strategy; use Azure Policy to require specific tags on resources; tags are essential for cost allocation, operational management, and compliance reporting
- Limits: Each resource can have up to 50 tag name-value pairs; tag names are limited to 512 characters; tag values are limited to 256 characters (128 for storage accounts)
Monitoring Services
| Service | Description |
|---|---|
| Azure Monitor | Comprehensive monitoring platform for collecting, analyzing, and acting on telemetry; collects metrics (numerical time-series data) and logs (detailed diagnostic data); set up alerts to notify or auto-remediate based on conditions; visualize data with dashboards and workbooks |
| Application Insights | Application performance management (APM) feature of Azure Monitor; monitors live web applications; detects performance anomalies, request failures, and dependency issues; provides application map, smart detection, and usage analytics |
| Log Analytics | Tool within Azure Monitor for writing and running log queries using Kusto Query Language (KQL); query data from Azure Monitor logs, Application Insights, and other sources; essential for troubleshooting and deep analysis |
| Azure Service Health | Personalized dashboard showing the health of Azure services affecting your resources; three components: Azure Status (global Azure health), Service Health (services and regions you use), and Resource Health (health of your specific resources); set up alerts for incidents and planned maintenance |
Azure Advisor
Azure Advisor is a free, personalized cloud consultant that analyzes your Azure usage and provides actionable recommendations across five pillars:
| Pillar | Example Recommendations |
|---|---|
| Reliability | Enable soft delete on key vaults; add availability zones to VMs; configure geo-redundancy for critical databases |
| Security | Enable MFA for all users; remediate security vulnerabilities; configure NSG rules to restrict access; powered by Microsoft Defender for Cloud recommendations |
| Cost | Right-size or shut down underutilized VMs; purchase reservations for consistent workloads; delete unattached disks and unused public IPs |
| Operational Excellence | Create service health alerts; configure diagnostic settings; follow Azure deployment best practices; fix subscription-level configuration issues |
| Performance | Optimize SQL database performance; improve application load times; use caching where appropriate; upgrade to premium storage for high-IOPS workloads |
Compliance and Security
| Service / Resource | Description |
|---|---|
| Microsoft Trust Center | Central resource for information about Microsoft's security, privacy, and compliance practices; details how Microsoft protects data; documents compliance certifications (ISO, SOC, GDPR, HIPAA, etc.) |
| Microsoft Purview | Unified data governance and compliance platform; data catalog for discovering and classifying data assets across your entire data estate; sensitivity labels, data loss prevention, and information protection; formerly Azure Purview |
| Microsoft Defender for Cloud | Cloud security posture management (CSPM) and cloud workload protection platform (CWPP); provides secure score to measure security posture; continuous assessment and security recommendations; threat protection for Azure, hybrid, and multi-cloud resources |
Service Level Agreements (SLA) Reference
| SLA Percentage | Downtime per Year | Downtime per Month |
|---|---|---|
| 99.9% | 8.76 hours | 43.8 minutes |
| 99.95% | 4.38 hours | 21.9 minutes |
| 99.99% | 52.56 minutes | 4.38 minutes |
| 99.999% | 5.26 minutes | 26.3 seconds |
- Composite SLA: When combining multiple services, multiply their SLAs together; for example, 99.9% x 99.9% = 99.8%; adding more components generally decreases the composite SLA
- Increasing SLA: Add redundancy and failover to increase overall availability; deploying across availability zones or regions improves the composite SLA by reducing single points of failure
- Free services have no SLA: Services with no SLA include Azure Advisor, Azure Policy, Azure DevTest Labs free tier, and preview services; free-tier services do not guarantee uptime
- SLA Credits: If Azure fails to meet the guaranteed SLA, customers can claim service credits as a percentage of their monthly bill; higher downtime results in higher credit percentages