AZ-900 - Terms
stateful (the default) Functions
(Called Durable Functions.) A context is passed through the function to track prior activity.
Azure Virtual Desktop
A *desktop and application virtualization service* that runs on the cloud. It enables your users to use a cloud-hosted version of Windows from any location via a web browser. Azure Virtual Desktop works with devices like Windows, Mac, iOS, Android, and Linux.
- Supports individual ownership through personal desktops.
- You can use your own licenses.
- Simplified management.
Azure Blobs
A massively scalable object store for text and binary data. Blob Storage is an object storage solution for the cloud. It can store massive amounts of data, such as text or binary data. Blob Storage is unstructured, meaning that there are no restrictions on the kinds of data it can hold. It can manage thousands of simultaneous uploads, massive amounts of video data, and constantly growing log files, and it can be reached from anywhere with an internet connection.
Azure Queues
A messaging store for reliable messaging between application components.
Azure DNS
Allows you to host your DNS domains in Azure. It provides the ability to create and manage the DNS records for your domain and provides name servers, which answer DNS queries for your domain from other users on the Internet. You can manage your DNS records using the same credentials, APIs, tools, and billing as your other Azure services.
Device management
Along with accounts for individual people, Azure AD supports the registration of devices. Registration enables devices to be managed through tools like Microsoft Intune. Device management also allows for device-based Conditional Access policies that restrict access attempts to only those coming from known devices, regardless of the requesting user account.
Azure Web Apps
App Service includes full support for hosting web apps by using ASP.NET, ASP.NET Core, Java, Ruby, Node.js, PHP, or Python. You can choose either Windows or Linux as the host operating system.
Familiar programmability
Applications running in Azure can access data in the share via file system I/O APIs. Developers can therefore leverage their existing code and skills to migrate existing applications. In addition to System IO APIs, you can use Azure Storage Client Libraries or the Azure Storage REST API.
Archive access tier
Appropriate for data that is rarely accessed and stored for at least 180 days, with flexible latency requirements (for example, long-term backups).
Archive storage
Stores data offline and offers the lowest storage costs.
Azure AD provides services such as
- Authentication
- Single sign-on
- Application management
- Device management
Azure Container Instances
Azure Container Instances offers the fastest and simplest way to run a container in Azure without having to manage any virtual machines or adopt any additional services. It is a PaaS offering that allows you to upload your containers, which it will run for you.
Resiliency
Azure Files has been built from the ground up to always be available. Replacing on-premises file shares with Azure Files means you don't have to wake up in the middle of the night to deal with local power outages or network issues.
Defender for Cloud helps you detect threats across
- Azure PaaS services
- Azure data services
- Networks
Access control boundary
Azure applies access-management policies at the subscription level, and you can create separate subscriptions to reflect different organizational structures. An example is that within a business, you have different departments to which you apply distinct Azure subscription policies. This billing model allows you to manage and control access to the resources that users provision with specific subscriptions.
Fully managed
Azure file shares can be created without the need to manage hardware or an OS. This means you don't have to deal with patching the server OS with critical security upgrades or replacing faulty hard disks.
Shared access
Azure file shares support the industry standard SMB and NFS protocols, meaning you can seamlessly replace your on-premises file shares with Azure file shares without worrying about application compatibility.
There are two types of subscription boundaries that you can use
- Billing boundary
- Access control boundary
Azure Disks
Block-level storage volumes for Azure VMs.
Active/standby
By default, VPN gateways are deployed as two instances in an active/standby configuration. The standby instance automatically assumes responsibility for connections without any user intervention.
Fault Domain
By default, an availability set will split your VMs across up to three fault domains. This helps protect against a physical power or networking failure by having VMs in different fault domains (thus being connected to different power and networking resources).
ExpressRoute supports four models that you can use to connect your on-premises network to the Microsoft cloud:
- CloudExchange colocation
- Point-to-point Ethernet connection
- Any-to-any connection
- Directly from ExpressRoute sites
Business to business (B2B) collaboration
Collaborate with external users by letting them use their preferred identity to sign in to your Microsoft applications or other enterprise applications (SaaS apps, custom-developed apps, etc.). B2B collaboration users are represented in your directory, typically as guest users.
Use a route-based VPN gateway if you need:
- Connections between virtual networks
- Point-to-site connections
- Multisite connections
- Coexistence with an Azure ExpressRoute gateway
geo-zone-redundant storage (GZRS)
Copies your data synchronously across three Azure availability zones in the primary region using ZRS. It then copies your data asynchronously to a single physical location in the secondary region. Within the secondary region, your data is copied synchronously three times using LRS.
Data in the cool access tier
Can tolerate slightly lower availability.
Defender for Cloud - Azure PaaS services
Detect threats targeting Azure services including Azure App Service, Azure SQL, Azure Storage Account, and more data services. You can also perform anomaly detection on your Azure activity logs using the native integration with Microsoft Defender for Cloud Apps.
Built-in redundancy
Each connectivity provider uses redundant devices to ensure that connections established with Microsoft are highly available. You can configure multiple circuits to complement this feature.
You might choose to create additional subscriptions to separate
- Environments
- Organizational structures
- Billing
B2B direct connect
Establish a mutual, two-way trust with another Azure AD organization for seamless collaboration. B2B direct connect currently supports Teams shared channels, enabling external users to access your resources from within their home instances of Teams. B2B direct connect users aren't represented in your directory, but they're visible from within the Teams shared channel and can be monitored in Teams admin center reports.
ExpressRoute failover
ExpressRoute circuits have resiliency built in. In high-availability scenarios, where there's risk associated with an outage of an ExpressRoute circuit, you can also provision a VPN gateway that uses the internet as an alternative method of connectivity.
Dynamic Routing
ExpressRoute uses the Border Gateway Protocol (BGP). BGP is used to exchange routes between on-premises networks and resources running in Azure.
Azure Storage offers different access tiers for your blob storage
- Hot access tier
- Cool access tier
- Archive access tier
Hot, cool, and archive tiers
Can be set at the blob level, during or after upload.
Route-based gateways
IPSec tunnels are modeled as a network interface or virtual tunnel interface. IP routing (either static routes or dynamic routing protocols) decides which one of these tunnel interfaces to use when sending each packet. Route-based VPNs are the preferred connection method for on-premises devices. They're more resilient to topology changes such as the creation of new subnets.
Active/active
In this configuration, you assign a unique public IP address to each instance. You then create separate tunnels from the on-premises device to each IP address.
ExpressRoute
Lets you extend your on-premises networks into the Microsoft cloud over a private connection facilitated by a connectivity provider. You can establish connections to Microsoft cloud services, such as Microsoft Azure, Office 365, and Dynamics 365. This improves the security of your on-premises communication by sending this traffic over the private circuit instead of over the public internet. You don't need to allow access to these services for your end users over the public internet, and you can send this traffic through appliances for further traffic inspection.
management groups
Manage access policies and compliance for the different subscriptions.
* All subscriptions under the management group inherit the policies from the parent management group (hierarchically).
* Supports 6 levels of depth and 10,000 groups.
* Each management group and subscription can support only one parent.
Your storage account name must be unique within Azure.
No two storage accounts can have the same name. This supports the ability to have a unique, accessible namespace in Azure.
Only the hot and cool access tiers
Can be set at the account level.
Cool access tier
Optimized for data that is infrequently accessed and stored for at least 30 days (for example, invoices for your customers).
Hot access tier
Optimized for storing data that is accessed frequently (for example, images for your website)
Disk storage
Also called Azure managed disks: block-level storage volumes managed by Azure for use with Azure VMs. Conceptually, they're the same as a physical disk, but they're virtualized, offering greater resiliency and availability than a physical disk. With managed disks, all you have to do is provision the disk, and Azure will take care of the rest.
Azure App Service
Platform-as-a-service (PaaS) offering in Azure that is designed to host enterprise-grade web-oriented applications. You can meet rigorous performance, scalability, security, and compliance requirements while using a fully managed platform to perform infrastructure maintenance.
Three mechanisms for you to achieve virtual network connectivity
- Point-to-site virtual private network
- Site-to-site virtual private networks
- Azure ExpressRoute
Scripting and tooling
PowerShell cmdlets and Azure CLI can be used to create, mount, and manage Azure file shares as part of the administration of Azure applications. You can create and manage Azure file shares using Azure portal and Azure Storage Explorer.
Premium block blobs
Premium storage account type for block blobs and append blobs. Recommended for scenarios with high transaction rates or that use smaller objects or require consistently low storage latency.
Premium file shares
Premium storage account type for file shares only. Recommended for enterprise or high-performance scale applications. Use this account type if you want a storage account that supports both Server Message Block (SMB) and NFS file shares.
Premium page blobs
Premium storage account type for page blobs only.
Azure AD business to customer (B2C)
Publish modern SaaS apps or custom-developed apps (excluding Microsoft apps) to consumers and customers, while using Azure AD B2C for identity and access management.
Geo-Redundant Storage (GRS)
Replicates your data synchronously three times within a single physical location in the primary region
Non-regional services
Services are always available from Azure geographies and are resilient to zone-wide outages as well as region-wide outages.
VM Resources
- Size
- Storage disks
- Networking
Three categories of MFA
- Something the user knows
- Something the user has
- Something the user is
Standard general-purpose v2
Standard storage account type for blobs, file shares, queues, and tables. Recommended for most scenarios using Azure Storage. If you want support for network file system (NFS) in Azure Files, use the premium file shares account type.
The archive access tier
Isn't available at the account level.
Zone-redundant services
The platform replicates automatically across zones (for example, zone-redundant storage, SQL Database).
Zone-redundant gateways
This configuration brings resiliency, scalability, and higher availability to virtual network gateways. These gateways require different gateway stock keeping units (SKUs) and use Standard public IP addresses instead of Basic public IP addresses.
Azure DNS also supports private DNS domains
This feature allows you to use your own custom domain names in your private virtual networks, rather than being stuck with the Azure-provided names.
Billing boundary
This subscription type determines how an Azure account is billed for using Azure. You can create multiple subscriptions for different types of billing requirements. Azure generates separate billing reports and invoices for each subscription so that you can organize and manage costs.
Azure sovereign regions include:
US DoD Central, US Gov Virginia, US Gov Iowa and more; China East, China North, and more
Availability sets do this by grouping VMs in two ways
- Update domain
- Fault domain
Microsoft Authenticator app
Users can sign in on any platform or browser by getting a notification on their phone, matching a number displayed on the screen to the one on their phone, and then using their biometric (touch or face) or PIN to confirm.
Availability zones are primarily for
VMs, managed disks, load balancers, and SQL databases.
Three passwordless authentication options
- Windows Hello for Business
- Microsoft Authenticator app
- FIDO2 security keys
Windows Hello for Business
Windows Hello for Business is ideal for information workers that have their own designated Windows PC. The biometric and PIN credentials are directly tied to the user's PC, which prevents access from anyone other than the owner.
Application Management
You can manage your cloud and on-premises apps by using Azure AD. Features like Application Proxy, SaaS apps, the My Apps portal, and single sign-on provide a better user experience.
WebJobs
You can use the WebJobs feature to run a program (.exe, Java, PHP, Python, or Node.js) or script (.cmd, .bat, PowerShell, or Bash) in the same context as a web app, API app, or mobile app. They can be scheduled or run by a trigger. WebJobs are often used to run background tasks as part of your application logic.
Zonal services
You pin the resource to a specific zone (for example, VMs, managed disks, IP addresses).
Azure services that support availability zones fall into three categories
- Zonal services
- Zone-redundant services
- Non-regional services
CONTAINERS
A type of virtualization that allows for shared operating systems for more resource savings and faster execution. Containers are lightweight and designed to be created, scaled out, and stopped dynamically.
User-defined routes (UDR)
User-defined routes allow you to control the routing tables between subnets within a virtual network or between virtual networks. This allows for greater control over network traffic flow.
Data in an Azure Storage account is
always replicated three times in the primary region.
FIDO2 security keys
FIDO2 security keys are an unphishable, standards-based passwordless authentication method that can come in any form factor. They allow users and organizations to leverage the standard to sign in to their resources without a username or password by using an external security key or a platform key built into a device. They are typically USB devices, but could also use Bluetooth or NFC.
Availability sets
Availability sets are designed to ensure that VMs stagger updates and have varied power and network connectivity, preventing you from losing all your VMs with a single network or power failure. They're a way for you to ensure your application remains online if a high-impact maintenance event is required, or a hardware failure occurs. Availability sets are made up of update domains and fault domains.
Datacenters
are grouped into Azure Regions or Azure Availability Zones that are designed to help you achieve resiliency and reliability for your business-critical workloads.
Sovereign regions
are instances of Azure that are isolated from the main instance of Azure.
Passwordless Authentication
are more convenient because the password is removed and replaced with something you have, plus something you are, or something you know.
Most Azure regions
are paired with another region within the same geography (such as US, Europe, or Asia) at least 300 miles away.
Availability zones
are physically separate datacenters within an Azure region.
Resource groups
Resource groups are simply groupings of resources. When you create a resource, you're required to place it into a resource group. While a resource group can contain many resources, a single resource can only be in one resource group at a time.
A subscription provides you with
authenticated and authorized access to Azure products and services. It also allows you to provision resources. An Azure subscription links to an Azure account, which is an identity in Azure Active Directory (Azure AD) or in a directory that Azure AD trusts.
Point-to-site virtual private network
connections are from a computer outside your organization back into your corporate network. In this case, the client computer initiates an encrypted VPN connection to connect to the Azure virtual network.
The data layer
controls access to business and customer data that you need to protect.
The identity and access layer
controls access to infrastructure and change control.
Azure virtual networks and virtual subnets
enable Azure resources, such as VMs, web apps, and databases, to communicate with each other, with users on the internet, and with your on-premises client computers.
single sign-on (SSO)
enables you to remember only one username and one password to access multiple applications. A single identity is tied to a user, which simplifies the security model. As users change roles or leave an organization, access modifications are tied to that identity, which greatly reduces the effort needed to change or disable accounts.
Redundancy
ensures that your storage account meets its availability and durability targets even in the face of failures.
Private endpoints
exist within a virtual network and have a private IP address from within the address space of that virtual network.
Azure Migrate
functions as a hub to help you manage the assessment and migration of your on-premises datacenter to Azure.
Update domain
An update domain groups VMs that can be rebooted at the same time. This allows you to apply updates while knowing that only one update domain grouping will be offline at a time. All of the machines will be updated. Each update domain is given a 30-minute time to recover before maintenance on the next update domain starts.
Public endpoints
have a public IP address and can be accessed from anywhere in the world.
The application layer
helps ensure that applications are secure and free of security vulnerabilities.
Defender for Cloud - Networks
Helps you limit exposure to brute force attacks. By reducing access to virtual machine ports using just-in-time VM access, you can harden your network by preventing unnecessary access. You can set secure access policies on selected ports, for only authorized users, allowed source IP address ranges or IP addresses, and for a limited amount of time.
Defender for Cloud - Azure data services
includes capabilities that help you automatically classify your data in Azure SQL. You can also get assessments for potential vulnerabilities across Azure SQL and Storage services, and recommendations for how to mitigate them.
A VPN gateway
VPN gateway instances are deployed in a dedicated subnet of the virtual network and enable the following connectivity:
- Connect on-premises datacenters to virtual networks through a site-to-site connection.
- Connect individual devices to virtual networks through a point-to-site connection.
- Connect virtual networks to other virtual networks through a network-to-network connection.
AzCopy
AzCopy is a command-line utility that you can use to copy blobs or files to or from your storage account. You can upload files, download files, copy files between storage accounts, and even synchronize files. It doesn't synchronize bi-directionally based on timestamps or other metadata.
region
is a geographical area on the planet that contains at least one, but potentially multiple datacenters that are nearby and networked together with a low-latency network.
An external identity
An external identity is a person, device, service, etc. that is outside your organization. Azure AD External Identities refers to all the ways you can securely interact with users outside of your organization. External users can "bring their own identities."
Azure AD DS
is a service that provides managed domain services such as domain join, group policy, lightweight directory access protocol (LDAP), and Kerberos/NTLM authentication.
Azure Storage Explorer
is a standalone app that provides a graphical interface to manage files and blobs in your Azure Storage Account.
Conditional Access
is a tool that Azure Active Directory uses to allow (or deny) access to resources based on identity signals. These signals include who the user is, where the user is, and what device the user is requesting access from.
Azure File Sync
Azure File Sync is a tool that lets you centralize your file shares in Azure Files and keep the flexibility, performance, and compatibility of a Windows file server. It's almost like turning your Windows file server into a miniature content delivery network. Your file server will automatically stay bi-directionally synced with your files in Azure.
A resource
is the basic building block of Azure. Anything you create, provision, deploy, etc. is a resource. Virtual Machines (VMs), virtual networks, databases, cognitive services, etc. are all considered resources within Azure.
The physical security layer
is the first line of defense to protect computing hardware in the datacenter.
multifactor authentication
is the process of prompting a user for an extra form (or factor) of identification during the sign-in process. MFA helps protect against a password compromise in situations where the password was compromised but the second factor wasn't.
Virtual machine scale sets
Virtual machine scale sets let you create and manage a group of identical, load-balanced VMs. Scale sets allow you to centrally manage, configure, and update a large number of VMs in minutes. They automatically deploy a load balancer to make sure that your resources are being used efficiently.
The network layer
limits communication between resources through segmentation and access controls.
Site-to-site virtual private networks
link your on-premises VPN device or gateway to the Azure VPN gateway in a virtual network. In effect, the devices in Azure can appear as being on the local network. The connection is encrypted and works over the internet.
A management group, subscription, or resource admin
might be given the role of owner, so they have increased control and authority.
Storage account names
must be between 3 and 24 characters in length and may contain numbers and lowercase letters only.
Azure Files
Azure Files offers fully managed file shares in the cloud that are accessible via the industry standard Server Message Block (SMB) or Network File System (NFS) protocols. Azure file shares can be mounted concurrently by cloud or on-premises deployments. SMB Azure file shares are accessible from Windows, Linux, and macOS clients. NFS Azure file shares are accessible from Linux or macOS clients. Azure file shares can be cached on Windows Servers with Azure File Sync for fast access near where the data is being used.
Each availability zone is made up of
one or more datacenters equipped with independent power, cooling, and networking.
Azure ExpressRoute
Provides dedicated private connectivity to Azure that doesn't travel over the internet. ExpressRoute is useful for environments where you need greater bandwidth and even higher levels of security.
subscriptions
Subscriptions are a unit of management, billing, and scale. Similar to how resource groups are a way to logically organize resources, subscriptions allow you to logically organize your resource groups and facilitate billing.
Zone-redundant storage
Zone-redundant storage replicates your Azure Storage data synchronously across three Azure availability zones in the primary region. ZRS offers durability for Azure Storage data objects of at least 12 nines (99.9999999999%) over a given year. Your data is still accessible for both read and write operations even if a zone becomes unavailable.
Locally redundant storage
replicates your data three times within a single data center in the primary region. LRS provides at least 11 nines of durability (99.999999999%) of objects over a given year. LRS is the lowest-cost redundancy option and offers the least durability compared to other options.
Geo-redundant storage (with GRS or GZRS)
replicates your data to another physical location in the secondary region to protect against regional outages.
The compute layer
secures access to virtual machines.
FUNCTIONS
A serverless computing option that doesn't require maintaining virtual machines or containers. Functions are ideal when you're only concerned about the code running your service and not about the underlying platform or infrastructure. They scale automatically based on demand, so they may be a good choice when demand is variable.
Queue storage
A service for storing large numbers of messages. Once stored, you can access the messages from anywhere in the world via authenticated calls using HTTP or HTTPS. A queue can contain as many messages as your storage account has room for (potentially millions). Each individual message can be up to 64 KB in size. Queues are commonly used to create a backlog of work to process asynchronously.
Azure DNS uses anycast networking
so each DNS query is answered by the closest available DNS server to provide fast performance and high availability for your domain.
Policy-based VPN gateways
specify statically the IP address of packets that should be encrypted through each tunnel. This type of device evaluates every data packet against those sets of IP addresses to choose the tunnel where that packet is going to be sent through.
one-direction pairing
The primary region does not provide backup for its secondary region.
If the IP address of the underlying resource changes
the alias record set seamlessly updates itself during DNS resolution. The alias record set points to the service instance, and the service instance is associated with an IP address.
stateless (the default) Functions
They behave as if they're restarted every time they respond to an event.
Azure Data Box
Used to move large amounts of offline data to Azure. Azure Data Box helps transfer large amounts of data in a quick, inexpensive, and reliable way. It can be used to import data to Azure.
Mobile apps
Use the Mobile apps feature to quickly build a back end for iOS and Android apps:
- Store mobile app data in a cloud-based SQL database.
- Authenticate customers against common social providers, such as MSA, Google, Twitter, and Facebook.
- Send push notifications.
- Execute custom back-end logic in C# or Node.js.
Most regions are paired in
two directions.
A virtual private network (VPN)
uses an encrypted tunnel within another network. VPNs are typically deployed to connect two or more trusted private networks to one another over an untrusted network (typically the public internet). Traffic is encrypted while traveling over the untrusted network to prevent eavesdropping or other attacks. VPNs can enable networks to safely and securely share sensitive information.
The perimeter layer
uses distributed denial of service (DDoS) protection to filter large-scale attacks before they can cause a denial of service for users.
Authentication
Verifying identity to access applications and resources. Azure AD authentication includes providing functionality such as self-service password reset, multifactor authentication, a custom list of banned passwords, and smart lockout services.
An observer
who isn't expected to make any updates, might be given a role of Reader for the same scope, enabling them to review or observe the management group, subscription, or resource group.