type
status
date
slug
category
password
tags
Part 1: Tables
- IAAS, PAAS, SAAS Examples
Service Model | Description | Example Providers/Services |
IAAS | Infrastructure as a Service - provides virtualized computing resources over the internet. | Azure Virtual Machines, Amazon EC2, Google Compute Engine |
PAAS | Platform as a Service - provides a platform allowing customers to develop, run, and manage applications. | Azure App Service, Google App Engine, AWS Elastic Beanstalk |
SAAS | Software as a Service - delivers software applications over the internet, typically on a subscription basis. | Microsoft Office 365, Google Workspace, Salesforce |
Service | Example Use Case | Type | Description | Examples |
Cloud-Based File Server | Remote file storage and sharing | Infrastructure as a Service (IaaS) / Storage as a Service | Provides storage infrastructure, either as raw storage (IaaS) or as managed file sharing. | Azure Blob Storage, Amazon S3, Google Cloud Storage |
Cloud-Based Accounting System | Web-based accounting application | Software as a Service (SaaS) | Fully managed application for accounting tasks, accessible via a web browser. | QuickBooks Online, Xero, FreshBooks |
Cloud-Based Service for Custom Apps | Hosting custom applications | Platform as a Service (PaaS) | Provides a platform and tools for deploying, running, and managing custom applications. | Google App Engine, Azure App Service, AWS Elastic Beanstalk |
- Elasticity vs Scalability
Concept | Definition | Key Points |
Elasticity | The ability of a system to automatically adjust resources to meet changing demands dynamically. | Focuses on auto-adjusting resources up and down in real-time based on workload fluctuations. Common in cloud environments for cost efficiency. |
Scalability | The capability of a system to handle a growing workload by adding resources (scaling up) or expanding infrastructure (scaling out). | Involves increasing capacity to meet long-term growth, not necessarily adjusting down. Key for supporting growth in usage or data. |
- Power Automate, Logic Apps, Azure Automation, and Azure Functions with insights:
Service/Feature | Purpose | Key Use Cases | Key Points |
Power Automate | Automates workflows and tasks across apps and services. | Workflow automation for business users. | Low-code/no-code tool; integrates with Microsoft 365 and hundreds of connectors. |
Logic Apps | Automates workflows, primarily in Azure and for developers. | Enterprise-grade integration and workflows. | Cloud-native workflow automation; connects with Azure services and on-premise systems. |
Azure Automation | Automates repetitive tasks in cloud infrastructure management. | Runbooks for VM management, patching. | Ideal for IT operations; supports PowerShell and Python for infrastructure tasks. |
Azure Functions | Runs event-driven code without managing servers. | Serverless computing, microservices. | Serverless model; pay-per-use based on triggers like HTTP requests, timers, and queues. |
Azure WebJobs | Runs background jobs within Azure App Service. | Background processing, scheduled tasks. | Executes continuous or triggered tasks within App Service; ideal for scheduled scripts or processing background tasks in .NET, PowerShell, and Python. |
- Azure Files, Azure Blob Storage, Disk Storage, Queue Storage and Table Storage
Storage Type | Purpose & Description | Key Use Cases | Key Points |
Azure Files | Fully managed file shares in the cloud, accessible via SMB. | File sharing across multiple VMs and on-premises. | Supports SMB protocol; can be mounted as a network drive on Windows, Linux, and macOS. |
Azure Blob Storage | Object storage for unstructured data, optimized for massive scale. | Images, videos, backups, logs. | Best for large-scale unstructured data; hot, cool, and archive tiers for cost optimization. |
Azure Disk Storage | Managed disk storage for Azure VMs. | Persistent storage for VMs and databases. | Durable storage for VMs; Standard, Premium, and Ultra options for varying performance needs. |
Azure Queue Storage | Message queue storage to enable asynchronous processing. | Decoupling components in cloud apps. | Useful for distributed systems needing temporary storage of messages; pay-per-transaction pricing. |
Azure Table Storage | NoSQL storage for structured data. | Scalable key-value storage for applications. | Supports large-scale structured data storage; cost-effective but with limited query capabilities. |
- Azure Log Analytics, Azure Data Lake, Azure Event Grid, and Azure Event Hub.
Service | Primary Function | Typical Use Cases & Limitations | Key Points |
Azure Log Analytics | Centralized log collection and analysis. | Monitoring and troubleshooting by aggregating data from multiple resources. | Part of Azure Monitor; integrates with Azure Security Center and Sentinel; supports KQL for querying. |
Azure Data Lake | Large-scale unstructured data storage and analysis. | Best for big data analytics and batch processing; not real-time or event-focused. | Optimized for data lakes; integrates with Azure Synapse Analytics for big data processing. |
Azure Event Grid | Event routing across services for real-time scenarios. | Used in event-driven architectures; lacks data storage or correlation capabilities. | Ideal for event-based automation; works with Azure Functions and Logic Apps for automation; uses a pay-per-operation model. |
Azure Event Hub | High-throughput event ingestion and processing. | Suitable for real-time telemetry; does not provide data correlation or long-term storage. | Designed for stream processing and telemetry; integrates with Azure Stream Analytics and Apache Kafka. |
- Load Balancer, Availability Zones, Availability Sets, and Region Pairs
Feature/Concept | Purpose & Description | Key Use Cases | Key Points |
Load Balancer | Distributes traffic across multiple VMs or services for improved performance and reliability. | Application and traffic distribution. | Used in Availability Sets and Zones for load balancing; can be public (internet-facing) or internal. |
Availability Sets | Groups of VMs distributed across multiple fault and update domains within a datacenter. | Basic VM redundancy within a single datacenter. | Guarantees 99.95% SLA; uses Fault Domains to spread VMs across racks and Update Domains to handle updates separately. |
Availability Zones | Physically separate datacenters within an Azure region, providing protection against datacenter failures. | High availability for mission-critical apps. | Ensures 99.99% SLA for VMs in multiple zones; zones are independent in power, cooling, and networking. |
Region Pairs | Paired Azure regions for cross-region disaster recovery. | Geo-redundancy and data replication. | Each region has a paired region at a distance to minimize disruption; automatic failover in some services. |
Azure Traffic Manager | DNS-based traffic routing to direct users to globally distributed endpoints. | Global high availability for multi-region apps. | Routes traffic based on performance, priority, geographic location, or availability. |
Azure Site Recovery | Disaster recovery service that replicates workloads to another region. | Business continuity and disaster recovery. | Supports cross-region failover; works with Availability Zones and Sets for failover scenarios. |
- Point-to-Site VPN, Site-to-Site VPN, ExpressRoute, Azure Application Gateway, and VPN Gateway
Service/Feature | Purpose & Description | Key Use Cases | Key Points |
Point-to-Site (P2S) VPN | Establishes a secure connection from an individual client device to an Azure virtual network. | Remote access for individual users. | Ideal for individual connections to Azure; uses SSL or IKEv2 protocols; suitable for telecommuting. |
Site-to-Site (S2S) VPN | Connects an on-premises network to an Azure virtual network over IPsec/IKE VPN. | Corporate network extension to Azure. | For secure, persistent on-premises-to-Azure connections; requires VPN device; supports IPsec/IKE. |
ExpressRoute | Provides a private, dedicated connection from an on-premises network to Azure. | High-throughput, low-latency connections. | Does not use the public internet; offers more reliability, speed, and security than VPN connections. |
Azure Application Gateway | A Layer 7 load balancer for web traffic with built-in WAF (Web Application Firewall) capabilities. | Application-level routing and security. | Routes HTTP/HTTPS traffic, supports SSL termination; WAF protects from threats like SQL injection. |
VPN Gateway | A specific type of gateway for establishing VPNs to Azure virtual networks. | Supports both P2S and S2S VPNs. | Required for VPN connections to Azure VNet; can connect multiple on-premises sites to Azure. |
Azure Bastion | Provides secure and seamless RDP/SSH access to VMs without a public IP. | Secure access to VMs in Azure. | Useful for secure VM management within Azure; no VPN required, accessible via the Azure portal. |
Azure Firewall | Managed network security service for controlling traffic across Azure VNets. | Network-level traffic filtering. | Filters and monitors inbound, outbound, and spoke traffic; integrates with Application Gateway for added security. |
Network Security Group (NSG) | Controls inbound and outbound traffic for Azure VNets or subnets. | Basic traffic filtering at the network level. | Commonly used for VNet segmentation; includes IP address, port, and protocol-based filtering. |
- OneDrive, SharePoint, Azure Files, and Azure Blob Storage—four related storage solutions
Service | Purpose & Description | Key Use Cases | Key Points |
OneDrive | Personal cloud storage for individual users within Microsoft 365. | Personal file storage and sharing. | Ideal for individual users; integrated with Microsoft 365 apps for file sharing and collaboration. |
SharePoint | Collaboration platform with document management, storage, and sharing for teams. | Team sites and document management. | Suited for organizational collaboration; supports version control, co-authoring, and file sharing. |
Azure Files | Managed file share in the cloud, accessible via SMB protocol. | File SMB-based files sharing across multiple VMs and on-premise | Allows files to be mounted as network drives; integrates with on-premises environments. |
Azure Blob Storage | Object storage optimized for massive unstructured data, supporting scalability and tiered storage. | Big data, backup, archiving. | Best for large-scale unstructured data; provides hot, cool, and archive storage tiers. |
- Microsoft Defender for Cloud, Microsoft Defender for Endpoint, Microsoft Purview, Conditional Access, and other related security and compliance features:
Service/Feature | Purpose & Description | Key Use Cases | Key Points |
Microsoft Defender for Cloud | Cloud-native solution for securing Azure, hybrid, and multi-cloud resources. | Security posture management, threat protection | Identifies and mitigates risks in Azure, AWS, GCP; offers Secure Score for overall security assessment. |
Microsoft Defender for Endpoint | Endpoint security solution that provides threat protection for devices. | Endpoint detection, response (EDR) | Protects devices from cyber threats, integrates with Microsoft 365 Defender; ideal for zero-trust security. |
Microsoft Purview | Unified data governance service for discovering, protecting, and managing data. | Data governance, compliance | Helps meet compliance standards (e.g., GDPR); provides data mapping and risk assessment for sensitive data. |
Conditional Access | Policy-based security feature to control access to apps and resources based on conditions. | Access control, MFA enforcement | Enforces access policies based on conditions (e.g., location, device); key for implementing zero-trust. |
Microsoft Sentinel | Cloud-native SIEM (Security Information and Event Management) solution. | Security analytics, threat detection | Aggregates and analyzes data across environments for threat detection and incident response. |
Microsoft Intune | Cloud-based management of devices and applications. | Mobile Device Management (MDM), Mobile Application Management (MAM) | Manages devices remotely; enforces compliance policies for mobile devices and apps in Azure Active Directory. |
Azure AD Identity Protection | Detects and mitigates identity-based threats using AI and machine learning. | Identity threat detection | Protects against compromised accounts; integrates with Conditional Access for risk-based access control. |
Microsoft Defender for Office 365 | Protects Office 365 against phishing, malware, and other security threats. | Email security, anti-phishing | Protects email and collaboration tools in Office 365; provides safe attachments and safe links for email security. |
Azure Monitor | Comprehensive monitoring service for collecting, analyzing, and acting on telemetry data from Azure resources. | Resource health monitoring, alerting | Centralized monitoring with alerts, logs, and metrics; integrates with Log Analytics for analysis. |
Azure Monitor | Comprehensive monitoring service for collecting, analyzing, and acting on telemetry data from Azure resources. | Resource health monitoring, alerting | Centralized monitoring with alerts, logs, and metrics; integrates with Log Analytics for analysis. |
- Entra ID Conditional Access, Microsoft Authenticator, Windows Hello for Business, and Microsoft Purview
Service/Feature | Purpose & Description | Key Use Cases | Key Points |
Entra ID Conditional Access | Policy-based access control feature in Entra ID (formerly Azure AD) to enforce security policies. | Access control based on location, device, and risk. | Key for zero-trust access; enforces policies based on user/device context (e.g., location, risk level). |
Microsoft Authenticator | Mobile app providing multi-factor authentication (MFA) for added security. | MFA, passwordless login, single sign-on. | Generates OTP codes or notifications; supports passwordless sign-in; often used with Entra ID. |
Windows Hello for Business | Biometric and PIN-based authentication for Windows 10/11 devices, offering secure sign-in without passwords. | Passwordless authentication, biometric login. | Integrates with Entra ID; enhances security with biometrics or PIN, stored securely on devices. |
Microsoft Purview | Unified data governance, compliance, and risk management solution for managing and protecting sensitive data. | Data governance, compliance, risk assessment. | Helps organizations meet compliance (e.g., GDPR); provides data discovery, protection, and risk assessment. |
Microsoft Entra ID Multi-Factor Authentication (MFA) | Adds an extra layer of security by requiring multiple forms of verification during sign-in. | Enhanced authentication, reduced unauthorized access | Requires users to authenticate via password + another method (e.g., phone, app, SMS); commonly used to mitigate risks from compromised credentials. |
Microsoft Entra ID Identity Protection | Detects and responds to identity-based risks using machine learning and analytics. | Identity threat detection, automated risk mitigation | Identifies and mitigates risks by analyzing sign-in patterns and compromised accounts; can enforce responses like MFA challenges or password resets based on risk level. |
- Azure Policy, Microsoft Purview, Azure Blueprints, Azure Security Center, and Entra ID Conditional Access.
Service/Feature | Purpose & Description | Key Use Cases | Key Points |
Azure Policy | Enforces standards and evaluates compliance across Azure resources. | Compliance enforcement, resource configuration | Creates and enforces compliance policies for resources (e.g., allowed VM sizes, tagging policies); supports policy remediation. |
Microsoft Purview | Unified data governance, compliance, and risk management solution for managing sensitive data. | Data governance, compliance | Enables data discovery, protection, and risk assessment; critical for regulatory compliance (e.g., GDPR). |
Azure Blueprints | Deploys and maintains environments with pre-configured resources, policies, and role assignments. | Environment consistency, compliance | Useful for setting up standardized environments with compliance baked-in; combines ARM templates, RBAC, and policies. |
Azure Security Center | Unified security management for threat protection and security recommendations across Azure resources. | Threat detection, security posture | Provides security recommendations and threat protection for Azure environments; now part of Microsoft Defender for Cloud. |
Entra ID Conditional Access | Enforces access policies in Entra ID based on user and device conditions. | Access control, multi-factor authentication | Essential for zero-trust access; applies policies based on location, device, and user context. |
Azure Locks | Provides an extra layer of protection by preventing accidental deletion or modification of resources. | Resource protection, accidental deletion prevention | Two lock levels: Read-Only (prevents changes) and Delete (prevents deletion). Essential for protecting critical resources. |
ARM Templates | JSON-based templates for defining and automating deployment of Azure resources. | Infrastructure as Code (IaC), consistent deployments | Provides declarative syntax; manages complete environments through code; integrates with Azure DevOps and GitHub Actions. |
- Azure Advisor:
Service/Feature | Purpose & Description | Key Use Cases | Key Points |
Azure Pricing Calculator | Estimates costs of Azure services based on configuration and usage. | Cost estimation before deployment | Useful for pre-deployment cost planning; allows comparison of different configurations and services. |
Total Cost of Ownership (TCO) Calculator | Calculates potential savings from migrating on-premises infrastructure to Azure. | On-premises to cloud cost comparison | Estimates savings from cloud migration by considering factors like hardware, software, and maintenance costs. |
Azure Cost Management | Helps monitor and manage cloud spending across Azure (and multi-cloud environments). | Budget tracking, cost analysis | Provides insights into spending patterns, budget alerts, and cost forecasts to optimize cloud usage. |
Azure Advisor | Provides personalized best practice recommendations, including cost optimization suggestions. | Cost savings, resource optimization | Offers cost-saving recommendations and optimization tips for improving cost, security, performance, and reliability across resources. |
- Azure File Sync, AzCopy, Azure Data Box, and Azure Storage Explorer
Tool/Service | Purpose & Description | Key Use Cases | Key Points |
Azure File Sync | Synchronizes on-premises file servers with Azure Files, providing cloud-based backups and access. | File server backup, cloud tiering | Extends file server storage to Azure; supports cloud tiering to optimize local storage by storing infrequently accessed files in Azure. |
AzCopy | Command-line utility for transferring data to and from Azure storage. | Fast data transfers to/from Azure Blob Storage, Files, and other storage services | Ideal for large data migrations; supports multi-threaded transfers for efficient data copy operations. |
Azure Data Box | Physical device for transferring large volumes of data to Azure when network transfer isn’t feasible. | Offline data migration, bulk data transfer | Useful for petabyte-scale data migrations; offers Data Box, Data Box Disk, and Data Box Heavy for varying data volumes. |
Azure Storage Explorer | Graphical user interface for managing Azure Storage resources, including blobs, files, and queues. | Storage management, data upload/download | Provides a user-friendly interface for accessing and managing Azure Storage; supports Blob Storage, File Shares, Tables, and Queues. |
Part 2: Exam Preparation
- Azure Event Hubs is used to colledct events rom multiple resources into a centralized repository.
- A gateway subnet and a vritual network gateway, connecting on-premises network to Azure virtual network
- The Azure Hybrid Benefit allows you to use your existing on-premises licenses (covered under a Software Assurance agreement) for SQL Server in Azure.
- Azure Service Health can notify you when Microsoft plans to perform maintenance that can affect the resources deployed to an Azure subscription.
- Move App with legacy database to the cloud is IaaS.
- Azure Advisor provides recommendations to help align your company’s cloud usage with industry standard best practice.
- Azure Advisor can be used to identify unused Azure VMs.
- Log Analytics workspace is used to store event data and performance data in Azure Monitor.
- Azure policy can prevent the creation of VMs in RG1.
- Service Endpoint prevent traffic from an Azure VNet being routed to an Azure Storage account via the internet.
- Azure inbound traffic is free, outbound charges per region or service tier. Data type doesn’t matter.
- Microsoft Defender evaluate whether the Azure environment meets regulatory requirement.
- An Azure resource can only have one Delete Lock, at the same time, it can has a Read-only Lock also.
- Lock can be inherited from resource group.
- Domain: A network boundary for organizing users, computers, and resources, typically managed by a directory service like Active Directory.
- Azure AD no need implementation of domain controllers on Azure VMs.
- Subscription: A billing and resource management boundary in Azure for organizing and provisioning cloud resources
- Each user account in Azure Active Directory (Azure AD) can be assigned with multiple licenses.
- Archive access tier data must be rehydrated before the data can be accessed.
- Apply an Azure Policy to RG, all resources continue to function normally though some may tagged with non-compliant with policy.
- An Azure Policy initiative is indeed a collection of policy definitions grouped together to achieve a specific goal or set of compliance requirements.
- The Azure Total Cost of Ownership (TCO) Calculator can help calculate cost savings, including those from reduced electricity consumption, as a result of migrating on-premises infrastructure, like Microsoft SQL servers, to Azure.
- The Database Migration Assistant (DMA) is a tool provided by Microsoft to assist in the assessment and migration of on-premises databases (such as Microsoft SQL Server) to Azure.
- The My Library feature in the Microsoft documentation site is designed to allow users to save technical documents and learning resources from the Microsoft Docs platform. However, it does not support saving resources from external sites like the Service Trust Portal.
- Each Azure Virtual Machine (VM) can belong to only one resource group at a time.
- No sub group under resource group
- Azure Reservations do not reserve capacity in a specific physical data center.
- Azure SQL Database is a managed service that continues to bill for storage and reserved capacity, even when it’s not actively in use. You cannot stop an Azure SQL Database instance to reduce costs in the same way you can stop an Azure Virtual Machine.
- If an Azure Virtual Machine (VM) has a status of Stopped (Deallocated), you will continue to pay for
storagecosts associated with the VM, but you will not incur charges for the VM’s compute resources
- An Azure Virtual Network (VNet) must have a unique address space within the same Azure region and subscription.
- Trust Center is not part of Microsoft Defender for Cloud, and can be accessed by anyone.
- QuickBooks, A cloud-based accounting system is typically a Software as a Service (SaaS); A cloud-based service for custom apps is generally a Platform as a Service (PaaS), Examples include Azure App Service, Google App Engine, or AWS Elastic Beanstalk.
- The cool tier is designed specifically for blob storage in standard storage accounts, not for file shares or premium storage accounts.
- The Archive access tier is applied at the blob level, not the storage account level. At the storage account level, you can only set the default access tier to Hot or Cool for new blobs.
- Azure roles are predefined sets of permissions that control access to Azure resources. One user account can be assigned with multiple Azure roles.
- A DNS on Azure VM is IaaS; Azure Files provides a managed file storage solution, which classifies it as a PaaS.
- Microsoft Intune is SaaS, a cloud-based service within Microsoft Endpoint Manager used for mobile device management (MDM) and mobile application management (MAM).
- Tags are not inherited from resource group, mirco manage
- IAM in Azure Portal assign roles for resource group
- Deleting a resource group will delete all teh resources in the group.
- Azure Active Directory (Azure AD) does not support Group Policies in the same way as on-premises Active Directory (AD) does
- Android devices cannot be directly joined to Azure AD in the same way that Windows devices can. However, you can register and manage Android devices in Azure AD using Microsoft Intune, which is part of Microsoft Endpoint Manager
- Azure Spot VM instance provide access to unsued Azure compute capacity at deep discounts.
- You cannot merge Azure subscriptions directly. Each subscription in Azure is an isolated billing and management unit, and they cannot be combined or merged into a single subscription
- Azure Advisor does not generate a list of Azure VMs that are protected by Azure Backup.
- ExpressRoute uses BGP, you can config multiple ExpressRoute circuits to connect an on-premises datacenter to Azure.
- Serverless computing is an example of a consumption-based plan. In serverless computing, you are billed based on the actual resources consumed, such as the number of executions, memory used, and execution time, rather than paying for reserved infrastructure
- Premium storage accounts can be configured as Azure file share; can be blobs storage, but not StorageV2 storage.
- Azure Advisor can provide recommendations across multiple Azure subscriptions
- An Azure subscription has only one designated Account Administrator but can have multiple users with administrative roles through RBAC.
- An Azure subscription can only be associated with one Azure Active Directory (Azure AD) tenant at a time.
- Azure Service Health can create an alert rule to notify you if there is a service issue or outage affecting your resources.
- In a Platform as a Service (PaaS) model like Azure Web Apps, the responsibility for updating the application code typically falls on the customer (application developers or DevOps teams), not on Microsoft.
- Your storage account name must be unique within Azure. No two storage accounts can have the same name.
- Availablity sets can group VMs into an update domain or a fault domain.
- Author:wenyang
- URL:https://www.wenyang.xyz/article/azure
- Copyright:All articles in this blog, except for special statements, adopt BY-NC-SA agreement. Please indicate the source!