I was speaking to one of my colleagues who didn't have much understanding of what the cloud was, so I explained it from two perspectives, one being from a consumer perspective and the other commercial. From a consumer perspective, the cloud is mostly based on software as a service (SaaS) where individuals store their files on OneDrive, Google Drive, Dropbox, etc., or consume content not residing on a computer in their house like with Netflix or Spotify. So, from a consumer perspective, the cloud is mostly about the consumption of products that historically required individuals to have compute power and local storage space of their own.
From a commercial perspective, the cloud takes on a whole other meaning, whereby a commercial user of the cloud consumes compute resources for the purpose of providing cloud services to the consumer. Providing these services to consumers requires great compute capacity, because customers have become intolerant and impatient when it comes to receiving cloud services. A small outage, an unexpected pause in a movie, or a latent download of a file can lose customers and sometimes make the news. Having extra or idle compute capacity to scale instantly has become a necessity for companies, but buying and managing this capacity is not cost efficient.
I like to think that the birth of the cloud happened because of the Black Friday event that happens in the United States. Black Friday takes place the day after Thanksgiving and is one of the largest, busiest shopping days of the year. Amazon, wanting to make sure it could withstand the surge of traffic it would receive on this day and through the weekend, added a massive amount of compute power specifically for this day. Once the weekend passed, they had to answer the question, now what shall we do with all these extra computers? Having an entrepreneurial mindset, someone likely thought about how to make some money from the servers and the idea of renting them out to companies popped up. And this was the birth of infrastructure as a service (IaaS) from Amazon Web Services (AWS) and what we call the cloud today.
The cloud, from a commercial perspective, is simply a place for companies or individuals to rent computers hosted in a cloud provider's private data center. Cloud providers such as Microsoft, Amazon, and to some extent Google are in the market to provide a cloud platform for companies that want to, in turn, provide a great performant product experience to their customers. From all of this, we have arrived at the next era of IT and computing, which is the cloud.
In 2013, I wrote a book titled Windows Azure and ASP.NET MVC Migration. In the introduction of that book, I mentioned the retirement of Windows Server 2003. My primary point in that introduction was to avoid moving an application that originally targeted Windows Server 2003 directly to the cloud. Instead, take the opportunity for a reboot, a refreshing rewrite, and a new start for the application. From a coding perspective, I recommended using some new technologies such as REST, LINQ, and ORM; changing from XML to JSON; and using a cross-platform coding language like .NET Core. From an operating system and compute resource perspective, I, as one would expect, drove the reader toward the Microsoft Azure and Azure App Service compute products.
At that time, in 2013, I drove the recognition of the emergence of the cloud and how significant this new platform would become. I predicted this because I knew, firsthand, the complexities, time, and effort involved in adding new compute capacities to an existing on-premises IT solution, needless to mention the cost. I saw that it was now possible, in the cloud, to add 1, 10, 20, or 200 new servers to a web farm with a simple click of a button. And a most impressive part is that when I no longer wanted them, I pressed a different button and removed them. I literally just got goose bumps while I wrote this paragraph, by simply remembering my first experience with this autoscaling capability.
The years have passed, and there has been no slowing of cloud progress with the delivery of more capabilities that make the life of an IT professional simpler and the costs of a software product more manageable. That comment doesn't imply, or even hint, that understanding the cloud product and features is by any means simple—not even close. But there should be no doubt that the arrival of the cloud has provided a platform to deliver products to customers who have a new, much more elevated set of expectations. This book will help improve your understanding of the Microsoft Azure platform and features, with an emphasis on the successful completion of your Azure Solutions Architect Expert (AZ-303 and AZ-304) exams.
This book is for anyone who wants to learn about Microsoft Azure products and features and ultimately attain the Azure Solutions Architect Expert certification. This book is not intended for absolute beginners; however, beginners may gain some greater insights into Azure and how to consume and configure its products and services. Gaining the Azure Solutions Architect Expert certification means that you can comprehend, design, and implement technical solutions using the following:
That is a broad range of topics, and the number of possible scenarios in which to apply them is equally great. This book will provide insights into each of those topics, but it is expected that you have some experience with each.
This book covers everything you need to know to greatly increase the probability of passing the Azure Solutions Architect Expert exam. But more important, the contents of this book, once you learn them, will make you an Azure cloud architect. Which is most important to you? Both for sure, which is the goal and purpose of this book. You will learn about Azure security, Azure networking, Azure compute, Azure data stores and storage, Azure messaging services, Azure migration tools, Azure monitoring tools, and Azure recovery tools. That is a lot to learn about, and in addition to learning about what those products are and do, you will work through some real examples to implement and use them.
Good design really is everything. Unless you plan before doing, it is highly probable that the result won't quite measure up to expectations. In many instances, even with good planning, the result may still fall short or fail outright. There are many priorities and areas to be concerned with when planning a big project. The same is true when you are migrating existing on-premises workloads to Azure or creating new applications and infrastructure directly on Azure. In both scenarios, security, networking, compute, and data storage all come into focus. The chapters are provided in order of priority, which means that when you plan your migration or deployments, you should make sure each of those phases is part of your plan. The order in which those IT components are analyzed, designed, and implemented is important and is the reason the book is constructed in this way.
Security is by far the most important point of concentration. Networking must exist before you place your compute workloads into it, and keep in mind the network needs to be secured before placing your workloads into it. Then your data, compliance and governance, messaging concepts, development concepts, and deploying your application initially and applying updates cannot be ignored or missed. Once deployed, the lifecycle of your application is really just beginning; monitoring it and having a failover and disaster recovery plan designed and tested are musts for production IT solutions.
Following this design pattern laid out by the chapter flow will help you become a great Azure Solutions Architect Expert. Note that when you take the Azure Solutions Architect Expert exam, you sign a nondisclosure agreement (NDA) stating that you will not discuss the questions or any of the content of the exam. That is important, so the credential you gain when passing the exam maintains its integrity and value. This book will help you learn the skills and gain the experience an Azure Solutions Architect Expert should have. By learning and exercising the techniques contained within this book, your probability of passing the exam is greatly increased. The point is, the book is geared toward building your experiences and skills on the Azure platform; with those skills and experiences, you can then master the skillset and gain the certification.
The following items are necessary to realize all the benefits of this book and to complete the numerous exercises:
Many of the exercises require you to consume Azure resources that have an associated financial cost. Make sure in all cases that you understand the costs you may incur when creating and consuming Azure products. Most of all, once you complete an exercise that required the creation of an Azure product, you'll want to remove it. However, in many cases throughout the book, you rely on the Azure products created in the previous exercises to complete the current one. Those scenarios are called out as much as possible.
To get the most out of this book, certain conventions have been utilized throughout. Exercise I.1 shows an exercise.
Here are the formatting text styles used throughout the book:
string csharpGuitar = String.Empty;
portal.azure.com
Get-AzVM
You can find the source code for this book on GitHub here:
Table I.1 shows where in the book the AZ-303 objectives are covered.
TABLE I.1 AZ-303 Objectives to Chapter Mapping
Exam Objective | Chapter |
---|---|
Implement and Monitor an Azure Infrastructure | |
Implement cloud infrastructure monitoring | Chapter 9, “Monitor and Recover” |
monitor security | Chapter 2, “Security and Identity” |
monitor performance | Chapter 9, “Monitor and Recover” |
monitor health and availability | Chapter 9, “Monitor and Recover” |
monitor cost | Chapter 9, “Monitor and Recover” |
configure advanced logging | Chapter 9, “Monitor and Recover” |
configure logging for workloads | Chapter 9, “Monitor and Recover” |
initiate automated responses by using Action Groups | Chapter 9, “Monitor and Recover” |
configure and manage advanced alerts | Chapter 9, “Monitor and Recover” |
Implement storage accounts | Chapter 5, “Data and Storage” |
select storage account options based on a use case | Chapter 5, “Data and Storage” |
configure Azure Files and blob storage | Chapter 5, “Data and Storage” |
configure network access to the storage account | Chapter 3, “Networking” |
implement Shared Access Signatures and access policies | Chapter 5, “Data and Storage” |
implement Azure AD authentication for storage | Chapter 5, “Data and Storage” |
manage access keys | Chapter 5, “Data and Storage” |
implement Azure storage replication | Chapter 5, “Data and Storage” |
implement Azure storage account failover | Chapter 9, “Monitor and Recover” |
Implement VMs for Windows and Linux | Chapter 4, “Compute” |
configure High Availability | Chapter 4, “Compute” |
configure storage for VMs | Chapter 4, “Compute” |
select virtual machine size | Chapter 4, “Compute” |
implement Azure Dedicated Hosts | Chapter 4, “Compute” |
deploy and configure scale sets | Chapter 4, “Compute” |
configure Azure Disk Encryption | Chapter 4, “Compute” |
Automate deployment and configuration of resources | Chapter 8, “Migrate and Deploy” |
save a deployment as an Azure Resource Manager template | Chapter 8, “Migrate and Deploy” |
modify Azure Resource Manager template | Chapter 8, “Migrate and Deploy” |
evaluate location of new resources | Chapter 6, “Hybrid, Compliance, and Messaging” |
configure a virtual disk template | Chapter 8, “Migrate and Deploy” |
deploy from a template | Chapter 8, “Migrate and Deploy” |
manage a template library | Chapter 8, “Migrate and Deploy” |
create and execute an automation runbook | Chapter 8, “Migrate and Deploy” |
Implement virtual networking | Chapter 3, “Networking” |
implement VNet to VNet connections | Chapter 3, “Networking” |
implement VNet peering | Chapter 3, “Networking” |
Implement Azure Active Directory | Chapter 2, “Security and Identity” |
add custom domains | Chapter 2, “Security and Identity” |
configure Azure AD Identity Protection | Chapter 2, “Security and Identity” |
implement self-service password reset | Chapter 2, “Security and Identity” |
implement Conditional Access including MFA | Chapter 2, “Security and Identity” |
configure user accounts for MFA | Chapter 2, “Security and Identity” |
configure fraud alerts | Chapter 2, “Security and Identity” |
configure bypass options | Chapter 2, “Security and Identity” |
configure Trusted IPs | Chapter 4, “Compute” |
configure verification methods | Chapter 2, “Security and Identity” |
implement and manage guest accounts | Chapter 2, “Security and Identity” |
manage multiple directories | Chapter 2, “Security and Identity” |
Implement and manage hybrid identities | Chapter 2, “Security and Identity” |
install and configure Azure AD Connect | Chapter 2, “Security and Identity” |
identity synchronization options | Chapter 2, “Security and Identity” |
configure and manage password sync and password writeback | Chapter 2, “Security and Identity” |
configure single sign-on | Chapter 2, “Security and Identity” |
use Azure AD Connect Health | Chapter 2, “Security and Identity” |
Implement Management and Security Solutions | |
Manage workloads in Azure | Chapter 4, “Compute” |
migrate workloads using Azure Migrate | Chapter 8, “Migrate and Deploy” |
implement Azure Backup for VMs | Chapter 9, “Monitor and Recover” |
implement disaster recovery | Chapter 9, “Monitor and Recover” |
implement Azure Update Management | Chapter 4, “Compute” |
Implement load balancing and network security | Chapter 3, “Networking” |
implement Azure Load Balancer | Chapter 3, “Networking” |
implement an application gateway | Chapter 3, “Networking” |
implement a Web Application Firewall | Chapter 3, “Networking” |
implement Azure Firewall | Chapter 3, “Networking” |
implement the Azure Front Door Service | Chapter 3, “Networking” |
implement Azure Traffic Manager | Chapter 3, “Networking” |
implement Network Security Groups and Application Security Groups | Chapter 3, “Networking” |
implement Bastion | Chapter 4, “Compute” |
Implement and manage Azure governance solutions | Chapter 6, “Hybrid, Compliance, and Messaging” |
create and manage hierarchical structure that contains management groups, subscriptions and resource groups | Chapter 2, “Security and Identity” |
assign RBAC roles | Chapter 2, “Security and Identity” |
create a custom RBAC role | Chapter 2, “Security and Identity” |
configure access to Azure resources by assigning roles | Chapter 2, “Security and Identity” |
configure management access to Azure | Chapter 2, “Security and Identity” |
interpret effective permissions | Chapter 6, “Hybrid, Compliance, and Messaging” |
set up and perform an access review | Chapter 6, “Hybrid, Compliance, and Messaging” |
implement and configure an Azure Policy | Chapter 6, “Hybrid, Compliance, and Messaging” |
implement and configure an Azure Blueprint | Chapter 6, “Hybrid, Compliance, and Messaging” |
Manage security for applications | Chapter 2, “Security and Identity” |
implement and configure KeyVault | Chapter 2, “Security and Identity” |
implement and configure Azure AD Managed Identities | Chapter 2, “Security and Identity” |
register and manage applications in Azure AD | Chapter 2, “Security and Identity” |
Implement Solutions for Apps | |
Implement an application infrastructure | Chapter 4, “Compute” |
create and configure Azure App Service | Chapter 4, “Compute” |
create an App Service Web App for Containers | Chapter 4, “Compute” |
create and configure an App Service plan | Chapter 4, “Compute” |
configure an App Service | Chapter 4, “Compute” |
configure networking for an App Service | Chapter 4, “Compute” |
create and manage deployment slots | Chapter 4, “Compute” |
implement Logic Apps | Chapter 4, “Compute” |
implement Azure Functions | Chapter 4, “Compute” |
Implement container-based applications | Chapter 4, “Compute” |
create a container image | Chapter 4, “Compute” |
configure Azure Kubernetes Service | Chapter 4, “Compute” |
publish and automate image deployment to the Azure Container Registry | Chapter 4, “Compute” |
publish a solution on an Azure Container Instance | Chapter 4, “Compute” |
Implement and Manage Data Platforms | Chapter 5, “Data and Storage” |
Implement NoSQL databases | Chapter 5, “Data and Storage” |
configure storage account tables | Chapter 5, “Data and Storage” |
select appropriate CosmosDB APIs | Chapter 5, “Data and Storage” |
set up replicas in CosmosDB | Chapter 5, “Data and Storage” |
Implement Azure SQL databases | Chapter 5, “Data and Storage” |
configure Azure SQL database settings | Chapter 5, “Data and Storage” |
implement Azure SQL Database managed instances | Chapter 5, “Data and Storage” |
configure HA for an Azure SQL database | Chapter 5, “Data and Storage” |
publish an Azure SQL database | Chapter 5, “Data and Storage” |
Table I.2 shows where in the book the AZ-304 objectives are covered.
TABLE I.2 AZ-304 Objective to Chapter mapping
Exam Objective | Chapter |
---|---|
Design Monitoring | |
Design for cost optimization | Chapter 9, “Monitor and Recovery” |
recommend a solution for cost management and cost reporting | Chapter 9, “Monitor and Recovery” |
recommend solutions to minimize costs | Chapter 9, “Monitor and Recovery” |
Design a solution for logging and monitoring | Chapter 9, “Monitor and Recovery” |
determine levels and storage locations for logs | Chapter 9, “Monitor and Recovery” |
plan for integration with monitoring tools including Azure Monitor and Azure Sentinel | Chapter 9, “Monitor and Recovery” |
recommend appropriate monitoring tool(s) for a solution | Chapter 9, “Monitor and Recovery” |
choose a mechanism for event routing and escalation | Chapter 9, “Monitor and Recovery” |
recommend a logging solution for compliance requirements | Chapter 6, “Hybrid, Compliance, and Messaging” |
Design Identity and Security | |
Design authentication | Chapter 2, “Security and Identity” |
recommend a solution for single sign-on | Chapter 2, “Security and Identity” |
recommend a solution for authentication | Chapter 2, “Security and Identity” |
recommend a solution for Conditional Access, including multi-factor authentication | Chapter 2, “Security and Identity” |
recommend a solution for network access authentication | Chapter 2, “Security and Identity” |
recommend a solution for a hybrid identity including Azure AD Connect and Azure AD Connect Health | Chapter 2, “Security and Identity” |
recommend a solution for user self-service | Chapter 2, “Security and Identity” |
recommend and implement a solution for B2B integration | Chapter 2, “Security and Identity” |
Design authorization | Chapter 2, “Security and Identity” |
choose an authorization approach | Chapter 2, “Security and Identity” |
recommend a hierarchical structure that includes management groups, subscriptions and resource groups | Chapter 2, “Security and Identity” |
recommend an access management solution including RBAC policies, access reviews, role assignments, physical access, Privileged Identity Management (PIM), Azure AD Identity Protection, Just In Time (JIT) access | Chapter 2, “Security and Identity” |
Design governance | Chapter 6, “Hybrid, Compliance, and Messaging” |
recommend a strategy for tagging | Chapter 6, “Hybrid, Compliance, and Messaging” |
recommend a solution for using Azure Policy | Chapter 6, “Hybrid, Compliance, and Messaging” |
recommend a solution for using Azure Blueprint | Chapter 6, “Hybrid, Compliance, and Messaging” |
Design security for applications | Chapter 2, “Security and Identity” |
recommend a solution that includes KeyVault | Chapter 2, “Security and Identity” |
recommend a solution that includes Azure AD Managed Identities | Chapter 2, “Security and Identity” |
recommend a solution for integrating applications into Azure AD | Chapter 2, “Security and Identity” |
Design Data Storage | |
Design a solution for databases | Chapter 5, “Data and Storage” |
select an appropriate data platform based on requirements | Chapter 5, “Data and Storage” |
recommend database service tier sizing | Chapter 5, “Data and Storage” |
recommend a solution for database scalability | Chapter 5, “Data and Storage” |
recommend a solution for encrypting data at rest, data in transmission, and data in use | Chapter 2, “Security and Identity” |
Design data integration | Chapter 5, “Data and Storage” |
recommend a data flow to meet business requirements | Chapter 5, “Data and Storage” |
recommend a solution for data integration, including Azure Data Factory, Azure Data Bricks, Azure Data Lake, Azure Synapse Analytics | Chapter 5, “Data and Storage” |
Select an appropriate storage account | Chapter 5, “Data and Storage” |
choose between storage tiers | Chapter 5, “Data and Storage” |
recommend a storage access solution | Chapter 5, “Data and Storage” |
recommend storage management tools | Chapter 5, “Data and Storage” |
Design Business Continuity | |
Design a solution for backup and recovery | Chapter 9, “Monitor and Recovery” |
recommend a recovery solution for Azure hybrid and on-premises workloads that meets recovery objectives (RTO, RLO, RPO) | Chapter 9, “Monitor and Recovery” |
design an Azure Site Recovery solution | Chapter 9, “Monitor and Recovery” |
recommend a solution for recovery in different regions | Chapter 9, “Monitor and Recovery” |
recommend a solution for Azure Backup management | Chapter 9, “Monitor and Recovery” |
design a solution for data archiving and retention | Chapter 9, “Monitor and Recovery” |
Design for high availability | Chapter 9, “Monitor and Recovery” |
recommend a solution for application and workload redundancy, including compute, database, and storage | Chapter 9, “Monitor and Recovery” |
recommend a solution for autoscaling | Chapter 4, “Compute” |
identify resources that require high availability | Chapter 4, “Compute” |
identify storage types for high availability | Chapter 5, “Data and Storage” |
recommend a solution for geo-redundancy of workloads | Chapter 4, “Compute” |
Design Infrastructure | |
Design a compute solution | Chapter 4, “Compute” |
recommend a solution for compute provisioning | Chapter 4, “Compute” |
determine appropriate compute technologies, including virtual machines, App Services, Service Fabric, Azure Functions, Windows Virtual Desktop, and containers | Chapter 4, “Compute” |
recommend a solution for containers | Chapter 4, “Compute” |
recommend a solution for automating compute management | Chapter 4, “Compute” |
Design a network solution | Chapter 3, “Networking” |
recommend a solution for network addressing and name resolution | Chapter 3, “Networking” |
recommend a solution for network provisioning | Chapter 3, “Networking” |
recommend a solution for network security | Chapter 3, “Networking” |
recommend a solution for network connectivity to the Internet, on-premises networks, and other Azure virtual networks | Chapter 3, “Networking” |
recommend a solution for automating network management | Chapter 3, “Networking” |
recommend a solution for load balancing and traffic routing | Chapter 3, “Networking” |
Design an application architecture | Chapter 4, “Compute” |
recommend a microservices architecture including Event Grid, Event Hubs, Service Bus, Storage Queues, Logic Apps, Azure Functions, and webhooks | Chapter 6, “Hybrid, Compliance, and Messaging” |
recommend an orchestration solution for deployment of applications including ARM templates, Logic Apps, or Azure Functions | Chapter 8, “Migrate and Deploy” |
recommend a solution for API integration | Chapter 7, “Developing for the Cloud” |
Design migrations | Chapter 8, “Migrate and Deploy” |
assess and interpret on-premises servers, data, and applications for migration | Chapter 8, “Migrate and Deploy” |
recommend a solution for migrating applications and VMs | Chapter 8, “Migrate and Deploy” |
recommend a solution for migration of databases | Chapter 8, “Migrate and Deploy” |