Microsoft Azure Architect Technologies – Exam AZ-300
March 29th, 2019
This course is designed to help you master the requisite skills required for the Microsoft Azure AZ-300 certification exam.
The AZ-300 exam is an expert level exam which tests candidates for advanced knowledge and experience working with various aspects of Microsoft Azure.
Throughout this course you will progressively build and expand upon both your knowledge, and hands-on experience working with Azure technologies including, but not limited to: infrastructure and operations, advanced and automated infrastructure, identity and security, hybrid cloud, and developing apps and services for the cloud.
Find the Interactive Diagram for this course - The Blushift Guide - here: https://interactive.linuxacademy.com/diagrams/TheBlueShiftGuide.html
Welcome to the Course
This course will help you on your journey to becoming an Azure Solution Architect. Through a range of video lessons, hands-on labs, and other content, you will learn all the knowledge and skills required for the Microsoft AZ-300 exam. The AZ-300 exam tests both technical knowledge, and familiarity with the Azure management tools and services. This course is structured to help wiith both. Starting with a recap of Azure fundamentals, we will progressively build knowledge, skills, and intamacy with a range of Azure technologies. Important Note Whilst this course is structured to cater to different skill levels, AZ-300 is an expert level exam. As such it is expected that you will already be familiar with Azure concepts, technologies, and tools. Helpful Support Reach out to me directly with any questions or concerns; my passion is to help you be successful with AzureJoin the Linux Academy Community Slack here and check out the #azure and #az-300 channelsThe Linux Academy Community provides you with access to like-minded students and staff who can help you learn!
About the Training Architect
G'day (as we say in Australia)! It's great to be with you. My name is James Lee, and I'll be your training architect for this course. I'm really excited to be helping you on your training journey. I'd love to hear from you, so please do feel welcome to reach out to me in community or Twitter @jamesdplee.
Using the Blueshift Guide
The Blueshift Guide is used throughout the AZ-300 course to help illustrate important concepts. You can use this interactive diagram whilst following along with lessons, and as as a study guide by itself. Link The Blueshift Guide
Getting Started with Azure
Building the Basics
Azure Overview - Part 1
In this lesson we will discuss some of the core anatomy of Azure. In Part 1 our focus wil be on the subscription and services layer, and includes a refresher on subscriptions, resource groups, and the relationship with Azure AD Tenants.
Azure Overview - Part 2
In this lesson, we will take a look at the physical layer of Azure. This high-level overview provides a refresher on the composition of Azure in terms of geography and networking.
Getting Started with Virtual Networks
Starting off with a high-level refresher on Virtual Networks (VNet), this "getting started" lesson walks through the creation of our first VNet, which we will continue to use throughout the course.
Getting Started with Storage Accounts
In this lesson we will get an overview of Azure Storage Accounts. We have two main goals for this lesson: Provide a refresher on Storage AccountsCreate a Storage Account we can use throughout the course
Getting Started with Virtual Machines
In this lesson we will get started with Virtual Machines. There are two main items we will focus on: A very high-level recap of Virtual MachinesCreating our first Virtual Machine to use throughout this course
Infrastructure and Operations
Subnets are an important part of virtual networking, as these are where most of the action occurs. In this lesson, we will take a look at subnet configuration, including the application of security and routing. Note: As this is the first lesson which uses the Cloud Shell, if you are following along in your own subscription you may need to configure your Cloud Shell storage for first time use. Commands used in this lesson: List existing vnets: az network vnet list --output tableCreate subnet: az network vnet subnet create -g vnet1rg --vnet-name vnet1 -n subnet2 --address-prefix 10.1.2.0/24 For more details on az commands, see: https://docs.microsoft.com/en-us/cli/azure/reference-index?view=azure-cli-latest
A Network Interface (also referred to as a NIC) is an independent resource within Azure. It is through a NIC that we are able to provide connectivity to resources on the Virtual Network (VNet). In this lesson we will discuss and configure a NIC, including the important sub-configuration item: IP Configuration. Commands used in this lesson: Create a NIC: az network nic create -g vnet1rg --vnet-name vnet1 --subnet subnet1 -n nic1
Public and Private IPs
In this lesson we take a look at the two types of IP addresses: public and private. Within Azure, a public IP address is an independent resource which can be assigned to other network services, providing public accessibility. Private IP addresses, on the other hand, are typically sub-configuration items of various services themselves. Commands used in this lesson: Get NIC info: $nic1 = Get-AzureRmNetworkInterface -ResourceGroupName vnet1rg -Name nic1Get public IP info: $pubip = Get-AzureRmPublicIpAddress -ResourceGroupName lab01rg -name pubip01Get NIC IP Config: $nic1.ipconfigurations, $nic1.ipconfigurationsGet public IP of NIC IP configuration 0: $nic1.ipconfigurations.PublicIPAddressAssign public IP: $nic1.ipconfigurations.PublicIPAddress = $pubipSet updated configuration: Set-AzureRmNetworkInterface -NetworkInterface $nic1
Network security within Azure Virtual Networks (VNets) is primarily achieved through the use of Network Security Groups (NSGs). In this lesson we'll discuss and configure NSGs, and specifically consider the following: The flow of traffic when no NSGs are appliedThe flow of traffic when an NSG is applied to a NICThe flow of traffic when an NSG is applied to a NIC and a subnet Important note: It is important to be mindful of the differences between a public IP using the basic SKU, compared to the standard SKU as mentioned in the Public and Private IP Addressing lesson. When you use the basic SKU and use no NSGs, all traffic is allowed. When you use the standard SKU and use no NSGs, all traffic is denied.
VNet Routing and Connectivity
It is important to understand the default routing of traffic within Virtual Networks (VNets), as well as how this behaviour can be modified. In this lesson we'll discuss and configure custom routes within a VNet, and look at the effective routes for NIC.
Within Azure it is not possible to perform an operating system (OS) installation. This is the first problem, which VM images help us to solve. In this lesson, we will take a look at both marketplace images and custom images, and discuss how they can be used and created. Commands used in this lesson: Get image publishers: Get-AzureRmVmImagePublisher -location australiasoutheast | select publishernameGet image offer: Get-AzureRmVmImageOffer -Location australiasoutheast -publisher canonical | Select OfferGet image SKU: Get-AzureRmVmImageSku -Location australiasoutheast -Publisher canonical -Offer UbuntuServer | Select SkusGet image: Get-AzureRMVMImage -Location australiasoutheast -Publisher canonical -Offer ubuntuserver -Sku 16.04-lts | Select VersionSet VM source image: Set-AzureRmVMSourceImage -PublisherName Canonical -Offer UbuntuServer -Skus 16.04-LTS -version latest
Within this lesson we will discuss VM storage, including managed and unmanaged disks, and the different performance tiers we can configure.
VM extensions are lightweight applications or services which we can provision as a property of the VM itself. In this lesson we will discuss VM extensions, and consider the two main scenarios in which they are used; VM monitoring, and post-deployment configuration.
Through the use of network interface (NIC) we can provide a VM with connectivity to a Virtual Network. As we have already discussed the NIC separately, this lesson focuses on special considerations from the operating system perspective, and for the scenario when IP forwarding is required.
There are a number of important characteristics of the storage account which we need to be cognizant of as a solution architect. This lesson takes a detailed look at the main properties of a storage account, including the type/kind, performance tier, access tier, and replication options. Commands used in this lesson: Create storage account: New-AzureRmStorageAccount -ResourceGroupName lab01rg -AccountName lalabsa02 -Location australiaeast -Kind BlobStorage -SkuName Standard_GRS -AccessTier HotCreate storage account: New-AzureRmStorageAccount -ResourceGroupName lab01rg -AccountName lalabsa03 -Location australiaeast -Kind Storage -SkuName Standard_LRS -AccessTier Hot
Storage Account Security
Within this lesson we focus on the main ways in which a storage account can be secured, including: Access KeysAccount Shared Access Signatures (SAS)Service Shared Access Signatures (SAS) Whilst configuring and observing these in action, we will also consider some limitations of the SAS and how stored access policies can be used to help with their management.
Storage Account Networking
Storage accounts are publicly accessible by default. In order to manage security and help optimize network connectivity, there are two features of storage accounts we can configure: Storage account firewallsService endpoints for Microsoft storage In this lesson we will discuss and configure these networking features, and observe their impact through Storage Explorer. Commands used in this lesson: Configure service endpoint: az network vnet subnet update -g vnet1rg --vnet-name vnet1 -n subnet1 --service-endpoints "Microsoft.Storage"
Azure Monitor is Microsoft's collection of features and services for end to end management and monitoring of Azure services and resources. Within this lesson we will look at the different sources and types of monitoring data, as well as what we can do with the information. Important Note: this is an overview lesson to help demonstrate the different components of Azure Monitor. Microsoft have taken a range of services (which were once separate) and placed them within "Azure Monitor". This is an ongoing change by Microsoft, and so somethings can be quite complicated/messy. If you are following along, you may find some things (such as Log Analytics) are not yet setup. We will configure this in later videos within this section.
Activity Log provides us with the ability to review different operations and activities occurring across our subscription. Within this lesson we will look at the different types and sources of information visible within the Activity Log, and specifically some examples for a storage account.
Alerts and Action Groups
Within Azure Monitor is the ability to monitor for different conditions and alert when the criteria is met. In this lesson we will confiugre an alert end-to-end, and then look at how to manage alerts which have been triggered.
Log Analytics is a service within Azure Monitor which enables us to store and query a range of different log data. In this lesson we will look at the functionality of Log Analytics, and get started with the creation of our first Log Analytics workspace.
Following on from the previous lesson on Log Analytics, in this lesson we will take a look at how to perform queries on log data. Specifically we will consider the log query language, the schema of log data stored in our workspace, and how to save queries as a function for later re-use. Queries used in this lesson: AzureActivity | limit 50AzureActivity | where OperationName == "Regenerate Storage Account Keys"AzureActivity | where Caller == "email@example.com"
Managing costs is an important part of every solution architect's job. In this lesson we look at three tips for managing costs. Azure Pricing Calculator - providing cost estimates and pricing information for resourcesCost Analysis within the Azure Portal - providing detailed information on the cost of resources running in your subscriptionAzure Advisor - providing recommendations on how to optimize spend, specifically tailored to your subscription
Advanced and Automated Infrastructure
Virtual Networks (VNets) are isolated and private networks. By default, there is no connectivity between VNets. Resources in VNets can only talk to other resources in the same VNet, or publicly over the Internet. VNet Peering allows us to privately connect VNets together, so that resources can talk via private IP across VNets. In this lesson we will configure and test VNet Peering, as well as discuss a number of special configuration items and limitations. Commands used in this lesson: Create VNet peer: az network vnet peering create -g vnet1rg -n vnet1-to-vnet3-peer --vnet-name vnet1 --remote-vnet /subscriptions/xx-xx-xx/resourceGroups/vnet3rg/providers/Microsoft.Network/virtualNetworks/vnet3 --allow-vnet-accessCreate return VNet peer: az network vnet peering create -g vnet3rg -n vnet3-to-vnet1-peer --vnet-name vnet3 --remote-vnet /subscriptions/xx-xx-xx/resourceGroups/vnet1rg/providers/Microsoft.Network/virtualNetworks/vnet1 --allow-vnet-access
Virtual Machine High Availability
VM High Availability
This lesson provides an overview of the different options available to us to implement highly available VMs. Through this lesson we'll cover some of the high level concepts, services, and foundational knowledge. This helps set the stage for the remaining detailed lessons within this section. Helpful links: Understand SLA requirements for VM's: https://azure.microsoft.com/en-us/support/legal/sla/virtual-machines/v1_8/
VM Availability Sets
Availability Sets are an important tool which we use to ensure Virtual Machines are highly available. By placing VMs which serve the same purpose in to the same Availability Set, we're essentially asking Microsoft to help ensure they don't all go offline at the same time. In this lesson we'll learn about Availability Sets, Fault Domains, Update Domains, and how we use these to ensure that our solution remains highly available.
VM Scale Sets
Virtual Machine Scale Sets help us to achieve both high availability and dynamic elasticity. It's a very useful service when combined with load balancing, such as the Azure Load Balancer to Application Gateway. In this lesson we'll discuss and configure a VM Scale Set, including: The definition of the VM within our VM Scale SetAutoscaling and the different ways in which autoscale is configured
Azure Load Balancer
For most highly-available (HA) solutions, the architecture includes multiple, duplicate resources, which actually serve the solution to end-users. This HA architecture should be transparent to them. An Azure Load Balancer helps achieve this, by providing a centralized address which users can access. User requests and replies are then transparently managed by the Azure Load Balancer. In this lesson, we confugre an Azure Load Balancer to make a VM Scale Set hosted website highly available.
Azure Application Gateway
The Azure Application Gateway is used for routing and distributing web application traffic. While the Load Balancer operates only at layer 4, the Application Gateway operates at layer 7. Operating at layer 7 allows the Application Gateway to provide more advanced web application specific features. URL path-based forwarding, SSL offload, and protection against web application vulnerabilities and threats are some good examples. In this lesson, we will configure the Application Gateway to forward web traffic to a web application that is hosted on a VM Scale Set. Additionally we will configure path-based fowarding to leverage an additional VM.
Automated VM Deployments
Automated deployments are one of the many benefits of cloud. When we want to automate the deployments of Virtual Machines (VMs) within Azure, we do it using a combination of Azure Resource Manager (ARM) Templates, and tools such as PowerShell, CLI, or code. In this lesson you will become familiar with: Azure Resource Manager TemplatesThe definition of a VM resource, including storage profileWhere you can monitor deployments in the portalHow to download ARM Templates from the portal Commands used in this lesson: New resource group: New-AzureRmResourceGroup -name deploytestrg -Location "Australia Southeast"Secure password: $pw = Read-Host "Enter Pass" -AsSecureStringNew deployment: New-AzureRmResourceGroupDeployment -ResourceGroupName deploytestrg -TemplateUri uri -adminUsername adm-jlee -adminPassword $pw
Identity and Access Management
Azure Active Directory
Azure Active Directory
Azure Active Directory (AD) provides us with a range of identity and access management (IAM) functionality, through a fully managed cloud service. Cloud based IAM is increasingly important as our users now work from a variety of locations and personal devices, and access applications in the cloud. Traditionally, all access has been from organization-controlled devices, at fixed locations, to applications that we manage. In this new world, Azure AD helps us to centralize identity management, provides our users with simplified experiences (for example single sign-on), and so on. Through this lesson we will discuss Azure AD, the association with Azure subscriptions, and how to configure custom domains.
Azure AD Device Management
Managing devices within Azure AD helps us to achieve a range of functionality, such as: Access control using device detailsImproved user sign-in experienceImproved user experience generally (using Enterprise State Roam)And much more Within this lesson, we'll discuss the three main ways of registering our devices within Azure AD. We'll also look at the configuration of Enterprise State Roam, and discuss how it provides a more seamless experience for our users.
Azure AD Self-Service Password Reset
With identity being so critical in today's cloud-centric world, it's important we ensure user logins work without issues. Self-Service Password Reset (SSPR) is one such Azure AD feature that helps to achieve that. SSPR provides end-users with the ability to reset their own passwords, without having to call a helpdesk. Through the use of authentication methods, such as secret questions, email, or text message, users can reset their own password after verifying their identity. In this lesson we will: Configure SSPREnable two authentication methodsTake a look at the end-user experience with SSPR
Azure AD Identity Protection
By using machine learning, Microsoft can alert us of things that appear "risky," with respect to Azure AD idenities. Azure AD Identity Protection looks for patterns across our environment, and is able to report when something looks suspicious. With modern organizations supporting multiple devices, locations, and cloud applications, it is important that we have as much control over identity as possible. In this lesson we will look at: What Azure Identity Protection isRisks and vulnerability assessmentsPolicies which can use this information to both proactively and reactively control authentication
Multi-factor authentication (MFA) helps secure user identities by adding an additional requirement for users logins. In most cases, users login with a username and a password. MFA refers to the need for something else to be required during login. It might be something like a mobile phone, a hardware token, or an email account. With MFA, a user then requires something they know (username + password) and something they have (mobile phone) to help protect against weak passwords, leaked credentials, etc. Throughout this course we look at: How to enable MFADifferent MFA authentication typesThe MFA enrolment process
Azure AD Conditional Access Policies
Azure AD provides a number of related services or features which improve access control. For example, multi-factor authentication and identity protection. In recent lessons we've seen how we can restrict access using these services. But what if we want to ignore MFA for a specific cloud app? What if we want to block any Azure admin access to the Azure portal if it is risky? Conditional access policies provide us with this type of flexibility, and the ability to assess and apply access restrictions based on a range of conditions. In this lesson we will: Discuss important conditional access featuresCreate a conditional access policyUse functionality for testing whether our policies will work the way we intend
Role-Based Access Control
Role-based access control (RBAC) provides us with the ability to manage permissions on resources within an Azure subscription. There are two main ways to assign RBAC permissions: Built-in, roles which are defined by Microsoft alreadyCustom roles, which we can define ourselves to configure allow/deny access exactly as we choose In this lesson, we'll cover: What RBAC achieves, compared to our other access controlsHow we can assign RBAC rolesHow we can configure and assign custom RBAC rolesHow to troubleshoot / view effective permissions Helpful commands and links: https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operationsTo create a custom role from our JSON definition: az role definition create --role-definition ./customRole.jsonWe could also assign the role from CLI: az role assignment create --role LAAzureAdmin --assignee username --resource-group rgname
Hybrid identity is the practice of creating a single user identity for authentication, and authorization to all resources whether they're on-premises or in the cloud. In order to have identity that exists in both places, on-premises and within Azure AD, we use a solution called Azure AD Connect. Within this lesson we'll take a look at: What Azure AD Connect is, and what it doesThe three main sign-on (authentication) modesSingle sign-on This lesson prepares us for the following lesson, Azure AD Connect, where we will actually configure hybrid identities.
Azure AD Connect
As we discussed in the previous lesson, Azure AD Connect is a Microsoft solution which allows us to configure hybrid identities. In this lesson, we'll walk through a demonstration installation of Azure AD Connect using Password Hash Sync (PHS). In this lesson, we will cover: Requirements for using Azure AD ConnectConfiguring Azure AD Connect with PHSHow staging mode is configuredUsing management tools to control syncrhonization Important tools and tips: Syncrhonization Service Manager allows management of the connectors and synchronization profilesSynchronization can be triggered using: Start-ADSyncSyncCycle: -PolicyType Intial option is for the initial sync-PolicyType Delta is for differential sync In staging mode, synchronization will run (both automatically or if you use the command) but will not do an actual export to Azure AD
Azure VPN Gateway
Azure VPN Gateway supports hybrid connectivity between an Azure Virtual Network (VNet) and: A remote site using site-to-site (S2S) VPNA single computer using peer-to-site (P2S) VPNAnother VNet using vnet-to-vnet When configuring a Virtual Network Gateway for VPN, we call this a VPN Gateway. Throughout this lesson we will: Configure a VPN GatewayConfigure a S2S VPN, including all required resourcesCover off some key considerations and properties
Azure VPN Gateway Troubleshooting
In Azure VPN Gateways, the underlying infrastructure is deployed to a GatewaySubnet and fully managed by Microsoft. This can make troubleshooting difficult. Because of this, it helps to know some of the methods available to us should we need to troubleshoot. In this lesson we'll take a look at: Network Watcher VPN Troubleshoot,Azure Gateway Health Probe. Helpful links https://YourVirtualNetworkGatewayIP:8081/healthprobe
ExpressRoute - Part 1
ExpressRoute provides a secure, and more direct, connection between on-premises networks and a Virtual Network (VNet) within Azure. Unlike a site-to-site VPN, ExpressRoute does not traverse the public Internet. Instead, peering providers are used to establish a redundant connection to the Microsoft network edge. Using ExpressRoute, we have access to Private and Public Peering. Private Peering provides connectivity to our VNet, whereas Public Peering provides direct connectivity to Microsoft services, such as Office 365. In Part 1 of this lesson, we will: Discuss the use cases for ExpressRouteLook at Private and Public PeeringConfigure a VNet Gateway using PowerShell In Part 2, we'll continue the configuration of ExpressRoute. PowerShell commands used in this lesson: Save our vnet1 information to a variable: $vnet1 = Get-AzureRmVirtualNetwork -ResourceGroupName vnet1rg -Name vnet1Save our GatewaySubnet information to a variable: $gwsubnet = Get-AzureRmVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnet1Create a public IP for the VNet gateway: $gwIP = New-AzureRmPublicIpAddress -name "ergwip01" -ResourceGroupName $vnet1.ResourceGroupName -Location $vnet1.Location -AllocationMethod DynamicCreate the VNet gateway network config: $gwconfig = New-AzureRmVirtualNetworkGatewayIpConfig -Name "ergw01IpConfig" -SubnetId $gwsubnet.Id -PublicIpAddressId $gwIP.IdCreate the VNet gateway: $gw = New-AzureRmVirtualNetworkGateway -Name "ergw01" -ResourceGroupName $vnet1.ResourceGroupName -Location $vnet1.Location -IpConfigurations $gwconfig -GatewayType "ExpressRoute" -GatewaySku Standard
ExpressRoute - Part 2
In Part 2 of our lesson on ExpressRoute, we cover: The creation of an ExpressRoute circuitThe use of our Connection resourceImportant information about the provisioning processImportant information about routing/peering configuration
Azure Site Recovery Migrations
Azure Backups is a managed backup service provided by Microsoft. It includes a range of tools to support backing up both Windows and Linux data from on-premises storage systems, other cloud environments, and Azure itself. Whichever Azure Backup tool we use, the first step is always going to be the creation of a recovery services vault. When configuring the software, we will also need to use the vault credentials, so that the software has access to store data in the recovery services vault. In this lesson, we will: Configure a Recovery Services VaultInstall the Microsoft Azure Recovery Services (MARS) agentRegister the agent with our vault using the credentialsPerform a backupPerform the recovery of data
Azure Site Recovery - Part 1
Using Azure Site Recovery (ASR), we gain access to two main features. First, we get access to disaster recovery through the use of replication and site failover. Second, we can use the same functionality to help perform migrations of on-premises or AWS servers across to Azure. In part 1 of this lesson on ASR we will: Discuss the key components and tools of ASRGet started configuring our demo environment for migration Be sure to check out Part 2 of this lesson, where we will conclude the installation and configuration of ASR for migrations.
Azure Site Recovery - Part 2
In part 2 of the Azure Site Recovery (ASR) lesson, we continue with the installation and configuration of ASR for migration. Through this lesson we will: Complete the preparation of the source environment,Configure replication with ASR for a test server,Review migration options using failover.
Compute and Container Based Apps
Azure Container Registry
Az part of working with containers, it helps to have a way for maintaining the container images you develop. Azure Container Registry is a Microsoft managed implementation for managing those images, and it's compatible with Docker Registry v2.0. Whilst containers do not feature heavily in AZ-300, we will still take a glance at them, and their purposes. Through this lesson, we will: Discuss the fundamentals of containersCreate a docker container imageCreate an Azure Container Registry repositoryPush our image to our new repository Command line tools used in this lesson: To build our image: docker build -t hellola-web:v1 .To create the registry: az acr create --resource-group containersrg --name laazreg01 --sku BasicTo prepare our image: docker tag hellola-web:v1 laazreg01.azurecr.io/hellola-web:v1To log into our registry: docker login laazreg01.azurecr.ioTo upload our image: Docker push laazreg01.azurecr.io/hellola-web:v1
Azure Container Instances
Once a container instance is developed, it needs to be deployed container engine, in order for it to run. We refer to the running image as a container. Microsoft provides a really easy-to-use service for deploying and running containers: Azure Container Instances. In this lesson we will: Discuss when we should use Azure Container InstancesDeploy a container from the image we created earlierTest that our container is working
Azure Kubernetes Service
Kubernetes itself is an open-source solution, which helps with the management of a multi-container environment. Using Azure Kubernetes Service (AKS), we can easily deploy a fully managed Kubernetes cluster. Throughout this lesson, we will: Discuss when to use AKSCreate an AKS clusterReview AKS management options within the portalConsider Kubernetes cluster management options
Azure Web Apps
Azure Web Apps is a platform-as-a-service (PaaS) solution which simplifies the deployment of web apps to the cloud. Using Web Apps, there's no need to manage the underlying infrastructure. They also provide features like auto-scale, SSL, custom domains, and more. Through this lesson we'll work through the: Creation of an App Service PlanDeployment of a Web App using a container image
Background Tasks with WebJobs
Using WebJobs for Web Apps, we can create background tasks that run continuously, run on a schedule, or get manually triggered. In this lesson, we cover the key elements of WebJobs, including: How to configure WebJobs in the Azure PortalApp Settings which we need to configure for Continous WebJobsThe folder location of WebJobs within App_DataHow to manage WebJobs and view log information Helpful information and links: Note: WebJobs is not supported for App Service on LinuxUsing CRON schedules: https://docs.microsoft.com/en-us/azure/app-service/webjobs-create#cron-expressions
Develop for the Cloud
Note: The Azure Portal interface has changed since this lesson was recorded. All concepts taught in this lesson are still valid and remain unchanged. You will also see that the 'Application Settings' section has changed to 'Configuration' and includes settings across two tabs. Traditional monolithic applications have various different components performing different functions. Some times an application might be sitting idle, just waiting for something to happen. For example, if an application is responsible for encoding media files, it needs to await the upload of those files before it can get started. Azure Functions helps in these scenarios, by allowing us to create very focused code which serves a single purpose. Whilst the code is not operating, we don't have to pay for the underlying infrastructure (when using the Consumption Plan). In this lesson, we will: Create an Azure Function AppCreate a Function within the Function AppConfigure a trigger, and output bindingTake a look at management operations
Logic Apps are often referred to as "the glue that binds services together." Through advanced workflows, Logic Apps can integrate a plethora of services together, in a range of different ways. For example, we might need to monitor storage for uploads. Once a file is uploaded, we may need to call a Function App, send an email, and create a transaction record in our database. In this lesson we will: Create a Logic AppWalkthrough a basic workflow which deletes old blobs in Blob StorageReview some key management operations
Message-based Integration Architecture
Note: The Azure Portal interface has been updated and may appear different for you. All concepts taught in this lesson are still valid & remain unchanged. Event Grid is a managed service for the publishing of and subscribing to event information. Events are small pieces of information about something that has happened. Using Event Grid we can avoid the need for our backend application having to constantly poll/query something when monitoring for an event. Instead, our backend application can subscribe to an Event Grid topic, and wait to be sent that information once the event occurs. Through this lesson we will: Discuss the core components of Event GridConsider an example of when to use Event GridCreate an Event Grid, Topic, and SubscriptionUse the Python SDK to publish information to the Topic Helpful Links: Event Grid SDK's: https://docs.microsoft.com/en-us/azure/event-grid/sdk-overviewCode samples: https://azure.microsoft.com/en-us/resources/samples/?sort=0&service=event-gridPython specific code sample: https://azure.microsoft.com/en-us/resources/samples/event-grid-python-public-consume-events/
Notification Hubs is a fully managed, cross-platform solution for simplifying the use of push notification services (PNS). In this lesson we will: Discuss the use cases of Notification Hubs,Configure a Notification Hub, andWalk through the resource hierarchy and security. Important Notes: The Notification Hub is accessed via namespacename.servicebus.windows.net, Access to the hub is restricted with the access policies,You must register with each PNS you need to support. See an example for configuring iOS here: https://docs.microsoft.com/en-au/azure/notification-hubs/notification-hubs-ios-apple-push-notification-apns-get-started
An Event Hub is a massively scaling event ingestion and streaming service, fully managed by Microsoft. Typical use cases for Event Hubs would include live dashboards at banks that monitor data, process transactions, or detect anomalies. Event Hubs process millions of events per second, and enable a publish-subscribe model which supports partitioned consumer programming patterns. Through this lesson we will cover: Event Hub resource hierarchyCreation of an Event Hub within a namespaceImportant information about securityPartitioned consumer model
Services Bus is one of Microsoft's many messaging and integration services. It's typically used when delivering very important messages between solutions. Service Bus provides a range of capabilities which ensure that messages are delivered without issue, are not lost, and are not duplicated. Throughout this lesson we will: Discuss the features and benefits of Service BusConfigure a Service Bus and walkthrough the resource hierarchyConfigure both queues and topicsCover a range of important queue properties
If an on-premises solution needs public accessibility and connectivity, Azure Relay can help. Using the Azure Relay SDK's, it's possible to create either a Hybrid Connection or WCF Relay that provides public connectivity to on-premises services, without requiring major firewall changes. Through this lesson we will cover: Creation of a Azure Relay namespaceConfiguration of a Hybrid ConnectionConfiguration of authenticationDemonstration of sample code for sending/receiving information through the relay Useful links: Microsoft sample code and guidance: https://docs.microsoft.com/en-us/azure/service-bus-relay/relay-hybrid-connections-node-get-startedAzure Relay SDK/API information: https://docs.microsoft.com/en-us/azure/service-bus-relay/relay-api-overview
Authentication and Data Security
Using a Managed Identity, we can securely authenticate Azure services against other Azure services. This helps to avoid the need for storing and rotating credentials within code, which could potentially be exploited. In this lesson we will: Associate a Managed Identity with a VMAssign the identity permissions to a subscriptionRetrieve a token from the Instance Metadata ServiceUse that token to authenticate against the ARM API Commands used in this lesson include: Retrieve the token: curl 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/' -H Metadata:trueRetrieving resource group info: curl -H "Authorization: Bearer <TOKEN>" https://management.azure.com/subscriptions/<SUB>/resourceGroups/<RG>?api-version=2016-09-01Retrieve resource group info: curl -H "Authorization: Bearer <TOKEN>" https://management.azure.com/subscriptions/<SUB>/resourceGroups/1?api-version=2016-09-01Delete resource group: curl -X DELETE https://management.azure.com/subscriptions/<SUB>/resourceGroups/<RG>?api-version=2018-05-01 -H "Authorization: Bearer <TOKEN>
Through research and development, Microsoft have been investing in securing Azure resources in a range of ways. Confidential Compute focuses on efforts toward encrypting data "in use". Generally when we talk about encryption, we focus on "at rest", and "in transit". Encryption in use is achieved through the use of Trusted Execution Environments (TEEs). In order to harness TEEs, we must use the Open Enclave SDK. Through this lesson we will: Discuss the purpose of Confidential ComputeConsider the use of the Open Enclave SDKNavigate through the creation of Confidential Compute VMsDiscuss various requirements and concepts
Where do applications and scripts store confidential information securely? The Azure Key Vault. The Key Vault is designed for securely storing secrets, keys, and certificates, all with programmatic access in mind. Using the Key Vault API we can create, delete, and manage entities within the Key Vault. Note: Managed Identities aren't required for interacting with the Key Vault service, however they help avoid the need for storing credentials to access Key Vault itself (which can defeat the purpose). In this lesson we will: Use Managed Service Identity for a Virtual Machine, to securely access a Key VaultManage access controls for the Key Vault data planeWalkthrough a Python script, which will securely access and retrieve a secret from our Key Vault Helpful Links: Microsoft tutorial on accessing the Key Vault with the API and Python: https://docs.microsoft.com/en-us/azure/key-vault/tutorial-python-linux-virtual-machineKey Vault REST API Reference: https://docs.microsoft.com/en-us/rest/api/keyvault/
Azure Disk Encryption
Azure Disk Encryption (ADE) is a service which protects information on your Virtual Machine (VM) Operating System and Data disks. Whereas Storage Service Encryption (SSE, which is enabled by default) protects your VM disks at rest in the Microsoft datacenters, ADE encrypts the information inside the disks itself. Through this lesson, we will: Configure a Key Vault for ADEEnable ADE on a virtual machineCheck the status of encryption Helpful Links: Enabling encryption: https://docs.microsoft.com/en-us/azure/security/azure-security-disk-encryption-windows
Database Services (as per updated AZ-300 exam 02/22/2019)
Azure SQL Database
Azure SQL Database: Part 1
Azure SQL Database is Microsoft's fully managed, SQL Server-as-a-service solution. It includes a range of options with functionality like an on-premises SQL Server. Working with Azure SQL Database helps avoid the need for managing underlying infrastructure, and provides an easy way to get up and running with cloud-based relational databases. In Part 1 of this lesson, we will: Discuss the three main types of Azure SQL DatabaseConfigure a SQL Server, Elastic Pool, and DatabaseDiscuss authentication and encryption options
Azure SQL Database: Part 2
In Part 2 of the Azure SQL Database lesson, we will walkthrough some basic code which uses SQL queries that view and modify our database. In this lesson we will: Use Node.JS to connect to our databaseUse SQL query language to view and modify tables. Helpful links: Tedious Node.JS module for SQL interactionMicrosoft Node.JS getting started guide
Cosmos DB: Part 1
Cosmos DB is a multi-master, multi-mode, planet-scale managed database solution. With Cosmos DB you can develop applications that will have rapid and reliable access to data all over the world. Cosmos DB is a distributed database with transparent replication. In Part 1 of this lesson, we will: Create a Cosmos DB namespaceDiscuss various configuration itemsUse code to create a database, collection, and items In Part 2, we will discuss the importance of partitioning and default consistency levels. Helpful Links: Cosmos DB SDK notesPython getting started
Cosmos DB: Part 2
In Part 2 of our Cosmos DB lessons, we discuss two important design considerations: partitioning, and consistency. Partitioning is focused on the way in which data is distributed across infrastructure for high availability and scalability. Consistency refers to how "up to date" our information will be in a globally distributed model. For example, if data is written in Australia and then read in America, will the America read transaction have to wait until synchronizing with Australia? Or is it OK for the read transaction to return old information, so long as it eventually becomes "current". In this lesson we will discuss: The importance of partitioningTips for selecting a partition keyThe importance of consistencyThe five different consistency options available Helpful links: Choosing a partition keyConsistency levels
Congratulations!! You have completed over 70 lessons, learnt about more than 25 Azure services, and covered even more features and configurations. In this video we'll go over some tips for how to prepare for the AZ-300 exam, including hands-on labs, flash cards, and the practice exam. I'm very thankful to you for coming along on this learning journey with me. If you have any questions please feel welcome to reach out! I'll see you in the next course! Please reach out to me directly with any questions or concerns, or through our community. I'm always happy to help: Email: firstname.lastname@example.orgLinkedIn: James LeeTwitter: @jamesdpleeSlack: I'm always in the #azure and #az-300 channels (you can join our community slack here)
About the Exam
The AZ-300 exam is one of two exams required to become certified as a Microsoft Certified Azure Solutions Architect Expert. You can book the exam at the following link: https://www.microsoft.com/en-us/learning/exam-az-300.aspx In most locations, this exam can be taken either online (Online Proctored) or on-site at an exam testing center. If you have any questions or concerns about the course, or the AZ-300 exam, please feel welcome to reach out to myself or the Linux Academy community.
AZ-300: Microsoft Azure Architect Technologies - Practice Exam