Microsoft Azure Architect Technologies – Exam AZ-300
This course is designed to help you master the requisite skills required for the Microsoft Azure AZ-300 certification exam.
The AZ-300 exam is an expert level exam which tests candidates for advanced knowledge and experience working with various aspects of Microsoft Azure.
Throughout this course you will progressively build and expand upon both your knowledge and hands-on experience working with Azure technologies including, but not limited to: infrastructure and operations, advanced and automated infrastructure, identity and security, hybrid cloud, and developing apps and services for the cloud.
NOTE: Microsoft is replacing the AZ-300 exam with the AZ-303 exam. The AZ-303 course is currently under development. In the interim, feel free to continue with the AZ-300 course, but please be aware that the content may contain outdated user interfaces.
Welcome to the Course
This course will help you on your journey to becoming an Azure Solution Architect. Through a range of video lessons, hands-on labs, and other content, you will learn all the knowledge and skills required for the Microsoft AZ-300 exam. The AZ-300 exam tests both technical knowledge and familiarity with the Azure management tools and services. This course is structured to help with both. Starting with a recap of Azure fundamentals, we will progressively build knowledge, skills, and intimacy with a range of Azure technologies.
Important Note: Whilst this course is structured to cater to different skill levels, AZ-300 is an expert level exam. As such it is expected that you will already be familiar with Azure concepts, technologies, and tools.
Exam Update: Microsoft is replacing the AZ-300 exam with the AZ-303 exam. The AZ-303 course is currently under development. In the interim, feel free to continue with the AZ-300 course, but please be aware that the content may contain outdated user interfaces.
Helpful Support: Reach out to me directly with any questions or concerns; my passion is to help you be successful with Azure. Join the Linux Academy Community Slack and check out the #azure and #az-300 channels. The Linux Academy Community provides you with access to like-minded students and staff who can help you learn!
About the Training Architect
G'day (as we say in Australia)! It's great to be with you. My name is James Lee, and I'll be your training architect for this course. I'm really excited to be helping you on your training journey. I'd love to hear from you, so please do feel welcome to reach out to me in the community or on Twitter @jamesdplee.
Using the Blueshift Guide
The Blueshift Guide is used throughout the AZ-300 course to help illustrate important concepts. You can use this interactive diagram whilst following along with lessons, and as a study guide by itself. The Blueshift Guide: https://interactive.linuxacademy.com/diagrams/TheBlueShiftGuide.html
Building the Basics
Azure Overview - Part 1
In this lesson we will discuss some of the core anatomy of Azure. In Part 1 our focus will be on the subscription and services layer, and includes a refresher on subscriptions, resource groups, and the relationship with Azure AD Tenants.
Azure Overview - Part 2
In this lesson, we will take a look at the physical layer of Azure. This high-level overview provides a refresher on the composition of Azure in terms of geography and networking.
Getting Started with Virtual Networks
Starting off with a high-level refresher on Virtual Networks (VNet), this "getting started" lesson walks through the creation of our first VNet, which we will continue to use throughout the course.
Getting Started with Storage Accounts
In this lesson we will get an overview of Azure Storage Accounts. We have two main goals for this lesson:
Provide a refresher on Storage Accounts
Create a Storage Account we can use throughout the course
Getting Started with Virtual Machines
In this lesson we will get started with Virtual Machines. There are two main items we will focus on:
A very high-level recap of Virtual Machines
Creating our first Virtual Machine to use throughout this course
Subnets are an important part of virtual networking, as these are where most of the action occurs.
In this lesson, we will take a look at subnet configuration, including the application of security and routing.
Note: As this is the first lesson which uses the Cloud Shell, if you are following along in your own subscription you may need to configure your Cloud Shell storage for first time use.
Commands used in this lesson:
List existing VNets:
az network vnet list --output table
Create a subnet:
az network vnet subnet create -g vnet1rg --vnet-name vnet1 -n subnet2 --address-prefix 10.1.2.0/24
For more details on az commands, see:
A Network Interface (also referred to as a NIC) is an independent resource within Azure. It is through a NIC that we are able to provide connectivity to resources on the Virtual Network (VNet).
In this lesson we will discuss and configure a NIC, including the important sub-configuration item: IP Configuration.
Commands used in this lesson:
Create a NIC:
az network nic create -g vnet1rg --vnet-name vnet1 --subnet subnet1 -n nic1
Public and Private IPs
In this lesson we take a look at the two types of IP addresses: public and private.
Within Azure, a public IP address is an independent resource which can be assigned to other network services, providing public accessibility. Private IP addresses, on the other hand, are typically sub-configuration items of various services themselves.
Commands used in this lesson:
Please note: Microsoft has updated PowerShell with a new, but very similar module for managing Azure. The concepts in this video are still correct. An update is planned to include the new PowerShell modules.
Get NIC info:
$nic1 = Get-AzureRmNetworkInterface -ResourceGroupName vnet1rg -Name nic1
Get public IP info:
$pubip = Get-AzureRmPublicIpAddress -ResourceGroupName lab01rg -name pubip01
Get NIC IP Config:
Get public IP of NIC IP configuration 0:
Assign public IP:
$nic1.ipconfigurations.PublicIPAddress = $pubip
Set updated configuration:
Set-AzureRmNetworkInterface -NetworkInterface $nic1
Network security within Azure Virtual Networks (VNets) is primarily achieved through the use of Network Security Groups (NSGs). In this lesson we'll discuss and configure NSGs, and specifically consider the following:
The flow of traffic when no NSGs are applied
The flow of traffic when an NSG is applied to a NIC
The flow of traffic when an NSG is applied to a NIC and a subnet
Important note: It is important to be mindful of the differences between a public IP using the basic SKU, compared to the standard SKU as mentioned in the Public and Private IP Addressing lesson. When you use the basic SKU and use no NSGs, all traffic is allowed. When you use the standard SKU and use no NSGs, all traffic is denied.
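As an added example (not part of the course material), the Python below models the inbound evaluation order the lesson describes: the subnet NSG is checked before the NIC NSG, within each NSG the first matching rule in priority order decides, and with no NSG at all the public IP SKU decides. The NSG names, rules and address ranges are constructed, and the VirtualNetwork service tag is simplified to the VNet's own address prefix.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Rule:
    name: str
    priority: int      # lower numbers are evaluated first; custom rules use 100-4096
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp" or "*"
    source: str        # CIDR prefix or "*"
    dest_port: str     # single port, "low-high" range or "*"

    def matches(self, proto: str, src_ip: str, port: int) -> bool:
        if self.protocol != "*" and self.protocol.lower() != proto.lower():
            return False
        if self.source != "*" and ip_address(src_ip) not in ip_network(self.source, strict=False):
            return False
        if self.dest_port == "*":
            return True
        if "-" in self.dest_port:
            low, high = (int(p) for p in self.dest_port.split("-"))
            return low <= port <= high
        return port == int(self.dest_port)


def default_inbound_rules(vnet_prefix: str) -> List[Rule]:
    # Mirrors Azure's default inbound rules. The VirtualNetwork service tag is simplified
    # to the VNet prefix; 168.63.129.16 is the Azure load balancer health-probe source.
    return [
        Rule("AllowVnetInBound", 65000, "Allow", "*", vnet_prefix, "*"),
        Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "168.63.129.16/32", "*"),
        Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*"),
    ]


class Nsg:
    def __init__(self, name: str, rules: List[Rule], vnet_prefix: str = "10.1.0.0/16"):
        self.name = name
        # Custom rules sit in front of the default rules because of their lower priority numbers.
        self.rules = sorted(rules + default_inbound_rules(vnet_prefix), key=lambda r: r.priority)

    def evaluate(self, proto: str, src_ip: str, port: int) -> Rule:
        """First matching rule in priority order decides; DenyAllInBound always matches last."""
        for rule in self.rules:
            if rule.matches(proto, src_ip, port):
                return rule
        raise AssertionError("unreachable: DenyAllInBound matches everything")


def inbound_decision(subnet_nsg: Optional[Nsg], nic_nsg: Optional[Nsg], public_ip_sku: str,
                     proto: str, src_ip: str, port: int) -> Tuple[bool, str]:
    """Returns (allowed, reason). Inbound traffic is checked against the subnet NSG first
    and then the NIC NSG; it must be allowed by both to reach the VM."""
    if subnet_nsg is None and nic_nsg is None:
        # No NSG anywhere: a basic-SKU public IP is open, a standard-SKU one is closed.
        allowed = public_ip_sku.lower() == "basic"
        verdict = "allow" if allowed else "deny"
        return allowed, f"no NSG applied; {public_ip_sku} SKU public IP defaults to {verdict}"
    for nsg in (subnet_nsg, nic_nsg):
        if nsg is None:
            continue
        rule = nsg.evaluate(proto, src_ip, port)
        if rule.access == "Deny":
            return False, f"denied by {nsg.name} rule {rule.name} (priority {rule.priority})"
    return True, "allowed by every NSG in the path"


# Constructed sample: the subnet NSG allows HTTP from anywhere and SSH from an admin range,
# while the NIC NSG on one VM only allows admin SSH, so it blocks the HTTP the subnet let in.
ADMIN_RANGE = "203.0.113.0/24"          # constructed admin source range
SUBNET_NSG = Nsg("subnet1-nsg", [
    Rule("Allow-HTTP", 100, "Allow", "Tcp", "*", "80"),
    Rule("Allow-SSH-Admin", 110, "Allow", "Tcp", ADMIN_RANGE, "22"),
])
NIC_NSG = Nsg("nic1-nsg", [
    Rule("Allow-SSH-Admin", 100, "Allow", "Tcp", ADMIN_RANGE, "22"),
])

if __name__ == "__main__":
    for label, args in [
        ("admin SSH from allowed range", (SUBNET_NSG, NIC_NSG, "standard", "Tcp", "203.0.113.5", 22)),
        ("HTTP from the Internet", (SUBNET_NSG, NIC_NSG, "standard", "Tcp", "198.51.100.7", 80)),
        ("HTTP from another VM in the VNet", (SUBNET_NSG, NIC_NSG, "standard", "Tcp", "10.1.2.4", 80)),
        ("no NSGs, basic SKU", (None, None, "basic", "Tcp", "198.51.100.7", 3389)),
        ("no NSGs, standard SKU", (None, None, "standard", "Tcp", "198.51.100.7", 3389)),
    ]:
        print(f"{label}: {inbound_decision(*args)}")
```

The second case is the one that catches people out: the subnet NSG allows port 80, but the NIC NSG has no matching custom rule, so its DenyAllInBound default rule drops the packet.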
VNet Routing and Connectivity
It is important to understand the default routing of traffic within Virtual Networks (VNets), as well as how this behaviour can be modified. In this lesson we'll discuss and configure custom routes within a VNet, and look at the effective routes for a NIC.
Within Azure it is not possible to perform an operating system (OS) installation. This is the first problem that VM images help us to solve.
In this lesson, we will take a look at both marketplace images and custom images, and discuss how they can be used and created.
Commands used in this lesson:
Please note: Microsoft has updated PowerShell with a new, but very similar module for managing Azure. The concepts in this video are still correct. An update is planned to include the new PowerShell modules.
Get image publishers:
Get-AzureRmVmImagePublisher -location australiasoutheast | select publishername
Get image offer:
Get-AzureRmVmImageOffer -Location australiasoutheast -publisher canonical | Select Offer
Get image SKU:
Get-AzureRmVmImageSku -Location australiasoutheast -Publisher canonical -Offer UbuntuServer | Select Skus
Get image versions:
Get-AzureRMVMImage -Location australiasoutheast -Publisher canonical -Offer ubuntuserver -Sku 16.04-lts | Select Version
Set VM source image:
Set-AzureRmVMSourceImage -PublisherName Canonical -Offer UbuntuServer -Skus 16.04-LTS -version latest
Within this lesson we will discuss VM storage, including managed and unmanaged disks, and the different performance tiers we can configure.
VM extensions are lightweight applications or services which we can provision as a property of the VM itself. In this lesson we will discuss VM extensions, and consider the two main scenarios in which they are used: VM monitoring, and post-deployment configuration.
Through the use of a network interface (NIC) we can provide a VM with connectivity to a Virtual Network. As we have already discussed the NIC separately, this lesson focuses on special considerations from the operating system perspective, and on the scenario in which IP forwarding is required.
There are a number of important characteristics of the storage account which we need to be cognizant of as a solution architect.
This lesson takes a detailed look at the main properties of a storage account, including the type/kind, performance tier, access tier, and replication options.
Commands used in this lesson:
Please note: Microsoft has updated PowerShell with a new, but very similar module for managing Azure. The concepts in this video are still correct. An update is planned to include the new PowerShell modules.
Create storage account:
New-AzureRmStorageAccount -ResourceGroupName lab01rg -AccountName lalabsa02 -Location australiaeast -Kind BlobStorage -SkuName Standard_GRS -AccessTier Hot
Create storage account:
New-AzureRmStorageAccount -ResourceGroupName lab01rg -AccountName lalabsa03 -Location australiaeast -Kind Storage -SkuName Standard_LRS
Storage Account Security
Within this lesson we focus on the main ways in which a storage account can be secured, including:
Access Keys
Account Shared Access Signatures (SAS)
Service Shared Access Signatures (SAS)
Whilst configuring and observing these in action, we will also consider some limitations of the SAS and how stored access policies can be used to help with their management.
Storage Account Networking
Storage accounts are publicly accessible by default. In order to manage security and help optimize network connectivity, there are two features of storage accounts we can configure:
Storage account firewalls
Service endpoints for Microsoft storage
In this lesson we will discuss and configure these networking features, and observe their impact through Storage Explorer.
Commands used in this lesson:
Configure service endpoint:
az network vnet subnet update -g vnet1rg --vnet-name vnet1 -n subnet1 --service-endpoints "Microsoft.Storage"
Azure Monitor is Microsoft's collection of features and services for end-to-end management and monitoring of Azure services and resources. Within this lesson we will look at the different sources and types of monitoring data, as well as what we can do with the information.
Important Note: this is an overview lesson to help demonstrate the different components of Azure Monitor. Microsoft have taken a range of services (which were once separate) and placed them within "Azure Monitor". This is an ongoing change by Microsoft, and so some things can be quite complicated/messy. If you are following along, you may find some things (such as Log Analytics) are not yet set up. We will configure this in later videos within this section.
Activity Log provides us with the ability to review different operations and activities occurring across our subscription. Within this lesson we will look at the different types and sources of information visible within the Activity Log, and specifically some examples for a storage account.
Alerts and Action Groups
Within Azure Monitor is the ability to monitor for different conditions and alert when the criteria are met. In this lesson we will configure an alert end-to-end, and then look at how to manage alerts which have been triggered.
Log Analytics is a service within Azure Monitor which enables us to store and query a range of different log data. In this lesson we will look at the functionality of Log Analytics, and get started with the creation of our first Log Analytics workspace.
Following on from the previous lesson on Log Analytics, in this lesson we will take a look at how to perform queries on log data.
Specifically we will consider the log query language, the schema of log data stored in our workspace, and how to save queries as a function for later re-use.
Queries used in this lesson:
AzureActivity | limit 50
AzureActivity | where OperationName == "Regenerate Storage Account Keys"
AzureActivity | where Caller == "email@example.com"
Managing costs is an important part of every solution architect's job. In this lesson we look at three tips for managing costs.
Azure Pricing Calculator - providing cost estimates and pricing information for resources
Cost Analysis within the Azure Portal - providing detailed information on the cost of resources running in your subscription
Azure Advisor - providing recommendations on how to optimize spend, specifically tailored to your subscription
Virtual Networks (VNets) are isolated and private networks. By default, there is no connectivity between VNets. Resources in VNets can only talk to other resources in the same VNet, or publicly over the Internet.
VNet Peering allows us to privately connect VNets together, so that resources can talk via private IP across VNets.
In this lesson we will configure and test VNet Peering, as well as discuss a number of special configuration items and limitations.
Commands used in this lesson:
Create VNet peer:
az network vnet peering create -g vnet1rg -n vnet1-to-vnet3-peer --vnet-name vnet1 --remote-vnet /subscriptions/xx-xx-xx/resourceGroups/vnet3rg/providers/Microsoft.Network/virtualNetworks/vnet3 --allow-vnet-access
Create return VNet peer:
az network vnet peering create -g vnet3rg -n vnet3-to-vnet1-peer --vnet-name vnet3 --remote-vnet /subscriptions/xx-xx-xx/resourceGroups/vnet1rg/providers/Microsoft.Network/virtualNetworks/vnet1 --allow-vnet-access
Virtual Machine High Availability
VM High Availability
This lesson provides an overview of the different options available to us to implement highly available VMs. Through this lesson we'll cover some of the high level concepts, services, and foundational knowledge. This helps set the stage for the remaining detailed lessons within this section.
Helpful links:
Understand SLA requirements for VMs: https://azure.microsoft.com/en-us/support/legal/sla/virtual-machines/v1_8/
VM Availability Sets
Availability Sets are an important tool which we use to ensure Virtual Machines are highly available. By placing VMs which serve the same purpose into the same Availability Set, we're essentially asking Microsoft to help ensure they don't all go offline at the same time. In this lesson we'll learn about Availability Sets, Fault Domains, Update Domains, and how we use these to ensure that our solution remains highly available.
VM Scale Sets
Virtual Machine Scale Sets help us to achieve both high availability and dynamic elasticity. It's a very useful service when combined with load balancing, such as the Azure Load Balancer or Application Gateway. In this lesson we'll discuss and configure a VM Scale Set, including:
The definition of the VM within our VM Scale Set
Autoscaling and the different ways in which autoscale is configured
Azure Load Balancer
For most highly-available (HA) solutions, the architecture includes multiple, duplicate resources, which actually serve the solution to end-users. This HA architecture should be transparent to them. An Azure Load Balancer helps achieve this, by providing a centralized address which users can access. User requests and replies are then transparently managed by the Azure Load Balancer. In this lesson, we configure an Azure Load Balancer to make a VM Scale Set hosted website highly available.
Azure Application Gateway
Please be aware: Microsoft have updated the Azure Portal experience for creating an Application Gateway. This lesson is planned for an update. The concepts taught in this lesson are still correct, and you may continue to use this lesson whilst the update is developed.
The Azure Application Gateway is used for routing and distributing web application traffic. While the Load Balancer operates only at layer 4, the Application Gateway operates at layer 7. Operating at layer 7 allows the Application Gateway to provide more advanced web application specific features. URL path-based forwarding, SSL offload, and protection against web application vulnerabilities and threats are some good examples. In this lesson, we will configure the Application Gateway to forward web traffic to a web application that is hosted on a VM Scale Set. Additionally we will configure path-based forwarding to leverage an additional VM.
Automated VM Deployments
Automated deployments are one of the many benefits of cloud.
When we want to automate the deployments of Virtual Machines (VMs) within Azure, we do it using a combination of Azure Resource Manager (ARM) Templates, and tools such as PowerShell, CLI, or code.
In this lesson you will become familiar with:
Azure Resource Manager Templates
The definition of a VM resource, including storage profile
Where you can monitor deployments in the portal
How to download ARM Templates from the portal
Commands used in this lesson:
Please note: Microsoft has updated PowerShell with a new, but very similar module for managing Azure. The concepts in this video are still correct. An update is planned to include the new PowerShell modules.
New resource group:
New-AzureRmResourceGroup -name deploytestrg -Location "Australia Southeast"
Prompt for the admin password as a secure string:
$pw = Read-Host "Enter Pass" -AsSecureString
Deploy the template (replace uri with the URI of your template):
New-AzureRmResourceGroupDeployment -ResourceGroupName deploytestrg -TemplateUri uri -adminUsername adm-jlee -adminPassword $pw
Azure Active Directory
Azure Active Directory
Azure Active Directory (AD) provides us with a range of identity and access management (IAM) functionality, through a fully managed cloud service. Cloud based IAM is increasingly important as our users now work from a variety of locations and personal devices, and access applications in the cloud. Traditionally, all access has been from organization-controlled devices, at fixed locations, to applications that we manage. In this new world, Azure AD helps us to centralize identity management, provides our users with simplified experiences (for example single sign-on), and so on. Through this lesson we will discuss Azure AD, the association with Azure subscriptions, and how to configure custom domains.
Azure AD Device Management
Managing devices within Azure AD helps us to achieve a range of functionality, such as:
Access control using device details
Improved user sign-in experience
Improved user experience generally (using Enterprise State Roam)
And much more
Within this lesson, we'll discuss the three main ways of registering our devices within Azure AD. We'll also look at the configuration of Enterprise State Roam, and discuss how it provides a more seamless experience for our users.
Azure AD Self-Service Password Reset
With identity being so critical in today's cloud-centric world, it's important we ensure user logins work without issues. Self-Service Password Reset (SSPR) is one such Azure AD feature that helps to achieve that. SSPR provides end-users with the ability to reset their own passwords, without having to call a helpdesk. Through the use of authentication methods, such as secret questions, email, or text message, users can reset their own password after verifying their identity. In this lesson we will:
Configure SSPR
Enable two authentication methods
Take a look at the end-user experience with SSPR
Azure AD Identity Protection
By using machine learning, Microsoft can alert us of things that appear "risky," with respect to Azure AD identities. Azure AD Identity Protection looks for patterns across our environment, and is able to report when something looks suspicious. With modern organizations supporting multiple devices, locations, and cloud applications, it is important that we have as much control over identity as possible. In this lesson we will look at:
What Azure Identity Protection is
Risks and vulnerability assessments
Policies which can use this information to both proactively and reactively control authentication
Multi-factor authentication (MFA) helps secure user identities by adding an additional requirement for user logins. In most cases, users log in with a username and a password. MFA refers to the need for something else to be required during login. It might be something like a mobile phone, a hardware token, or an email account. With MFA, a user then requires something they know (username + password) and something they have (mobile phone) to help protect against weak passwords, leaked credentials, etc. Throughout this course we look at:
How to enable MFA
Different MFA authentication types
The MFA enrolment process
Azure AD Conditional Access Policies
Azure AD provides a number of related services or features which improve access control. For example, multi-factor authentication and identity protection. In recent lessons we've seen how we can restrict access using these services. But what if we want to ignore MFA for a specific cloud app? What if we want to block any Azure admin access to the Azure portal if it is risky? Conditional access policies provide us with this type of flexibility, and the ability to assess and apply access restrictions based on a range of conditions. In this lesson we will:
Discuss important conditional access features
Create a conditional access policy
Use functionality for testing whether our policies will work the way we intend
Role-Based Access Control
Role-based access control (RBAC) provides us with the ability to manage permissions on resources within an Azure subscription.
There are two main ways to assign RBAC permissions:
Built-in roles, which are defined by Microsoft already
Custom roles, which we can define ourselves to configure allow/deny access exactly as we choose
In this lesson, we'll cover:
What RBAC achieves, compared to our other access controls
How we can assign RBAC roles
How we can configure and assign custom RBAC roles
How to troubleshoot / view effective permissions
Helpful commands and links:
https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
To create a custom role from our JSON definition:
az role definition create --role-definition ./customRole.json
We could also assign the role from CLI:
az role assignment create --role LAAzureAdmin --assignee username --resource-group rgname
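An added example, not the course's own customRole.json: a small Python model of how a custom role's Actions and NotActions combine with the assignment scope to give the effective permission the lesson asks us to troubleshoot. The LAAzureAdmin role content, the subscription id and the resource ids are constructed assumptions; the Reader role's `*/read` definition is the built-in one.

```python
import json
import re
from dataclasses import dataclass, field
from typing import List


def operation_matches(pattern: str, operation: str) -> bool:
    """Azure RBAC wildcard match: '*' stands for any run of characters, '/' included."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, operation, re.IGNORECASE) is not None


@dataclass
class RoleDefinition:
    name: str
    actions: List[str]
    not_actions: List[str] = field(default_factory=list)
    assignable_scopes: List[str] = field(default_factory=list)
    description: str = ""
    is_custom: bool = True

    def permits(self, operation: str) -> bool:
        """Effective permissions are Actions minus NotActions (NotActions is not a deny rule)."""
        allowed = any(operation_matches(a, operation) for a in self.actions)
        excluded = any(operation_matches(n, operation) for n in self.not_actions)
        return allowed and not excluded

    def to_role_json(self) -> str:
        """The JSON shape accepted by 'az role definition create --role-definition <file>'."""
        return json.dumps({
            "Name": self.name,
            "IsCustom": self.is_custom,
            "Description": self.description,
            "Actions": self.actions,
            "NotActions": self.not_actions,
            "AssignableScopes": self.assignable_scopes,
        }, indent=2)


@dataclass
class RoleAssignment:
    assignee: str
    role: RoleDefinition
    scope: str


def scope_covers(assignment_scope: str, resource_id: str) -> bool:
    """An assignment applies to its scope and everything beneath it (inheritance)."""
    parent, child = assignment_scope.lower().rstrip("/"), resource_id.lower()
    return child == parent or child.startswith(parent + "/")


def effective_permission(assignments, assignee, operation, resource_id) -> bool:
    """True when any assignment for this assignee covers the resource and its role permits the op."""
    return any(
        a.assignee.lower() == assignee.lower()
        and scope_covers(a.scope, resource_id)
        and a.role.permits(operation)
        for a in assignments
    )


# Constructed sample data. The subscription id is a placeholder, and the LAAzureAdmin role
# body is an assumption about what customRole.json might contain, not the lesson's file.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
LA_AZURE_ADMIN = RoleDefinition(
    name="LAAzureAdmin",
    description="Manage everything in scope, but never change who has access",
    actions=["*"],
    not_actions=["Microsoft.Authorization/*/Write", "Microsoft.Authorization/*/Delete"],
    assignable_scopes=[f"{SUB}/resourceGroups/rgname"],
)
READER = RoleDefinition(name="Reader", actions=["*/read"], is_custom=False)  # built-in role

ASSIGNMENTS = [
    RoleAssignment("username", LA_AZURE_ADMIN, f"{SUB}/resourceGroups/rgname"),
    RoleAssignment("username", READER, SUB),
]
VM_IN_RG = f"{SUB}/resourceGroups/rgname/providers/Microsoft.Compute/virtualMachines/vm1"
SA_ELSEWHERE = f"{SUB}/resourceGroups/otherrg/providers/Microsoft.Storage/storageAccounts/sa1"

if __name__ == "__main__":
    print(LA_AZURE_ADMIN.to_role_json())
    for op, res in [
        ("Microsoft.Compute/virtualMachines/start/action", VM_IN_RG),
        ("Microsoft.Authorization/roleAssignments/write", VM_IN_RG),
        ("Microsoft.Storage/storageAccounts/read", SA_ELSEWHERE),
        ("Microsoft.Storage/storageAccounts/listKeys/action", SA_ELSEWHERE),
    ]:
        print(f"{op} on {res.split('/')[-1]}: {effective_permission(ASSIGNMENTS, 'username', op, res)}")
```

Note the last case: Reader's `*/read` does not cover `listKeys/action`, which is why a read-only role cannot retrieve storage account keys.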
Hybrid identity is the practice of creating a single user identity for authentication and authorization to all resources, whether they're on-premises or in the cloud. In order to have an identity that exists in both places, on-premises and within Azure AD, we use a solution called Azure AD Connect. Within this lesson we'll take a look at:
What Azure AD Connect is, and what it does
The three main sign-on (authentication) modes
Single sign-on
This lesson prepares us for the following lesson, Azure AD Connect, where we will actually configure hybrid identities.
Azure AD Connect
As we discussed in the previous lesson, Azure AD Connect is a Microsoft solution which allows us to configure hybrid identities.
In this lesson, we'll walk through a demonstration installation of Azure AD Connect using Password Hash Sync (PHS).
In this lesson, we will cover:
Requirements for using Azure AD Connect
Configuring Azure AD Connect with PHS
How staging mode is configured
Using management tools to control synchronization
Important tools and tips:
Failing to use a routable domain for the user principal name (UPN) can result in login issues
Synchronization Service Manager allows management of the connectors and synchronization profiles
Synchronization can be triggered using:
The -PolicyType Initial option is for the initial sync
The -PolicyType Delta option is for a differential sync
In staging mode, synchronization will run (both automatically and if you use the command) but will not do an actual export to Azure AD
Helpful links:
Azure AD Connect option comparison
Azure VPN Gateway
Azure VPN Gateway supports hybrid connectivity between an Azure Virtual Network (VNet) and:
A remote site using site-to-site (S2S) VPN
A single computer using point-to-site (P2S) VPN
Another VNet using VNet-to-VNet
When configuring a Virtual Network Gateway for VPN, we call this a VPN Gateway. Throughout this lesson we will:
Configure a VPN Gateway
Configure a S2S VPN, including all required resources
Cover off some key considerations and properties
Azure VPN Gateway Troubleshooting
In Azure VPN Gateways, the underlying infrastructure is deployed to a GatewaySubnet and fully managed by Microsoft. This can make troubleshooting difficult. Because of this, it helps to know some of the methods available to us should we need to troubleshoot. In this lesson we'll take a look at:
Network Watcher VPN Troubleshoot
Azure Gateway Health Probe
Helpful links:
https://YourVirtualNetworkGatewayIP:8081/healthprobe
ExpressRoute - Part 1
ExpressRoute provides a secure, and more direct, connection between on-premises networks and a Virtual Network (VNet) within Azure.
Unlike a site-to-site VPN, ExpressRoute does not traverse the public Internet. Instead, peering providers are used to establish a redundant connection to the Microsoft network edge.
Using ExpressRoute, we have access to Private and Public Peering. Private Peering provides connectivity to our VNet, whereas Public Peering provides direct connectivity to Microsoft services, such as Office 365.
In Part 1 of this lesson, we will:
Discuss the use cases for ExpressRoute
Look at Private and Public Peering
Configure a VNet Gateway using PowerShell
In Part 2, we'll continue the configuration of ExpressRoute.
PowerShell commands used in this lesson:
Please note: Microsoft has updated PowerShell with a new, but very similar module for managing Azure. The concepts in this video are still correct. An update is planned to include the new PowerShell modules.
Save our vnet1 information to a variable:
$vnet1 = Get-AzureRmVirtualNetwork -ResourceGroupName vnet1rg -Name vnet1
Save our GatewaySubnet information to a variable:
$gwsubnet = Get-AzureRmVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnet1
Create a public IP for the VNet gateway:
$gwIP = New-AzureRmPublicIpAddress -name "ergwip01" -ResourceGroupName $vnet1.ResourceGroupName -Location $vnet1.Location -AllocationMethod Dynamic
Create the VNet gateway network config:
$gwconfig = New-AzureRmVirtualNetworkGatewayIpConfig -Name "ergw01IpConfig" -SubnetId $gwsubnet.Id -PublicIpAddressId $gwIP.Id
Create the VNet gateway:
$gw = New-AzureRmVirtualNetworkGateway -Name "ergw01" -ResourceGroupName $vnet1.ResourceGroupName -Location $vnet1.Location -IpConfigurations $gwconfig -GatewayType "ExpressRoute" -GatewaySku Standard
ExpressRoute - Part 2
In Part 2 of our lesson on ExpressRoute, we cover:
The creation of an ExpressRoute circuit
The use of our Connection resource
Important information about the provisioning process
Important information about routing/peering configuration
Azure Site Recovery Migrations
Azure Backup is a managed backup service provided by Microsoft. It includes a range of tools to support backing up both Windows and Linux data from on-premises storage systems, other cloud environments, and Azure itself. Whichever Azure Backup tool we use, the first step is always going to be the creation of a recovery services vault. When configuring the software, we will also need to use the vault credentials, so that the software has access to store data in the recovery services vault. In this lesson, we will:
Configure a Recovery Services Vault
Install the Microsoft Azure Recovery Services (MARS) agent
Register the agent with our vault using the credentials
Perform a backup
Perform the recovery of data
Please note that when you use Azure Backup you MUST keep a copy of your passphrase, as Microsoft cannot restore this for you. It is recommended you store this within your organization's enterprise password management tool. It is possible to use Azure Key Vault to store this, though that is not its direct purpose.
Azure Site Recovery - Part 1
Using Azure Site Recovery (ASR), we gain access to two main features. First, we get access to disaster recovery through the use of replication and site failover. Second, we can use the same functionality to help perform migrations of on-premises or AWS servers across to Azure. In part 1 of this lesson on ASR we will:
Discuss the key components and tools of ASR
Get started configuring our demo environment for migration
Be sure to check out Part 2 of this lesson, where we will conclude the installation and configuration of ASR for migrations.
Azure Site Recovery - Part 2
In part 2 of the Azure Site Recovery (ASR) lesson, we continue with the installation and configuration of ASR for migration. Through this lesson we will:
Complete the preparation of the source environment
Configure replication with ASR for a test server
Review migration options using failover
Azure Container Registry
As part of working with containers, it helps to have a way of maintaining the container images you develop.
Azure Container Registry is a Microsoft managed implementation for managing those images, and it's compatible with Docker Registry v2.0.
Whilst containers do not feature heavily in AZ-300, we will still take a glance at them, and their purposes.
Through this lesson, we will:
Discuss the fundamentals of containers
Create a docker container image
Create an Azure Container Registry repository
Push our image to our new repository
Docker demonstration
**Please note:** within this lesson we will walk through a basic demonstration of using docker.
These steps are completed on macOS using Docker Desktop for Mac, but can be completed on many different operating systems.
If you wish to follow along, you will need:
Docker Desktop
A text editor (VIM is used within the video, but any is fine)
A CLI shell (e.g. PowerShell, Bash, etc.)
You will not be expected to perform these tasks within AZ-300. This demonstration is purely to help provide some context.
Please see our other Docker courses here at Linux Academy if you would like to explore this topic further.
Command line tools used in this lesson:
To build our image:
docker build -t hellola-web:v1 .
To create the registry:
az acr create --resource-group containersrg --name laazreg01 --sku Basic
To prepare our image:
docker tag hellola-web:v1 laazreg01.azurecr.io/hellola-web:v1
To log into our registry:
docker login laazreg01.azurecr.io
To upload our image:
docker push laazreg01.azurecr.io/hellola-web:v1
Code Content (if you wish to follow along):
Create a folder called hellola wherever you wish to work on your file system (e.g. /usr/share/nginx/html)
Create the following two files within this folder
Note: this is the same content from the lesson, except that the image has been removed
index.html
<html>
  <head>
    <title>AZ-300 Image: Example Page</title>
  </head>
  <body>
    <p>Welcome to the AZ-300 Test Page</p>
  </body>
</html>
Dockerfile
FROM nginx:alpine
COPY . /usr/share/nginx/html
Azure Container Instances
Once a container image is developed, it needs to be deployed to a container engine in order for it to run. We refer to the running image as a container. Microsoft provides a really easy-to-use service for deploying and running containers: Azure Container Instances. In this lesson we will:
Discuss when we should use Azure Container Instances
Deploy a container from the image we created earlier
Test that our container is working
Azure Kubernetes Service
Kubernetes itself is an open-source solution, which helps with the management of a multi-container environment. Using Azure Kubernetes Service (AKS), we can easily deploy a fully managed Kubernetes cluster. Throughout this lesson, we will:
Discuss when to use AKS
Create an AKS cluster
Review AKS management options within the portal
Consider Kubernetes cluster management options
Azure Web Apps
Azure Web Apps is a platform-as-a-service (PaaS) solution which simplifies the deployment of web apps to the cloud. Using Web Apps, there's no need to manage the underlying infrastructure. They also provide features like auto-scale, SSL, custom domains, and more. Through this lesson we'll work through the:
Creation of an App Service Plan
Deployment of a Web App using a container image
Background Tasks with WebJobs
Using WebJobs for Web Apps, we can create background tasks that run continuously, run on a schedule, or get manually triggered. In this lesson, we cover the key elements of WebJobs, including:
How to configure WebJobs in the Azure Portal
App Settings which we need to configure for Continuous WebJobs
The folder location of WebJobs within App_Data
How to manage WebJobs and view log information
Helpful information and links:
Note: WebJobs is not supported for App Service on Linux
Using CRON schedules: https://docs.microsoft.com/en-us/azure/app-service/webjobs-create#cron-expressions
Note: The Azure Portal interface has changed since this lesson was recorded. All concepts taught in this lesson are still valid and remain unchanged. You will also see that the 'Application Settings' section has changed to 'Configuration' and includes settings across two tabs.
Traditional monolithic applications have various different components performing different functions. Sometimes an application might be sitting idle, just waiting for something to happen. For example, if an application is responsible for encoding media files, it needs to await the upload of those files before it can get started. Azure Functions helps in these scenarios by allowing us to create very focused code which serves a single purpose. Whilst the code is not operating, we don't have to pay for the underlying infrastructure (when using the Consumption Plan). In this lesson, we will:
Create an Azure Function App
Create a Function within the Function App
Configure a trigger and output binding
Take a look at management operations
Logic Apps are often referred to as "the glue that binds services together." Through advanced workflows, Logic Apps can integrate a plethora of services together, in a range of different ways. For example, we might need to monitor storage for uploads. Once a file is uploaded, we may need to call a Function App, send an email, and create a transaction record in our database. In this lesson we will:
Create a Logic App
Walk through a basic workflow which deletes old blobs in Blob Storage
Review some key management operations
Message-based Integration Architecture
Note: The Azure Portal interface has been updated and may appear different for you. All concepts taught in this lesson are still valid and remain unchanged.
Event Grid is a managed service for publishing and subscribing to event information. Events are small pieces of information about something that has happened. Using Event Grid we can avoid the need for our backend application to constantly poll/query something when monitoring for an event. Instead, our backend application can subscribe to an Event Grid topic and wait to be sent that information once the event occurs. Through this lesson we will:
Discuss the core components of Event Grid
Consider an example of when to use Event Grid
Create an Event Grid, Topic, and Subscription
Use the Python SDK to publish information to the Topic
Helpful Links:
Event Grid SDKs: https://docs.microsoft.com/en-us/azure/event-grid/sdk-overview
Code samples: https://azure.microsoft.com/en-us/resources/samples/?sort=0&service=event-grid
Python specific code sample: https://azure.microsoft.com/en-us/resources/samples/event-grid-python-public-consume-events/
Notification Hubs is a fully managed, cross-platform solution for simplifying the use of push notification services (PNS). In this lesson we will:
Discuss the use cases of Notification Hubs
Configure a Notification Hub
Walk through the resource hierarchy and security
Important Notes:
The Notification Hub is accessed via namespacename.servicebus.windows.net
Access to the hub is restricted with the access policies
You must register with each PNS you need to support
See an example for configuring iOS here: https://docs.microsoft.com/en-au/azure/notification-hubs/notification-hubs-ios-apple-push-notification-apns-get-started
An Event Hub is a massively scalable event ingestion and streaming service, fully managed by Microsoft. Typical use cases for Event Hubs would include live dashboards at banks that monitor data, process transactions, or detect anomalies. Event Hubs process millions of events per second, and enable a publish-subscribe model which supports partitioned consumer programming patterns. Through this lesson we will cover:
Event Hub resource hierarchy
Creation of an Event Hub within a namespace
Important information about security
Partitioned consumer model
Service Bus is one of Microsoft's many messaging and integration services. It's typically used when delivering very important messages between solutions. Service Bus provides a range of capabilities which ensure that messages are delivered without issue, are not lost, and are not duplicated. Throughout this lesson we will:
Discuss the features and benefits of Service Bus
Configure a Service Bus and walk through the resource hierarchy
Configure both queues and topics
Cover a range of important queue properties
If an on-premises solution needs public accessibility and connectivity, Azure Relay can help. Using the Azure Relay SDKs, it's possible to create either a Hybrid Connection or a WCF Relay that provides public connectivity to on-premises services, without requiring major firewall changes. Through this lesson we will cover:
Creation of an Azure Relay namespace
Configuration of a Hybrid Connection
Configuration of authentication
Demonstration of sample code for sending/receiving information through the relay
Useful links:
Microsoft sample code and guidance: https://docs.microsoft.com/en-us/azure/service-bus-relay/relay-hybrid-connections-node-get-started
Azure Relay SDK/API information: https://docs.microsoft.com/en-us/azure/service-bus-relay/relay-api-overview
Authentication and Data Security
Using a Managed Identity, we can securely authenticate Azure services against other Azure services.
This helps to avoid the need for storing and rotating credentials within code, which could potentially be exploited.
In this lesson we will:
Associate a Managed Identity with a VM
Assign the identity permissions to a subscription
Retrieve a token from the Instance Metadata Service
Use that token to authenticate against the ARM API
Commands used in this lesson include:
Retrieve the token:
curl 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/' -H Metadata:true
Retrieve resource group info:
curl -H "Authorization: Bearer <TOKEN>" "https://management.azure.com/subscriptions/<SUB>/resourceGroups/<RG>?api-version=2016-09-01"
Retrieve resource group info (resource group named 1):
curl -H "Authorization: Bearer <TOKEN>" "https://management.azure.com/subscriptions/<SUB>/resourceGroups/1?api-version=2016-09-01"
Delete resource group:
curl -X DELETE "https://management.azure.com/subscriptions/<SUB>/resourceGroups/<RG>?api-version=2018-05-01" -H "Authorization: Bearer <TOKEN>"
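As an added example (not code from the course), a small Python helper that checks the IMDS token response before the token is sent to ARM: it confirms the token was issued for the requested resource, that the token's own aud claim agrees, and that it is not about to expire. The IMDS response and the unsigned JWT inside it are constructed inline so the block runs offline.

```python
"""Added example (not from the course): sanity-check an IMDS token response
before using it against ARM. The sample token is a constructed, unsigned JWT."""
import base64
import json
import time
from typing import Optional

ARM_RESOURCE = "https://management.azure.com/"

def _b64url(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT without verifying it;
    signature validation is the resource server's job, we only inspect."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url(parts[1]))

def authorization_header(imds_json: str, resource: str = ARM_RESOURCE,
                         now: Optional[float] = None, skew: int = 300) -> dict:
    """Turn an IMDS response into an ARM Authorization header, refusing tokens
    issued for another resource, with a mismatched aud claim, or expiring
    within `skew` seconds (refresh instead of failing mid-request)."""
    now = time.time() if now is None else now
    body = json.loads(imds_json)
    if body.get("token_type") != "Bearer":
        raise ValueError("unexpected token_type %r" % body.get("token_type"))
    if body.get("resource") != resource:
        raise ValueError("token was issued for %r" % body.get("resource"))
    if int(body["expires_on"]) - now < skew:
        raise ValueError("token expires too soon; request a fresh one")
    if jwt_claims(body["access_token"]).get("aud") != resource:
        raise ValueError("aud claim does not match the requested resource")
    return {"Authorization": "Bearer " + body["access_token"]}

def _unsigned_jwt(claims: dict) -> str:
    """Constructed sample token (alg none, empty signature) for offline use."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + "."

SAMPLE_NOW = 1_600_000_000  # constructed reference time (seconds since epoch)
SAMPLE_IMDS_RESPONSE = json.dumps({  # constructed; mirrors the IMDS field names
    "access_token": _unsigned_jwt({"aud": ARM_RESOURCE, "exp": SAMPLE_NOW + 3600}),
    "expires_on": str(SAMPLE_NOW + 3600),
    "resource": ARM_RESOURCE,
    "token_type": "Bearer",
})
```

The returned dict is what you would pass as the request headers for the resource group calls above; the token itself never needs to be logged or printed.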
Through research and development, Microsoft have been investing in securing Azure resources in a range of ways. Confidential Compute focuses on efforts toward encrypting data "in use". Generally when we talk about encryption, we focus on "at rest" and "in transit". Encryption in use is achieved through the use of Trusted Execution Environments (TEEs). In order to harness TEEs, we must use the Open Enclave SDK. Through this lesson we will:
Discuss the purpose of Confidential Compute
Consider the use of the Open Enclave SDK
Navigate through the creation of Confidential Compute VMs
Discuss various requirements and concepts
Where do applications and scripts store confidential information securely? The Azure Key Vault. The Key Vault is designed for securely storing secrets, keys, and certificates, all with programmatic access in mind. Using the Key Vault API we can create, delete, and manage entities within the Key Vault. Note: Managed Identities aren't required for interacting with the Key Vault service; however, they help avoid the need for storing credentials to access Key Vault itself (which can defeat the purpose). In this lesson we will:
Use Managed Service Identity for a Virtual Machine to securely access a Key Vault
Manage access controls for the Key Vault data plane
Walk through a Python script which will securely access and retrieve a secret from our Key Vault
Helpful Links:
Microsoft tutorial on accessing the Key Vault with the API and Python: https://docs.microsoft.com/en-us/azure/key-vault/tutorial-python-linux-virtual-machine
Key Vault REST API Reference: https://docs.microsoft.com/en-us/rest/api/keyvault/
Azure Disk Encryption
Azure Disk Encryption (ADE) is a service which protects information on your Virtual Machine (VM) Operating System and Data disks.
Whereas Storage Service Encryption (SSE, which is enabled by default) protects your VM disks at rest in the Microsoft datacenters, ADE encrypts the information inside the disks themselves.
Through this lesson, we will:
Configure a Key Vault for ADE
Enable ADE on a virtual machine
Check the status of encryption
Commands used in this lesson:
Enabling encryption:
az vm encryption enable -g vmencrypt -n vmencrypt --disk-encryption-keyvault /subscriptions/c95fdfe4-2593-410e-8901-3de366c89013/resourceGroups/keyvault01org/providers/Microsoft.KeyVault/vaults/laazkv01
Showing the VM encryption status:
az vm encryption show -g vmencrypt -n vmencrypt
Helpful Links:
Enabling encryption: https://docs.microsoft.com/en-us/azure/security/azure-security-disk-encryption-windows
Azure SQL Database
Azure SQL Database: Part 1
Azure SQL Database is Microsoft's fully managed, SQL Server-as-a-service solution. It includes a range of options with functionality like an on-premises SQL Server. Working with Azure SQL Database helps avoid the need for managing underlying infrastructure, and provides an easy way to get up and running with cloud-based relational databases. In Part 1 of this lesson, we will:
Discuss the three main types of Azure SQL Database
Configure a SQL Server, Elastic Pool, and Database
Discuss authentication and encryption options
Please note: Microsoft also now consider Azure SQL VMs to be one of the Azure SQL deployment options. Below is a quick summary of the options:
Azure SQL Database: PaaS solution which is fully managed and provides a managed SQL experience
Azure SQL Managed Instances: PaaS solution which is fully managed, but provides a "near-100%" compatible Microsoft SQL Server Instance experience
Azure SQL VM Images: Images which are pre-configured for Microsoft SQL Server - this provides the full Microsoft SQL Server experience and functionality
Azure SQL Elastic Pools: an option to pool Azure SQL Servers together to provide better utilization of resources
Azure SQL Database: Part 2
In Part 2 of the Azure SQL Database lesson, we will walk through some basic code which uses SQL queries to view and modify our database. In this lesson we will:
Use Node.js to connect from a Mac computer to our database
Use SQL query language to view and modify tables
Helpful links:
Tedious Node.js module for SQL interaction
Microsoft Node.js getting started guide
Please note: if you wish to follow along with the example used in this lesson, the following information may help:
Use the getting started guide above to ensure you have Node.js and the ODBC driver installed
Use the code sample provided from the getting started guide
Ensure you have a SQL server and database configured
Ensure you have allowed client access in the SQL firewall from the computer you are using
You can use any text editor you desire
You can use any computer/OS that supports the Node.js and ODBC driver used in the getting started guide
Cosmos DB: Part 1
Cosmos DB is a multi-master, multi-mode, planet-scale managed database solution. With Cosmos DB you can develop applications that will have rapid and reliable access to data all over the world. Cosmos DB is a distributed database with transparent replication. In Part 1 of this lesson, we will:
Create a Cosmos DB namespace
Discuss various configuration items
Use code to create a database, collection, and items
In Part 2, we will discuss the importance of partitioning and default consistency levels.
Helpful Links:
Cosmos DB SDK notes
Python getting started
Cosmos DB: Part 2
In Part 2 of our Cosmos DB lessons, we discuss two important design considerations: partitioning and consistency. Partitioning is focused on the way in which data is distributed across infrastructure for high availability and scalability. Consistency refers to how "up to date" our information will be in a globally distributed model. For example, if data is written in Australia and then read in America, will the read transaction in America have to wait until it has synchronized with Australia? Or is it OK for the read transaction to return old information, so long as it eventually becomes "current"? In this lesson we will discuss:
The importance of partitioning
Tips for selecting a partition key
The importance of consistency
The five different consistency options available
Helpful links:
Choosing a partition key
Consistency levels
Congratulations!! You have completed over 70 lessons, learnt about more than 25 Azure services, and covered even more features and configurations. In this video we'll go over some tips for how to prepare for the AZ-300 exam, including hands-on labs, flash cards, and the practice exam. I'm very thankful to you for coming along on this learning journey with me. If you have any questions please feel welcome to reach out! I'll see you in the next course!
Please reach out to me directly with any questions or concerns, or through our community. I'm always happy to help:
Email: firstname.lastname@example.org
LinkedIn: James Lee
Twitter: @jamesdplee
Slack: I'm always in the #azure and #az-300 channels (you can join our community slack here)
About the Exam
The AZ-300 exam is one of two exams required to become certified as a Microsoft Certified Azure Solutions Architect Expert. You can book the exam at the following link: https://www.microsoft.com/en-us/learning/exam-az-300.aspx In most locations, this exam can be taken either online (Online Proctored) or on-site at an exam testing center. If you have any questions or concerns about the course, or the AZ-300 exam, please feel welcome to reach out to myself or the Linux Academy community.
AZ-300: Microsoft Azure Architect Technologies - Practice Exam