I recently passed the Microsoft Azure Solutions Architect Expert certification (Az-300 and AZ-301). Being a network focused person these were not very easy exams to pass.
The focus is so much on knowing the different Azure terminologies and purpose of different settings, its hard for me to make sense of them when I am not a SQL Admin day in day out as an example.
To help me clarify my concepts around the various services, I created this quick cheatsheet or reference doc. It helped me and I hope it helps you as well.
DISCLAIMER: None of the following content is mine including pictures. Almost all of this has been taken from docs.microsoft.com or similar places. I have just put them together for easy reference.
If you are a network engineer and interested in cloud networking, I highly encourage getting Aviatrix Multi-Cloud Networking Certification. Currently being offered for free at: https://aviatrix.com/ace/
Follow me on LinkedIn: https://www.linkedin.com/in/cloudhammad/
Here you go and good luck with the exam:
Azure Data Factory is a service designed to allow developers to integrate disparate data sources. … It provides access to on-premises data in SQL Server and cloud data in Azure Storage (Blob and Tables) and Azure SQL Database.
It is Azure’s cloud Extract-Transform-and-Load (ETL) service for scale-out serverless data integration and data transformation. It offers a code-free UI for intuitive authoring and single-pane-of-glass monitoring and management. You can also lift and shift existing SSIS packages to Azure and run them with full compatibility in ADF.
SQL Server Integration Services (SSIS) Feature Pack for Azure is an extension that provides the components listed on this page for SSIS to connect to Azure services, transfer data between Azure and on-premises data sources, and process data stored in Azure.
Azure SQL (PaaS)
Relational DBaaS. Uses latest stable version of SQL. Can create new or migrate using MDMA (Microsoft Data Migration Assistant). Supports 1TB to 4TB DB.
Support modern cloud applications on an intelligent, managed database service, that includes serverless compute.
In Azure SQL Database, you can configure a database with a long-term backup retention policy (LTR) to automatically retain the database backups in separate Azure Blob storage containers for up to 10 years
Make sure you understand SQL Server disaster recovery capabilities. These capabilities include:
Failover clustering:
A failover cluster basically gives you the ability to have all the data for a SQL Server instance installed in something like a share that can be accessed from different servers. It will always have the same instance name, SQL Agent jobs, Linked Servers and Logins wherever you bring it up.
Always On availability groups
The key difference for an Availability Group on Azure Virtual Machines is that these virtual machines (VMs) require a load balancer. The load balancer holds the IP addresses for the availability group listener. Always On availability groups does not depend on any form of shared storage.
Database mirroring
SQL Server database mirroring is a disaster recovery and high availability technique that involves two SQL Server instances on the same or different machines. One SQL Server instance acts as a primary instance called the principal, while the other is a mirrored instance called the mirror.
Log shipping
Log shipping is the process of automating the backup of transaction log files on a primary (production) database server, and then restoring them onto a standby server.
Active geo-replication
Active geo-replication is an Azure SQL Database feature that allows you to create readable secondary databases of individual databases on a server in the same or different data center (region).
Auto-failover groups
A failover group is a named group of databases managed by a single server or within a managed instance that can fail over as a unit to another region in case all or some primary databases become unavailable due to an outage in the primary region.
Data Migration Assistant is only used to migrate SQL databases.
To replicate disks etc from on-prem to cloud, use Azure Site Recovery.
Azure Migrate assists with migration of on-premises virtual machines to Azure IaaS. The service assesses migration suitability and performance-based sizing, and it provides cost estimates for running your on-premises virtual machines in Azure. Azure Migrate is useful for lift-and-shift migrations of on-premises VM-based workloads to Azure IaaS VMs.
However, unlike Azure Database Migration Service (DMS), Azure Migrate isn’t a specialized database migration service offering for Azure PaaS relational database platforms such as Azure SQL Database or Azure SQL Managed Instance.
Azure DMS supports migration of SQL Server or Oracle on-premises databases to Azure SQL Database, Azure SQL Database Managed Instance, or SQL Server on Azure Virtual Machines.
Azure Site Recovery helps ensure business continuity by keeping business apps and workloads running during outages. Site Recovery replicates workloads running on physical and virtual machines (VMs) from a primary site to a secondary location. When an outage occurs at your primary site, you fail over to secondary location, and access apps from there. After the primary location is running again, you can fail back to it.
Azure SQL Managed Instance: Modernize your existing SQL Server applications at scale with an intelligent fully managed instance as a service, with almost 100% feature parity with the SQL Server database engine. Best for most migrations to the cloud. More compatible with legacy workloads.
It’s a product that is hybrid between running fully PaaS, e.g. Azure SQL Database or IaaS, i.e. SQL Server running on a VM. It has built-in support for cross-database queries and basically looks and feels just like your on-premises SQL Server. Max 2 TB — 8 TB depending on the number of vCore. Managed Instances will be a good fit for you if:
You don’t own your code and need it to work with SQL Server
Your application makes a lot of cross database calls
You need to be able to migrate with near zero downtime
You have large databases that are not a good fit for the Azure SQL Database model
Azure SQL Managed Instance does not support a DTU-based purchasing model. The virtual core (vCore) purchasing model used by Azure SQL Database and Azure SQL Managed Instance provides several benefits:
Higher compute, memory, I/O, and storage limits.
Control over the hardware generation to better match compute and memory requirements of the workload.
Pricing discounts for Azure Hybrid Benefit (AHB) and Reserved Instance (RI).
Greater transparency in the hardware details that power the compute; facilitates planning for migrations from on-premises deployments.
Auto-failover groups allow you to manage replication and failover of a group of databases on a server or all databases in a managed instance to another region.
SQL Server on Azure VMs:
Lift-and-shift your SQL Server workloads with ease and maintain 100% SQL Server compatibility and operating system-level access.
SQL-server-stretch-database: the purpose is to save on on-prem storage cost. “With Stretch Database, you can provide longer data retention times without breaking the bank. Rather than scaling expensive, on-premises storage, stretch data to the cloud — Azure storage can be up to 40 percent less expensive than adding more enterprise storage.”
Data Migration Assistant:
The Data Migration Assistant (DMA) helps you upgrade to a modern data platform by detecting compatibility issues that can impact database functionality in your new version of SQL Server or Azure SQL Database. DMA recommends performance and reliability improvements for your target environment and allows you to move your schema, data, and uncontained objects from your source server to your target server. DMA supports upgrade of on-premises instances of SQL Server 2005+ to SQL Server 2012 and later versions and to Azure SQL Database.
SQL Server Migration Assistant
Microsoft SQL Server Migration Assistant (SSMA) is a tool designed to automate database migration to SQL Server from Microsoft Access, DB2, MySQL, Oracle, and SAP ASE or to Azure SQL Data Warehouse (SSMA for Oracle only).
Azure Cosmos DB
Globally distributed DB Service. Support AlwaysON Services. Accessible via various APIs (SQL API, MongoDB API, Gremlin API, Key/Value API)
With the Azure Cosmos DB Data Migration tool, you can easily migrate data to Azure Cosmos DB. The Azure Cosmos DB Data Migration tool is an open source solution that imports data to Azure Cosmos DB from a variety of sources, including:
JSON files
MongoDB
SQL Server
CSV files
Azure Cosmos DB collections
Azure Data Catalog is a fully managed service, hosted in Microsoft Azure, that serves as a system of registration and discovery for enterprise data sources. With Data Catalog, any user, from analysts to data scientists and developers, can register, discover, understand, and consume data sources.
Azure API Management is a fully managed service that enables customers to publish, secure, transform, maintain, and monitor APIs. … API gateway for microservices implemented using serverless technologies such as Functions and Logic Apps.
SQL Database elastic pool is a shared resource model that enables higher resource utilization efficiency, with all the databases within an elastic pool sharing predefined resources within the same pool. The workload pattern is well defined and is highly cost-effective in multitenant scenarios.
Azure File Sync transforms Windows Server into a quick cache of your Azure file share. You can use any protocol that’s available on Windows Server to access your data locally, including SMB, NFS, and FTPS. You can have as many caches as you need across the world.
Azure Stack Edge is a Hardware-as-a-service solution. Microsoft ships you a cloud-managed device with a built-in Field Programmable Gate Array (FPGA) that enables accelerated AI-inferencing and has all the capabilities of a network storage gateway.
Azure Files offers SMB access to Azure file shares. By using SMB, you can mount an Azure file share directly on Windows, Linux, or macOS, either on-premises or in cloud VMs, without writing any code or attaching any special drivers to the file system.
Azure App Service enables you to build and host web apps, mobile back ends, and RESTful APIs in the programming language of your choice without managing infrastructure. It offers auto-scaling and high availability, supports both Windows and Linux, and enables automated deployments from GitHub, Azure DevOps, or any Git repo.
Microsoft Azure App Services are a platform as a service (PaaS) offering. Azure runs App Services on a fully managed set of virtual machines in either a dedicated or shared mode, based on your App Service Plan. These compute resources are analogous to the server farm in conventional web hosting. Each App Service plan defines things like region, number of VMs, instance size, pricing tier.
There are 4 types of App Services:
Web App — used for hosting websites and web applications (previously Azure Websites)
API App — used for hosting the RESTful APIs
Logic App — used for business process automation, system integration and sharing data across clouds
Mobile App — used for hosting mobile app back ends (previously delivered by Azure Mobile services)
The pricing tier of an App Service plan determines what App Service features you get and how much you pay for the plan. There are a few categories of pricing tiers:
Shared compute: Free and Shared, the two base tiers, runs an app on the same Azure VM as other App Service apps, including apps of other customers. These tiers allocate CPU quotas to each app that runs on the shared resources, and the resources cannot scale out.
Dedicated compute: The Basic, Standard, Premium, and PremiumV2 tiers run apps on dedicated Azure VMs. Only apps in the same App Service plan share the same compute resources. The higher the tier, the more VM instances are available to you for scale-out.
Isolated: This tier runs dedicated Azure VMs on dedicated Azure Virtual Networks. It provides network isolation on top of compute isolation to your apps. It provides the maximum scale-out capabilities.
Azure Logic Apps is a cloud service that helps you schedule, automate, and orchestrate tasks, business processes, and workflows when you need to integrate apps, data, systems, and services across enterprises or organizations. Logic Apps simplifies how you design and build scalable solutions for app integration, data integration, system integration, enterprise application integration (EAI), and business-to-business (B2B) communication, whether in the cloud, on premises, or both.
Azure WebJobs is a feature of Azure App Service that enables you to run a program or script in the same instance as a web app, API app, or mobile app. There is no additional cost to use WebJobs. WebJobs is not yet supported for App Service on Linux. Azure WebJobs provide an easy way to run background processes. These can be configured to run on a schedule, on demand or continuously.
An App Service Environment (ASE) is a deployment of Azure App Service into a subnet in a customer’s Azure Virtual Network instance. An ASE consists of: Front ends: Where HTTP or HTTPS terminates in an App Service Environment. Workers: The resources that host your apps.
ASEs host applications from only one customer and do so in one of their VNets. Customers have fine-grained control over inbound and outbound application network traffic. Applications can establish high-speed secure connections over VPNs to on-premises corporate resources. Apps running on ASEs can have their access gated by upstream devices, such as web application firewalls (WAFs)
Use Azure Functions to run Legacy Windows Executable kind of applications that should only run when needed.
AZURE EVENT GRID
Azure Event Grid allows you to easily build applications with event-based architectures. First, select the Azure resource you would like to subscribe to, and then give the event handler or WebHook endpoint to send the event to. Event Grid has built-in support for events coming from Azure services, like storage blobs and resource groups. Event Grid also has support for your own events, using custom topics.
You can use filters to route specific events to different endpoints, multicast to multiple endpoints, and make sure your events are reliably delivered.
AZURE EVENT HUBS
Event Hubs are an intermediary for the publish-subscribe communication pattern. Unlike Event Grid, it is a service for processing huge amounts of events (millions of events per second) with low latency. We should consider the Event Hubs as the starting point in an event processing pipeline. Furthermore, we can use the Event Hubs as the event source of the Event Grid service.
Azure Event Hubs vs Service Bus: Event Hubs focuses more on event streaming whereas Service Bus is more focused on high-value enterprise messaging, which means the later is focused on messages rather than events.
Azure Notification Hubs provide an easy-to-use and scaled-out push engine that allows you to send notifications to any platform (iOS, Android, Windows, Kindle, Baidu, etc.) from any backend (cloud or on-premises).
Dependency Agent runs on Windows and Linux virtual machines and it integrates with the Log Analytics agent to collect discovered data about processes running on the virtual machine and external process dependencies. It stores this data in a Log Analytics workspace and visualizes the discovered interconnected components. Used for Dependency Map. (Requires Log Analytics agent)
Microsoft Monitoring Agent (MMA)
In order to monitor and manage virtual machines or physical computers in your local datacenter or other cloud environment with Azure Monitor, you need to deploy the Log Analytics Agent (also referred to as the Microsoft Monitoring Agent (MMA)) and configure it to report to one or more Log Analytics workspaces.
Azure Monitor logs provide monitoring capabilities across cloud and on-premises assets.
Log Analytics Agent can collect it upto 730 days only.
Azure Diagnostics Agent
Azure Diagnostics extension is an agent in Azure Monitor that collects monitoring data from the guest operating system of Azure compute resources including virtual machines.
It can collect security logs. Logs collected by Diagnostics Agent can be sent to ‘Azure Storage’ for long retention. The primary scenarios addressed by the diagnostics extension are:
Collect guest metrics into Azure Monitor Metrics.
Send guest logs and metrics to Azure storage for archiving.
Send guest logs and metrics to Azure event hubs to send outside of Azure.
Azure Diagnostics Agent (Extension) vs Log Analytics agent
The Log Analytics agent in Azure Monitor can also be used to collect monitoring data from the guest operating system of virtual machines. You may choose to use either or both depending on your requirements. The key differences to consider are:
Azure Diagnostics Extension can be used only with Azure virtual machines. The Log Analytics agent can be used with virtual machines in Azure, other clouds, and on-premises.
Azure Diagnostics extension sends data to Azure Storage, Azure Monitor Metrics (Windows only) and Event Hubs. The Log Analytics agent collects data to Azure Monitor Logs.
The Log Analytics agent is required for solutions, Azure Monitor for VMs, and other services such as Azure Security Center.
Azure Active Directory Connect Health
You can configure the Azure AD Connect Health service to send email notifications when alerts indicate that your identity infrastructure is not healthy. This occurs when an alert is generated, and when it is resolved.
What is Azure Data lake storage?
ADLS, short for Azure Data Lake Storage, is a fully-managed, elastic, scalable, and secure file system that supports HDFS semantics and works with the Hadoop ecosystem. … It is built for running large-scale analytics systems that require large computing capacity to process and analyze large amounts of data.
Wire data is consolidated network and performance data collected from Windows-connected and Linux-connected computers with the Log Analytics agent, including those monitored by Operations Manager in your environment. Network data is combined with your other log data to help you correlate data.
In addition to the Log Analytics agent, the Wire Data solution uses Microsoft Dependency Agents that you install on computers in your IT infrastructure. Dependency Agents monitor network data sent to and from your computers for network levels 2–3 in the OSI model, including the various protocols and ports used. Data is then sent to Azure Monitor using agents.
The on-premises data gateway acts as a bridge to provide quick and secure data transfer between on-premises data (data that isn’t in the cloud) and several Microsoft cloud services. These cloud services include Power BI, Power Apps, Power Automate, Azure Analysis Services, and Azure Logic Apps. By using a gateway, organizations can keep databases and other data sources on their on-premises networks, yet securely use that on-premises data in cloud services.
Azure Service Fabric supports Azure and “On-premises” containers: https://docs.microsoft.com/en-us/azure/service- fabric/service-fabric-overview
Azure Service Fabric is a distributed systems platform that makes it easy to package, deploy, and manage scalable and reliable microservices and containers. … Service Fabric represents the next-generation platform for building and managing these enterprise-class, tier-1, cloud-scale applications running in containers.
When comparing AKS vs. Service Fabric, the biggest difference between the two is that AKS only works with Docker-first applications using Kubernetes. Service Fabric is geared toward microservices and supports a number of different runtime strategies.
Azure Storage Account — RestAPI:
The REST APIs for the Microsoft Azure storage services offer programmatic access to the Blob, Queue, Table, and File services in Azure or in the development environment via the storage emulator. All storage services are accessible via REST APIs.
Files stored in Azure File service shares are accessible via the SMB protocol, and also via REST APIs, at the endpoint http|https://<account>.file.core.windows.net. HTTPS is recommended.
General purpose storage accounts provide storage for blobs, files, tables, and queues in a unified account. At the account level you can choose Hot or Cool performance/access tier. In this case, Access Tier (Archive) setting is not available at the storage account OR container level. Access tier can only be set for individual objects inside a Blob Container.
Blob storage accounts are specialized for storing blob data and support choosing an access tier, which allows you to specify how frequently data in the account is accessed. Choose a performance tier (Hot/Cool). Create a blob container, copy the files to the blob container, and set each file to the Archive access tier.
Azure Data Box Edge is a physical network appliance, shipped by Microsoft, that sends data in and out of Azure Data Box Edge is additionally equipped with AI-enabled edge computing capabilities that help you analyze, process, and transform the on-premises data before uploading it to the cloud.
AzCopy is a command-line utility that you can use to copy blobs or files to or from a storage account
A Recovery Services vault is a storage entity in Azure that houses data. … You can use Recovery Services vaults to hold backup data for various Azure services such as IaaS VMs (Linux or Windows) and Azure SQL databases.
Immutable Blob storage is useful in any scenario to protect critical data against modification or deletion. Immutable storage supports the following features:
Time-based retention policy support: Users can set policies to store data for a specified interval. When a time-based retention policy is set, blobs can be created and read, but not modified or deleted. After the retention period has expired, blobs can be deleted but not overwritten.
Legal hold policy support: If the retention interval is not known, users can set legal holds to store immutable data until the legal hold is cleared. When a legal hold policy is set, blobs can be created and read, but not modified or deleted. Each legal hold is associated with a user-defined alphanumeric tag (such as a case ID, event name, etc.) that is used as an identifier string.
A Shared Access Signature (SAS) provides secure delegated access to resources in your storage account without compromising the security of your data. With a SAS, you have granular control over how a client can access your data. You can control what resources the client may access, what permissions they have on those resources, and how long the SAS is valid, among other parameters.
Conditional Access Policies at their simplest are if-then statements, if a user wants to access a resource, then they must complete an action. Example: A payroll manager wants to access the payroll application and is required to perform multi-factor authentication to access it. If you want access you must be coming from specific location.
Use (Storage Account) Access Keys to authenticate your applications when making requests to this Azure storage account. Store your access keys securely — for example, using Azure Key Vault — and don’t share them. We recommend regenerating your access keys regularly. You are provided two access keys so that you can maintain connections using one key while regenerating the other
Azure Active Directory (Azure AD) access reviews (available with Premium P2 licensing) enable organizations to efficiently manage group memberships, access to enterprise applications, and role assignments. User’s access can be reviewed on a regular basis to make sure only the right people have continued access.
Premium P2 licensing gives following additional benefits
Access Review
Learn more about what Access Review can do. Basically it allows generating reports of usage and who has what access. People who have extra privileges that should be revoked etc.
Just In Time Access
When just-in-time (Security Center’s standard pricing tier) is enabled, Security Center uses network security group (NSG) and Azure Firewall rules, which restrict access to management ports so they cannot be targeted by attackers.
When just-in-time is enabled, Security Center locks down inbound traffic to your Azure VMs by creating an NSG rule. You select the ports on the VM to which inbound traffic will be locked down. These ports are controlled by the just-in-time solution.
When a user requests access to a VM, Security Center checks that the user has Role-Based Access Control (RBAC) permissions for that VM. If the request is approved, Security Center automatically configures the Network Security Groups (NSGs) and Azure Firewall to allow inbound traffic to the selected ports and requested source IP addresses or ranges, for the amount of time that was specified. After the time has expired, Security Center restores the NSGs to their previous states. Those connections that are already established are not being interrupted, however.
Managed identities for Azure resources is a feature of Azure Active Directory. … The feature provides Azure services with an automatically managed identity in Azure AD. You can use the identity to authenticate to any service that supports Azure AD authentication, including Key Vault, without any credentials in your code. There are two types of managed identities:
System-assigned managed identity (For stand-alone Azure resources, you can enable system-assigned managed identities)
User-assigned managed identity
Azure Advisor is a personalized cloud consultant that helps you follow best practices to optimize your Azure deployments. It analyzes your resource configuration and usage telemetry and then recommends solutions that can help you improve the cost effectiveness, performance, high availability, and security of your Azure resources.
Application Insights, a feature of Azure Monitor, is an extensible Application Performance Management (APM) service for developers and DevOps professionals. Use it to monitor your live applications. It will automatically detect performance anomalies, and includes powerful analytics tools to help you diagnose issues and to understand what users actually do with your app. It’s designed to help you continuously improve performance and usability. It can help with things like tracking requests and exceptions to a specific line of code within the application; analyzing how many users return to the app and how often a particular dropdown value has been selected.
Azure SQL Analytics is an advanced cloud monitoring solution for monitoring performance of all of your Azure SQL databases at scale and across multiple subscriptions in a single view. It collects and visualizes key performance metrics with built-in intelligence for performance troubleshooting.
Azure Hybrid Benefit allows customers with Windows Server licenses with Software Assurance (SA) to use those licenses in Azure to license a base virtual machine for Windows Server.
Azure DevTest Labs makes it easy to provide Virtual Machine Images that you can reuse within your team for development and testing. It also enables you to manage costs by setting things like: Maximum number of VMs per lab and per user. Allowed VM sizes.
Comments