AWS Solutions Architect Associate Certification preparation – short notes-VI

Our sixth and last post in our AWS Solutions Architect Associate Certification preparation series. We hope you have gone through the previous posts and are happy with the content we shared.
[ Disclaimer : This is not a complete training material for the certification. This is just random (short) notes which we captured from course curricula, which will help the readers for their final revision/rewind before appearing for the exam. We do not offer any guarantee in passing the exam with this content ]
VPC (Continued)
VPC lab steps:
1. Create the VPC (this also creates the main route table, a default NACL and a default security group).
2. Create the additional subnets; set auto-assign public IP to Yes only for the public subnet.
3. Create an Internet Gateway and attach it to the VPC.
4. Create an additional route table with a route allowing public access (never add the public route to the main route table).
5. Associate the subnets with route tables: the public subnet goes to the new route table.
6. Launch instances into the new VPC, in the different subnets.
7. Create a security group for the private instance that allows access to it from the public instance.
NAT instances and NAT gateways are the two ways of doing NAT so that systems in the private subnet can communicate with the internet. A NAT instance is a single EC2 instance without any redundancy. NAT gateways are HA-enabled within an AZ but cannot span AZs, so it is better to have a separate NAT gateway in each AZ.
A NAT instance forwards traffic for which it is neither the source nor the destination. For this to work, source/destination checks must be disabled on the instance.


NACL (Network Access Control List): a default NACL with all-allow rules is created when the VPC is created. Any subnet being created is associated with the default NACL by default. We can create additional NACLs and associate subnets with them; one subnet can be associated with only a single NACL. Rules are evaluated in rule-number order, lowest number first, and the first matching rule wins: if an allow rule is created as rule no. 200 and there is a deny rule as rule no. 100, the deny takes precedence because of its lower rule number. (e.g. rule 100 allows all access via port 80 and rule 200 denies all access via port 80: the allow is in effect.)
The NACL is checked first, before the corresponding rule in the security group.
At least 2 public subnets are required for creating load balancers.
VPC flow logs are the way of capturing the TCP flow using CloudWatch. They can be created at VPC, subnet or network interface level.
Flow logs cannot be enabled for a VPC peered with a VPC in another AWS account. The flow log configuration can't be modified after creation (e.g. changing the IAM role).
A bastion host allows administration of instances in the private network. A NAT gateway/instance gives the private instance internet access, but administration through it is not possible.
AWS Direct Connect: Direct Connect (DX) locations are available everywhere; we need a customer/partner cage there with routers. These connect to the AWS cage routers (AWS backbone network). The customer/partner router connects to the customer premises (office/DC) and the AWS routers connect to our AWS services (instances, S3, VPC, etc.).

VPC endpoints allow connecting the VPC to AWS services privately, without leaving the AWS network. Two kinds: VPC gateway endpoints (supported for S3 and DynamoDB) and VPC interface endpoints.
High Availability
Application load balancers: application aware, operate at layer 7 of the OSI model. HTTP and HTTPS requests.
Network load balancers: TCP traffic balancing, for extreme performance.
Classic load balancers: can do both. The legacy one. May not be application aware; as it is not app aware, it may return error 504 (gateway timeout) without knowing whether it is a database issue or a web server issue.
X-Forwarded-For: this header carries the customer's public IP when the load balancer forwards the request to the actual application.
That's it! We know many topics are still not covered, but we have made an effort to help your certification preparation.
Your feedback is very valuable and helps us improve our content. Thank you!

AWS Solutions Architect Associate Certification preparation – short notes-V

Our fifth post on the AWS Solutions Architect Associate certification preparation topic. Hope you have enjoyed the previous posts in this series where we discussed many important topics including EC2, S3, Databases etc…
Now, let’s continue
Route53
Note: ELBs do not have a pre-defined IP address; you route to them using Route53.
1. Simple routing policy – can have multiple entries against one name, and the policy picks the IPs randomly during the request.


2. Weighted routing policy – we can set a weight for each record (individual host records need to be created) and requests are distributed according to those weights. [We can create health checks for the instances, and the routing policy omits records whose health check fails.]

3. Latency-based policy – Route53 chooses the DNS record/instance with the least network latency.
4. Failover routing policy – we can define active and passive records. A health check monitors the active record.
5. Geolocation routing policy – the DNS record/EC2 instance is chosen based on the location from which the user queries DNS. Not the same as latency-based routing.
6. Geoproximity routing policy – a complicated one. Routes based on the location of both users and resources. Bias (keyword).
7. Multivalue routing policy – similar to the simple routing policy, but allows health checks for multiple instances.

VPC (Virtual Private Cloud)
A Virtual Private Cloud segregates the network, allowing you to create your own logically isolated AWS environment, with complete control of the network settings (IP address ranges, subnets, route tables, internet gateways, etc.). Hosts can be separated into private (without internet) and public (with internet) segments, adding security. A VPN connection can be created to the VPC so that AWS is used as an extension of the office/datacenter.
* Launch instances into a chosen subnet
* Assign custom IP address ranges in each subnet
* Configure route tables between subnets
* Create an internet gateway and attach it to our VPC
* Better security control over AWS resources
* Instance security groups
* Subnet network ACLs

The default VPC allows easy instance deployments. All subnets in the default VPC have a route to the internet, and each EC2 instance gets both a private and a public IP.
VPC peering: allows direct communication with hosts in another VPC. Peering can be done with VPCs in another AWS account and in another region as well. There is no transitive peering (direct peering between each pair of VPCs is required).
1 AZ can have one or more subnets, but 1 subnet can't span across AZs.
Only 1 Internet Gateway per VPC.
We are not done with VPC yet, we will add additional notes in the next post in this series. Hope these contents are helping you in your preparation.
Feel free to share your feedback/suggestions in the comments section.

AWS Solutions Architect Associate Certification preparation – short notes-IV

Into our fourth post in the AWS Solutions Architect Associate certification preparation series.

In our previous posts, we discussed the common topics including S3, EC2 etc… In this post, we will cover the databases section.


Relational Databases

6 DBs available in AWS are – SQL server, Oracle, MySQL, PostgreSQL, Amazon Aurora, MariaDB

Multi-AZ is for disaster recovery and read replicas are for performance.
DynamoDB is Amazon's NoSQL solution.
Redshift is Amazon's data warehousing solution (for Online Analytical Processing, OLAP).
ElastiCache improves performance with an in-memory cache in the cloud. Supports 2 open-source in-memory caching engines: Memcached and Redis.


RDS runs on VMs but we cannot access those. AWS takes care of managing the VMs. RDS is NOT serverless (except Aurora)

RDS Backups : Automated daily backups and snapshots. Retention period 1-35 days.
Automated backups are enabled by default. Data will be saved in S3, and you get space for free.
During the backup window, I/O is suspended and there may be a performance impact.

DB snapshots are manual.
A restored DB (from a manual snapshot or an automated backup) will be a new RDS instance with a new endpoint (URL).

Encryption at rest is supported (with AWS KMS) for SQL Server, Oracle, MySQL, PostgreSQL, Amazon Aurora and MariaDB. Stored data, backups and snapshots are all encrypted.
Multi-AZ: for disaster recovery. AWS automatically switches to the secondary copy in case of maintenance or disaster. Supported for SQL Server, Oracle, MySQL, PostgreSQL and MariaDB. Amazon Aurora supports multi-AZ failure by its architecture.
Read replicas: for performance improvement of read-intensive database instances. Reads can be redirected to any of the asynchronous copies of the actual instance, while writes still go to the primary DB. Supported by MySQL, PostgreSQL, Amazon Aurora and MariaDB.
Can have up to 5 copies/replicas of the primary. Can have read replicas of read replicas (performance may reduce). Automatic backups must be turned on.
Read replicas can themselves be multi-AZ, and read replicas can be created from a multi-AZ source DB.

DynamoDB: AWS's NoSQL DB. Uses SSD and is spread across 3 separate geographic areas.
Eventually consistent reads (default): data consistency is reached 1-2 seconds after a write.
Strongly consistent reads: needed if the application will read the data within a second of the write.
Redshift is used for business intelligence: an OLAP solution for data warehousing. Available in 1 AZ at present (can't span multiple AZs).
Backup is on by default with 1 day retention, which can be increased to a maximum of 35 days.
Always 3 copies (1x original + 1x replica + 1x backup in S3) are kept.
For disaster recovery, Redshift can automatically replicate the snapshots to an S3 bucket in a different region.
Redshift configuration:
Single node with 160 GB, or multi-node, which has a leader node (receives the queries and manages client connections) and up to 128 compute nodes (process the queries and computations). Users are charged for the hours the compute nodes are operating, not for the leader node.
Encryption at rest for Redshift uses AES-256. Redshift takes care of key management; keys can be managed with a Hardware Security Module (HSM) or AWS KMS.
Uses an advanced level of compression, which identifies similar data and compresses it.

Amazon Aurora
MySQL-compatible relational database engine, with 5x better performance than MySQL.
Storage starts at 10 GB and grows in 10 GB increments up to 64 TB. Compute can scale up to 32 vCPUs and 244 GB of memory.
6 copies of data (2 copies in each of 3 AZs). Can lose 2 copies of data without affecting write availability, and 3 copies without affecting read availability. Aurora read replicas are better and can have up to 15 copies (vs 5 for MySQL read replicas). Automated failover (to a read replica) is supported.

ElastiCache improves performance with an in-memory cache in the cloud. Supports 2 open-source in-memory caching engines: Memcached (simple solution) and Redis (supports Multi-AZ and backups).

Another short post is coming to an end. We hope it was helpful and you enjoyed reading it. Please share your feedback in the comments.

AWS Solutions Architect Associate Certification preparation – short notes-III

Third post in our AWS Solutions Architect Associate certification preparation series. Hope you have enjoyed the first post and the second in the series. We have a few more topics to cover in this series and some of them are in this post.


Let’s continue…

EBS (Elastic Block Storage)
Types:
General Purpose (SSD) (GP2) – General purpose, cost-effective storage. 100 – 16000 IOPS. Mixed workload
Provisioned IOPS (SSD) (IO1) – For IO intensive workloads.
Throughput Optimized HDD (ST1) – low cost magnetic storage, performance in terms of throughput.
Cold HDD (SC1) – For large, sequential cold-data workloads.
Magnetic – Uses magnetic storage, for infrequently accessed data.


Migrating an EC2 instance from one region to another: create a snapshot of the root volume > create an AMI from the snapshot > launch an instance from the AMI in the other region.
Snapshots are stored in S3.


AMI (Amazon Machine Images) can also be copied to another region for VM deployments.

When you delete/terminate an instance, the additional drives won’t get deleted by default.
For AMIs backed by EBS volumes, the OS root device is created from an EBS snapshot of an EBS volume. For AMIs backed by instance store, the instance root device is created from a template stored in S3.
Instance store root volumes are not listed under EC2 > EBS > Volumes, as they are not EBS volumes. We can create an instance from an instance store, but only with a limited hardware (instance type) selection. An instance running on instance store cannot be stopped; only reboot or terminate are available. If there is an issue in the underlying hardware, the data is lost. It is also called ephemeral (short-lived) storage.
The root volume of an instance can be encrypted by: create a snapshot of the root volume > copy it with encryption enabled > create an AMI from the encrypted copy > launch an instance from it.
CloudWatch and CloudTrail:
CloudWatch (think "gym trainer") is for performance monitoring: compute (EC2, Route53, Elastic Load Balancers, ...), storage (EBS volumes, Storage Gateway) and CDN (CloudFront).
CloudTrail (think "CCTV") is for checking who is calling whom (a kind of access logging, in my understanding).
CloudWatch monitors at 5-minute intervals by default; this can be reduced to 1 minute.
2 ways of accessing the AWS CLI: 1) give the user the permissions required for the CLI and use that user's credentials in the CLI; 2) create an IAM role for CLI access and attach it to the EC2 instance.


Sample commands:
aws s3 ls   (lists the S3 buckets)
aws s3 mb s3://bforumnewbucket   (creates a bucket with the given name; mb = make bucket)
Credentials are saved in plain text in the ~/.aws directory.
curl http://169.254.169.254/latest/meta-data   (retrieves metadata about the instance)
curl http://169.254.169.254/latest/user-data   (retrieves the bootstrap/user data)
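A small check for the plain-text credentials file just mentioned, added here as an example (it is not part of the original post nor an AWS CLI feature); the file content, profile names and key values are constructed placeholders:

```python
"""Audit of the plain-text AWS CLI credentials file mentioned above. Added
example, not AWS tooling; the sample file is constructed and the key values
are placeholders, not real credentials."""
import configparser
import os
import stat
import tempfile

# Constructed ~/.aws/credentials content: one profile with long-lived keys and
# one that assumes a role through it (no secret of its own on disk).
SAMPLE_CREDENTIALS = """\
[default]
aws_access_key_id = AKIA-PLACEHOLDER-NOT-A-REAL-KEY
aws_secret_access_key = PLACEHOLDER-SECRET-NOT-A-REAL-KEY

[ops-role]
role_arn = arn:aws:iam::123456789012:role/ExampleRole
source_profile = default
"""


def audit_credentials_file(path):
    """Returns what an operator wants to know about a credentials file: whether
    its mode keeps other local users out, and which profiles carry static keys."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    cp = configparser.ConfigParser()
    cp.read(path)
    static = [s for s in cp.sections() if cp.has_option(s, "aws_secret_access_key")]
    roles = [s for s in cp.sections() if cp.has_option(s, "role_arn")]
    return {
        "mode": mode,
        "mode_ok": not (mode & (stat.S_IRWXG | stat.S_IRWXO)),  # only the owner may read
        "static_key_profiles": static,
        "role_profiles": roles,
    }


def write_sample(directory, mode=0o644):
    """Writes the constructed file with the given mode and returns its path."""
    path = os.path.join(directory, "credentials")
    with open(path, "w") as fh:
        fh.write(SAMPLE_CREDENTIALS)
    os.chmod(path, mode)
    return path


def demo():
    """Audits a world-readable copy first, then the same file tightened to 0600."""
    with tempfile.TemporaryDirectory() as tmp:
        loose = audit_credentials_file(write_sample(tmp, 0o644))
        tight = audit_credentials_file(write_sample(tmp, 0o600))
    return loose, tight
```

Profiles that only carry a role_arn hold no secret on disk, which is the CLI-side counterpart of the second access method above (an IAM role instead of static keys).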
EFS (Elastic File System)
Supports NFSv4. Pay as you use. Petabyte scale. Thousands of concurrent NFS connections. Read-after-write consistency.
Cluster placement group: for high performance computing requiring high throughput or low latency. Within a single AZ.
Spread placement group: for applications with a small number of critical instances that should be kept separate. Can span AZs.
Placement group names must be unique.
That is another short post; many more topics to come. We hope you are enjoying this series. Your feedback will help in improving our content, so please feel free to add it in the comments section.

AWS Solutions Architect Associate Certification preparation – short notes-II

We hope you have gone through the first post in our series on AWS Solutions Architect Associate certification preparation. This is a continuation of a few topics we covered in the first post. In this series of posts, we will be covering the topics required for you to prepare for the AWS Solutions Architect Associate examination, to help you in your certification journey.


Let’s continue with our contents.

S3 (continued)

Data-at-rest encryption can be achieved via:
SSE-S3 – server-side encryption with S3 managing the keys
SSE-KMS – the customer can define the keys in KMS (Key Management Service), available via AWS
SSE-C – using the customer's own key management system
Client-side encryption – encrypt the data before putting it in S3. The customer's responsibility.
Cross Region Replication: existing files (from before enabling CRR) are not replicated; deletions and delete markers are not replicated.


Edge location –
Origin – origin of the file; can be S3, EC2, an Elastic Load Balancer or Route53
Distribution – the name given to the CDN (collection of edge locations)
Web distribution – for websites
RTMP – for media streaming (Real Time Messaging Protocol, Adobe's media sharing protocol)

You can invalidate the cache content from CDN, but will be charged

Snowball – 50 and 80 TB variants. 1/5 the cost of network transfer. 256-bit encryption. Can import/export to/from S3.
Snowball Edge – 100 TB, with compute and storage.
Snowmobile – exabyte scale, up to 100 PB. For effective DC migration.
EC2
On-Demand plan – pay as you use (hours/minutes). Good for short-term testing, small workloads, dev and application testing. No upfront payment.
Reserved plan – 1 or 3 year contract, and cheaper.
Standard – up to 75% discount on pricing; the instance type can't be changed.
Convertible – flexibility of instance types.
Scheduled – for scheduled scalability.
Spot – like a share market: if the rate matches, you may get the instance.
If a spot instance is terminated by AWS, the partial hour is not charged; it is charged if the termination was initiated by the user.
Dedicated – physical server. Compliance or licensing use cases.
Boot drive can’t be encrypted by EC2, only additional drives can be encrypted. We have to use third party tools in OS (like bitlocker) for boot drive encryption.

Security groups :
When we create an inbound rule, the corresponding outbound rule is created automatically: security groups are stateful, while NACLs (Network ACLs) are stateless.
Can allow traffic for an IP or port, but can't deny: there is no deny option in security groups. It is possible with NACLs.
Everything is blocked by default in a security group; you have to go and allow what you want.
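To make the rule-number ordering of NACLs (from the VPC notes earlier on this page) and the stateful security group vs stateless NACL distinction concrete, here is an added Python model; it is not AWS code, and the rule tables, addresses and ports are constructed for the example:

```python
"""Simplified model of how an AWS network ACL (NACL) and a security group decide
whether a packet is admitted. Added example for these notes, not AWS code; every
rule table and packet below is constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Rule:
    protocol: str                      # "tcp", "udp" or "all"
    ports: Optional[Tuple[int, int]]   # inclusive destination port range; None = any
    cidr: str                          # peer prefix: source inbound, destination outbound
    action: str = "allow"              # "deny" only has meaning in a NACL
    number: int = 0                    # NACL rule number; unused by security groups


@dataclass(frozen=True)
class Packet:
    peer_ip: str        # remote host: source when inbound, destination when outbound
    peer_port: int      # remote port (a client's ephemeral port, for example)
    instance_port: int  # port on the EC2 instance side
    protocol: str = "tcp"


def rule_matches(rule, pkt, direction):
    """Protocol, destination port and peer prefix must all match; the destination
    port is the instance port for inbound packets and the peer port for outbound."""
    if rule.protocol not in ("all", pkt.protocol):
        return False
    dst_port = pkt.instance_port if direction == "in" else pkt.peer_port
    if rule.ports is not None and not rule.ports[0] <= dst_port <= rule.ports[1]:
        return False
    return ipaddress.ip_address(pkt.peer_ip) in ipaddress.ip_network(rule.cidr, strict=False)


def nacl_decision(rules, pkt, direction):
    """NACL: rules are tried in ascending rule-number order and the first match wins;
    with no match the implicit '*' rule denies. NACLs are stateless: inbound and
    outbound tables are evaluated independently, so replies need an outbound rule."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule_matches(rule, pkt, direction):
            return rule.action, rule.number
    return "deny", "*"


class SecurityGroup:
    """Security group: allow rules only, default deny, and stateful, so the reply
    of an admitted connection is allowed without any outbound rule."""

    def __init__(self, inbound):
        self.inbound = [r for r in inbound if r.action == "allow"]  # deny not expressible
        self.tracked = set()  # connections admitted inbound

    def inbound_decision(self, pkt):
        if any(rule_matches(r, pkt, "in") for r in self.inbound):
            self.tracked.add((pkt.peer_ip, pkt.peer_port, pkt.instance_port, pkt.protocol))
            return "allow"
        return "deny"

    def outbound_decision(self, pkt):
        """Only return traffic is modelled: allowed when its connection is tracked."""
        key = (pkt.peer_ip, pkt.peer_port, pkt.instance_port, pkt.protocol)
        return "allow" if key in self.tracked else "deny"


def admit_inbound(nacl_rules, sg, pkt):
    """Subnet boundary first (NACL); the instance's security group is consulted
    only if the NACL allowed the packet."""
    action, number = nacl_decision(nacl_rules, pkt, "in")
    if action == "deny":
        return "nacl", "deny by rule %s" % number
    return "sg", sg.inbound_decision(pkt)


# Constructed tables. Rule 100 allows TCP/80 and rule 200 denies it: the lower
# number wins, so port 80 stays open (the case described in the notes).
NACL_IN_ALLOW_FIRST = [Rule("tcp", (80, 80), "0.0.0.0/0", "allow", 100),
                       Rule("tcp", (80, 80), "0.0.0.0/0", "deny", 200)]
# The same two rules with the numbers swapped: the deny is evaluated first and wins.
NACL_IN_DENY_FIRST = [Rule("tcp", (80, 80), "0.0.0.0/0", "deny", 100),
                      Rule("tcp", (80, 80), "0.0.0.0/0", "allow", 200)]
# Outbound rule a stateless NACL needs so replies can reach clients' ephemeral ports.
NACL_OUT_REPLIES = [Rule("tcp", (1024, 65535), "0.0.0.0/0", "allow", 100)]

WEB_REQUEST = Packet("203.0.113.5", 40000, 80)  # client:40000 -> instance:80
WEB_REPLY = Packet("203.0.113.5", 40000, 80)    # instance:80 -> client:40000
SSH_PROBE = Packet("203.0.113.5", 40001, 22)    # no rule allows port 22


def walkthrough():
    """Runs the scenarios and returns every decision for inspection."""
    sg = SecurityGroup([Rule("tcp", (80, 80), "0.0.0.0/0")])
    return {
        "allow_first": nacl_decision(NACL_IN_ALLOW_FIRST, WEB_REQUEST, "in"),
        "deny_first": nacl_decision(NACL_IN_DENY_FIRST, WEB_REQUEST, "in"),
        "web_admitted": admit_inbound(NACL_IN_ALLOW_FIRST, sg, WEB_REQUEST),
        "ssh_stopped_at_nacl": admit_inbound(NACL_IN_ALLOW_FIRST, sg, SSH_PROBE),
        "sg_reply": sg.outbound_decision(WEB_REPLY),
        "nacl_reply_with_rule": nacl_decision(NACL_OUT_REPLIES, WEB_REPLY, "out"),
        "nacl_reply_without_rule": nacl_decision([], WEB_REPLY, "out"),
    }
```

The last two entries show the practical consequence of statelessness: the security group lets the web reply out because it tracked the request, while the NACL denies the same reply unless an explicit outbound rule for the ephemeral port range exists.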
Let’s continue the EC2 discussions and more topics in our next post. Hope you are enjoying reading the series. You are always welcome to post your comments/suggestions/feedback in the comments section below.

AWS Solutions Architect Associate Certification preparation – short notes-I

Cloud computing certifications are in very high market demand, and many of you are preparing or planning for cloud computing certifications. We recently had a series on the Azure Fundamentals (AZ900) certification preparation.

Now it is time for an AWS certification series.

Here we are starting a series on the AWS Solutions Architect Associate certification preparation. We recommend you attend a complete course on this topic or refer to the authentic documentation for your preparation. These posts are just for your revision, or to help you with some short notes on the course content.


Let’s get into the contents :


AWS Region, Availability Zones and Edge locations
Region : is a geographical area containing 2 or more Availability zones. Example Sydney, Singapore, Northern Virginia regions.
AZ : Availability zone can be considered as a datacenter. Or it can be more than one DC also. In case of any local disasters like flood or earthquake, we may have data unavailability/data loss scenario for any data in the AZ. But AWS makes sure that the data is having multiple copies in different AZs to ensure data availability.
Edge locations: the local endpoints from which customers access data. If a customer is far from the AZ where the data is stored, there may be latency in accessing it. To avoid this delay, data is cached at the edge locations. This is achieved by CloudFront, AWS's Content Delivery Network.
IAM (Identity Access Management)
Allows/Controls access to the AWS via user management. Shared access to the resource and centralised access control.
Makes Identity Federation (allowing login via different accounts including Facebook, google etc…) possible
Users : Users which access the AWS console
Groups : A set of users as in usual terms of access like AD (Groups for Finance, HR departments in an organization for example)
Policies : Are the defined policies of access, defining which account can do what task. These are saved in JSON (JavaScript Object Notation) format.
Roles : An identity which has a set of permission rules, can be assigned to different individuals/resources.
IAM is universal, any identity created in AWS is global (not specific to any region).
The root user is the user with which an AWS account is created. It has complete admin access. New users can be created and assigned permissions (a new user has no permissions when created).
An access key ID and a secret access key are provided when a new user is created. These can be used for accessing AWS resources via the CLI or APIs; they cannot be used for AWS console access.


S3 (Simple Storage Service)
S3 saves files in buckets. A bucket is a container or folder and must have a universally unique name.
Successful file upload – HTTP 200 code.
Files are saved as key (name), value (the actual file) and version.
Sub-resources – access control list and torrent.
11 9's (99.999999999%) durability and 99.99% availability guaranteed by Amazon. Data is saved at different sites, and S3 is designed to survive the loss of 2 sites at a time.
S3-IA (Infrequently Accessed) – lower-fee storage for infrequently accessed data.
S3 One Zone-IA – cheaper version of S3, data kept at one site (Reduced Redundancy Storage, RRS).
S3 Intelligent-Tiering – auto-tiering.
Multi-factor authentication can be enabled for delete operations to protect the data.
S3 Glacier and S3 Glacier Deep Archive – for archival. Deep Archive is the cheapest storage, but retrieval time is 12 hours. S3 is billed for storage capacity, number of access requests, tiers, transfer and cross-region replication.


Bucket policies – Works at the bucket level
ACL – works at the individual object level
Bucket access logging is possible and can be saved to a different bucket also.
We will discuss further on S3 and many other topics in the next post in this series. Hope this section was helpful for you.
Please share your suggestions/feedback in the comments section.

Azure Fundamentals (AZ900) certification preparation – short notes-V

We are into our 5th post in the Azure Fundamentals certification preparation notes series. If you haven't already gone through the previous posts, please have a look before starting here.

You can watch this video to learn how to register for the Azure training and get a certification voucher without any payment.


Few more things from the AZ900 curricula in continuation to the previous posts,

Monitoring and reporting
Azure Monitor : helps in monitoring how your applications are performing. This also helps in increasing the availability by identifying any failures proactively.
Data sources include Application monitoring data, guest-os monitoring data, Azure resource monitoring data, Azure subscription monitoring data, Azure tenant monitoring data.


– Application Insights: service for monitoring applications (availability, performance and usage)
– Azure Monitor for containers: service for monitoring container workloads.
– Azure Monitor for VMs: a service which monitors and analyses VM performance and health.

Azure Service Health :
– Azure status : About (service) outages in Azure.
– Azure service health : Service status and regions in Azure.
– Azure resource health : Health of the individual resources (VMs etc…)

Azure advisor :
– A dashboard giving recommendations on the subscriptions in 5 categories (HA,Security,Performance,Cost,Operational Excellence)
Account and Pricing
Azure SLA : SLA for support (uptime and Connectivity), mentioned in Percentage(%)
Service Credits: penalty (usually a reduction in the bill) given to customers if Azure misses SLAs.
Composite SLA : A combined SLA for the service/product considering the underlying component SLAs.


TCO calculator : An online tool to estimate the savings in migrating to Azure. Gives detailed report.
Azure marketplace : Lists third-party apps and services available for purchase for Azure
Azure Support plans: see the video at 2:59:24 or the screenshot.
Azure licensing : Using the existing windows/SQL purchased for on-prem in Azure. Azure HuB(Hybrid Use Benefit). BYoL – Bring your own license.
Azure subscriptions : Just your account.
– Free subscription : Free $200 credit for 30 days. Some things are free for 12 months
– Pay as you go : Charged at month-end based on usage.
– Enterprise
– Student : Free $100 credit for 12 months

Azure Pricing calculator : A tool for the pricing calculation.
Azure cost management : Gives detailed view on the spending.
That's it from the series here. For the complete series, click here.
Hope this series helped you in your certification journey. Please feel free to share your feedback/suggestions in the comments section.

Azure Fundamentals (AZ900) certification preparation – short notes-IV

Thanks for reading our first, second and third posts in this series. Let’s get into the 4th post of the series Azure Fundamentals (AZ900) certification preparation short notes.

The intention of this series is to help your preparation for the AZ900 certification, or for your revision before taking the exam.


So, let’s get into the contents…

IoT Services
IoT Central – Connects your IoT devices to cloud
IoT Hub – Secure communication between the IoT apps and their managed devices
IoT Edge – allows processing and analysis of IoT devices data. A service built on Azure IoT Hub.
Windows 10 IoT Core Services – A cloud services subscription


Bigdata services

Azure Synapse Analytics (formerly SQL Data Warehouse): intended to run SQL queries against large DBs.
HDInsight: run open-source analytics software such as Hadoop, Kafka and Spark.
Azure Databricks: an Apache Spark-based analytics platform for Azure. Third-party Databricks service within Azure.
Data Lake Analytics: large storage for raw big data. Analytics and reporting.

AI/ML services
Azure Machine Learning service: service for simplifying and running AI/ML workflows in Azure. Python, R or deep learning workloads such as TensorFlow.
Azure machine learning studio : Older service for AI/ML workloads

AI Services
Personalizer: personalized experience for every user.
Translator : real-time multi-language translator
Anomaly detector : detect anomalies in data and troubleshoot
Azure bot service : serverless bot service on-demand
Form recognizer : auto extraction of key/value, text, table etc.. from data
Computer vision : Content analysis from images
Language understanding : natural language understanding for apps,chat bots etc…
QnA maker : QnA bot. helps to create a question-answer structure over the data
Text analysis : helps in sentiment analysis. identifying names, phrases etc…
Content moderator : helps to detect potentially offensive content
Face : helps to identify the people and the emotions from images etc…
Ink recognizer : digital ink recognizer, such as handwriting, shapes etc…

Serverless services
Functions : serverless compute. No need to provision/manage any servers.
Azure blob storage : blob storage service
Logic apps : allows you to build serverless workflows composed of Azure functions, building a state machine for serverless compute
Event grid : Pub/sub type. Allowing to react to events and trigger other services like Functions

Visual studio code : code editor

Regulation and compliance
Azure trust center : Online portal where we can check the security and regulatory compliance info (example GDPR – General Data protection Regulation)
Azure security compliance programs (video 2:16:30):
– CJIS (Criminal Justice Information Services) – must be compliant to access the FBI's CJIS database
– Cloud Security Alliance (STAR certification) – third party
– GDPR – European law applying to any organisation that collects and analyzes data tied to EU residents
– EU Model Clauses – transfers of data outside the EU
– HIPAA (Health Insurance Portability and Accountability Act) – protected health information of patients
– ISO 27018 – processing of personal information by cloud service providers

Azure Active Directory
Azure AD comes in four flavors:
Free – MFA, SSO and basic security settings
Office 365 Apps – company branding, two-way sync between on-prem and cloud
Premium P1 – hybrid architecture
Premium P2 – identity protection and identity governance

Azure security Center : Infrastructure security management system – A UI with lots of options.
Azure key vault : Stores and manages tokens/keys etc…
– Secret management – keys,tokens,certificates etc…
– Key management – Encryption key creation and management
– Certificate management – manages SSL certificates
– HSM – Keys and secrets managed by FIPS compliant Hardware-Security-Module (FIPS 140-2 compliance for multi-tenant and FIPS 140-3 for single tenant)


Protection
Azure DDoS Protection: basic protection is always on and free. The advanced version is paid and has more features, including reporting, expert support and SLAs.
Azure Firewall: network protection. High availability built in, no load balancers required.
Azure Information Protection: integrates with Outlook. Protects sensitive data by encryption, restricted access, etc.
RBAC (role-based access control):
– Security principal: the identities requesting access to an Azure resource: user, group, service principal (a security identity used to access Azure resources) and managed identity (an identity in Azure AD managed by Azure).
– Scope: defines the scope of a role. Controls at management group, subscription or resource group level.
– Role definition: the set of permissions granted, e.g. read/write/delete.

Lock Resources : Locking to avoid unexpected deletion etc… CanNotDelete(Delete), Read-Only are types of locks.
Management groups : Adding subscriptions (accounts) to a management group will have all the permissions on it. Accounts under “Finance” group will have permissions required for that team/group/dept (example)
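How the three RBAC elements, scope inheritance through management groups, and resource locks interact is easier to see in code. The following is an added example written for this page, not code from the original notes or from Microsoft: the role definitions are a simplified subset of the built-in Owner, Contributor and Reader roles, and the management-group hierarchy, subscription ID, principals, group and lock are all constructed.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, Optional, Set


@dataclass(frozen=True)
class RoleDefinition:
    actions: frozenset      # permission patterns the role grants
    not_actions: frozenset  # patterns subtracted from `actions`


# Simplified subset of Azure built-in roles (assumption: the real definitions
# list many more entries). Contributor cannot manage access or locks.
ROLES: Dict[str, RoleDefinition] = {
    "Owner": RoleDefinition(frozenset({"*"}), frozenset()),
    "Contributor": RoleDefinition(
        frozenset({"*"}),
        frozenset({"Microsoft.Authorization/*/Write", "Microsoft.Authorization/*/Delete"}),
    ),
    "Reader": RoleDefinition(frozenset({"*/read"}), frozenset()),
}


@dataclass(frozen=True)
class RoleAssignment:
    principal: str  # user or group name
    role: str
    scope: str


@dataclass(frozen=True)
class ResourceLock:
    scope: str
    level: str  # "CanNotDelete" or "ReadOnly"


def matches(pattern: str, action: str) -> bool:
    """Azure compares action strings case-insensitively; '*' spans '/' as in fnmatch."""
    return fnmatchcase(action.lower(), pattern.lower())


def role_permits(role: RoleDefinition, action: str) -> bool:
    granted = any(matches(p, action) for p in role.actions)
    excluded = any(matches(p, action) for p in role.not_actions)
    return granted and not excluded


def ancestors(scope: str, parent_of: Dict[str, Optional[str]]):
    """Yield the scope itself, then each parent up to the root management group."""
    current: Optional[str] = scope
    while current is not None:
        yield current
        current = parent_of.get(current)


def identities(principal: str, groups: Dict[str, Set[str]]) -> Set[str]:
    """The principal plus every group it belongs to (group assignments count)."""
    return {principal} | {g for g, members in groups.items() if principal in members}


def rbac_allows(principal, action, scope, assignments, groups, parent_of) -> bool:
    """An assignment at any ancestor scope is inherited by the resource."""
    ids = identities(principal, groups)
    for s in ancestors(scope, parent_of):
        for a in assignments:
            if a.principal in ids and a.scope == s and role_permits(ROLES[a.role], action):
                return True
    return False


def blocking_lock(action, scope, locks, parent_of) -> Optional[ResourceLock]:
    """Locks are inherited and apply to everyone, Owner included. They do not
    guard their own management: only RBAC limits who may remove a lock."""
    if matches("Microsoft.Authorization/locks/*", action):
        return None
    is_delete = action.lower().endswith("/delete")
    is_read = action.lower().endswith("/read")
    for s in ancestors(scope, parent_of):
        for lock in locks:
            if lock.scope != s:
                continue
            if lock.level == "ReadOnly" and not is_read:
                return lock
            if lock.level == "CanNotDelete" and is_delete:
                return lock
    return None


def evaluate(principal, action, scope, assignments, locks, groups, parent_of) -> str:
    """RBAC decides whether the caller may act at all; a lock can still veto it."""
    if not rbac_allows(principal, action, scope, assignments, groups, parent_of):
        return f"Denied: no role assignment grants {action}"
    lock = blocking_lock(action, scope, locks, parent_of)
    if lock is not None:
        return f"Denied: {lock.level} lock at {lock.scope}"
    return "Allowed"


# Constructed hierarchy: root MG -> finance MG -> subscription -> RG -> storage account.
MG_ROOT = "/providers/Microsoft.Management/managementGroups/root"
MG_FIN = "/providers/Microsoft.Management/managementGroups/finance"
SUB = "/subscriptions/11111111-1111-1111-1111-111111111111"
RG = SUB + "/resourceGroups/payroll-rg"
SA = RG + "/providers/Microsoft.Storage/storageAccounts/payrollsa"
PARENT: Dict[str, Optional[str]] = {MG_ROOT: None, MG_FIN: MG_ROOT, SUB: MG_FIN, RG: SUB, SA: RG}

GROUPS = {"finance-admins": {"alice"}}                      # constructed group membership
ASSIGNMENTS = [
    RoleAssignment("finance-admins", "Contributor", MG_FIN),  # inherited by everything below
    RoleAssignment("bob", "Reader", SUB),
    RoleAssignment("carol", "Owner", MG_ROOT),
]
LOCKS = [ResourceLock(RG, "CanNotDelete")]                 # protects every resource in the RG


def check(principal: str, action: str, scope: str) -> str:
    return evaluate(principal, action, scope, ASSIGNMENTS, LOCKS, GROUPS, PARENT)
```

Two points the model makes visible: alice's Contributor assignment at the finance management group reaches the storage account four levels down, yet cannot touch role assignments or locks because of the role's NotActions; and the CanNotDelete lock on the resource group stops carol's delete even though she is Owner at the root, while nothing but RBAC stops her removing the lock first.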
That’s it for part-4.

Azure Fundamentals (AZ900) certification preparation – short notes-III

In continuation of our previous two posts, here is the third post in the Azure Fundamentals certification preparation series. As mentioned in our first post, we recommend that you read the complete documentation on the Microsoft Docs page.

We recommend you to go thru the first post and the second post before starting with this post.


So, here are the part-3 contents.

App integration services
Azure Notification Hubs : push notification engine - send push notifications to any platform (iOS, Android, Windows) from any backend
Azure API Apps : App Service feature for building and hosting APIs in the cloud; routes API calls to Azure services
Azure Service Bus : reliable enterprise messaging as a service (queues and topics/subscriptions) and simple hybrid integration
Azure Stream Analytics : serverless real-time analytics, from cloud to edge
Azure Logic Apps : schedule, automate and orchestrate tasks, business processes and workflows; integrates enterprise SaaS and enterprise apps
Azure API Management : hybrid, multi-cloud API gateway placed in front of existing APIs to add authentication, rate limiting, caching and analytics
Azure Queue storage : simple message queue - a data store for queuing and delivering messages between apps


Dev and Mobile tools
Azure SignalR Service : easily add real-time web functionality (server push over WebSockets) to apps; Azure's equivalent of Pusher
Azure App Service : easy-to-use PaaS for deploying web apps written in .NET, Node.js, Java, Python or PHP without managing the underlying infrastructure; comparable to Heroku
Visual Studio : full IDE designed for building apps for Azure (not the lightweight Visual Studio Code editor)
Xamarin : mobile-app framework - create cross-platform mobile apps with .NET and Azure

Azure DevOps services
Azure Boards : Kanban-style boards and agile tools to plan, track and discuss work across teams for faster delivery
Azure Pipelines : CI/CD (continuous integration / continuous delivery) pipelines that build, test and deploy from GitHub or any other Git provider
Azure Repos : unlimited cloud-hosted private Git repositories for development
Azure Test Plans : manual and exploratory testing tools to test and ship with confidence
Azure Artifacts : create, host and share packages (NuGet, npm, Maven, Python) with your team and consume them from pipelines
Azure DevTest Labs : easy way to create and manage dev/test environments, with policies, quotas and auto-shutdown to control cost

ARM (Azure Resource Manager) : the deployment and management layer for Azure and an example of IaC (Infrastructure as Code). Resources are created programmatically and repeatably from a declarative JSON template.
Azure Quickstart Templates : a community-driven library of ready-made ARM templates.

Networking services
VNet and Subnet : you need a VNet with a broad network CIDR range, which is divided into multiple subnets (for example a public-facing tier and a private tier). Azure reserves 5 addresses in every subnet (network, gateway, two for Azure DNS, broadcast) and the smallest subnet allowed is a /29.
For example the VNet can be 10.0.0.0/16 and two subnets 10.0.1.0/24 and 10.0.10.0/24.
Cloud-native networking services : Azure DNS, VNet, Azure Load Balancer (transport layer), Application Gateway (layer-7 load balancer for web apps, optionally with a WAF), Network Security Groups (stateful allow/deny rules attached to subnets or NICs)
Enterprise/Hybrid networking services :
Azure Front Door : secure global (layer-7) entry point for fast delivery of your global apps
Azure ExpressRoute : private, dedicated connection between on-prem and Azure that does not traverse the public internet (50 Mbps to 10 Gbps)
Virtual WAN : single operational interface that brings many networking, security and routing functions together
Connection : the VPN connection object that links a virtual network gateway to a local network gateway (on-prem) or to another VNet
Virtual Network Gateway : terminates site-to-site (IPsec/IKE) VPN or ExpressRoute connections between an Azure VNet and your local network
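The VNet/subnet note above is the kind of address plan that is easy to get wrong by hand (a subnet outside the VNet range, two subnets that overlap, a /30 that Azure will reject, or a host address typed where a network address belongs). The following validator is an added example written for this page, not code from the original notes or from Microsoft; it uses only Python's standard ipaddress module, and the sample plans it checks are constructed. The 5 reserved addresses and /29 minimum are Azure's documented limits.

```python
import ipaddress
from typing import Dict, List

# Azure reserves 5 addresses in every subnet: the network address, the default
# gateway (x.x.x.1), two for Azure DNS (x.x.x.2 and x.x.x.3) and the broadcast
# address. The smallest subnet Azure accepts is a /29.
AZURE_RESERVED_PER_SUBNET = 5
AZURE_MIN_PREFIX = 29


def usable_hosts(cidr: str) -> int:
    """Addresses left for your NICs after Azure's reservations (a /29 gives 3)."""
    net = ipaddress.ip_network(cidr, strict=True)
    return max(net.num_addresses - AZURE_RESERVED_PER_SUBNET, 0)


def validate_plan(vnet_cidr: str, subnets: Dict[str, str]) -> List[str]:
    """Check subnets against the VNet range. Returns a list of problems (empty = valid).

    Checks that each CIDR is well formed with no host bits set, lies inside the
    VNet, is no smaller than /29, and does not overlap any other subnet.
    """
    problems: List[str] = []
    vnet = ipaddress.ip_network(vnet_cidr, strict=True)
    parsed = {}
    for name, cidr in subnets.items():
        try:
            net = ipaddress.ip_network(cidr, strict=True)  # strict: rejects 10.0.3.5/24
        except ValueError as exc:
            problems.append(f"{name}: {exc}")
            continue
        if net.version != vnet.version or not net.subnet_of(vnet):
            problems.append(f"{name}: {net} is not inside VNet {vnet}")
        if net.prefixlen > AZURE_MIN_PREFIX:
            problems.append(f"{name}: /{net.prefixlen} is smaller than Azure's /{AZURE_MIN_PREFIX} minimum")
        parsed[name] = net
    names = sorted(parsed)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if parsed[a].overlaps(parsed[b]):
                problems.append(f"{a} ({parsed[a]}) overlaps {b} ({parsed[b]})")
    return problems


def plan_summary(vnet_cidr: str, subnets: Dict[str, str]) -> Dict[str, int]:
    """Usable host count per subnet; raises if the plan fails validation."""
    problems = validate_plan(vnet_cidr, subnets)
    if problems:
        raise ValueError("; ".join(problems))
    return {name: usable_hosts(cidr) for name, cidr in subnets.items()}


if __name__ == "__main__":
    # The plan from the note above (constructed): valid, 251 usable hosts per /24.
    print(plan_summary("10.0.0.0/16", {"web": "10.0.1.0/24", "app": "10.0.10.0/24"}))
    # A deliberately broken plan (constructed) to show each failure mode.
    for problem in validate_plan("10.0.0.0/16", {
        "web": "10.0.1.0/24", "app": "10.0.1.128/25", "db": "10.1.0.0/24",
        "tiny": "10.0.2.0/30", "typo": "10.0.3.5/24",
    }):
        print("problem:", problem)
```

Run this before a deployment template is submitted: ARM will reject an overlapping or out-of-range subnet too, but only after the rest of the deployment has started, and the 5-address reservation is the usual reason a "/28 for four VMs" plan runs out of addresses.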

Azure Traffic Manager : DNS-based routing of incoming requests to endpoints according to the routing method set and the results of endpoint health probes.
Routing methods: Weighted, Performance, Priority, Geographic, MultiValue, Subnet. It decides which endpoint/server instance an application request should go to; the client then connects to that endpoint directly, so Traffic Manager never sees the application traffic.
Azure DNS : create and manage DNS zones and records (A, CNAME, SOA, NS etc.); it does not sell domain names.
Azure Load Balancer : operates at the transport layer (layer 4). Can be public-facing or internal.
Scale Set (Virtual Machine Scale Sets) : allows a group of identical VMs to be added or removed automatically based on demand or a schedule.
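The routing methods above are easiest to understand as functions over the endpoint list plus probe health. The simulation below is an added example written for this page, not code from the original notes or from Microsoft's service; it implements the Priority, Weighted and Performance methods over constructed endpoints, a constructed latency table standing in for Traffic Manager's own latency measurements, and hostnames under example.net that are assumptions.

```python
import random
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Endpoint:
    name: str
    target: str            # DNS name handed to the client; traffic never passes through Traffic Manager
    region: str
    healthy: bool = True   # result of the latest health probe
    priority: int = 1      # lower number = preferred (Priority method)
    weight: int = 1        # relative share of answers (Weighted method)


# Constructed latency table (ms) from client location to endpoint region.
LATENCY_MS: Dict[tuple, int] = {
    ("eu-client", "westeurope"): 10, ("eu-client", "eastus"): 90,
    ("us-client", "westeurope"): 95, ("us-client", "eastus"): 12,
}


def sample_endpoints() -> List[Endpoint]:
    """Constructed two-region deployment: West Europe primary, East US secondary."""
    return [
        Endpoint("primary", "primary.westeurope.example.net", "westeurope", priority=1, weight=70),
        Endpoint("secondary", "secondary.eastus.example.net", "eastus", priority=2, weight=30),
    ]


def healthy_only(endpoints: List[Endpoint]) -> List[Endpoint]:
    """Every method skips endpoints whose probe failed; they are never answered."""
    return [e for e in endpoints if e.healthy]


def route_priority(endpoints: List[Endpoint]) -> Optional[Endpoint]:
    """Failover: the healthy endpoint with the lowest priority value is always returned."""
    live = healthy_only(endpoints)
    return min(live, key=lambda e: e.priority) if live else None


def route_weighted(endpoints: List[Endpoint], rng: random.Random) -> Optional[Endpoint]:
    """Each answer is drawn in proportion to endpoint weight (e.g. 70/30 for a canary)."""
    live = healthy_only(endpoints)
    if not live:
        return None
    return rng.choices(live, weights=[e.weight for e in live], k=1)[0]


def route_performance(endpoints: List[Endpoint], client: str,
                      latency: Dict[tuple, int] = LATENCY_MS) -> Optional[Endpoint]:
    """Lowest measured latency from the client's location wins; unknown pairs rank last."""
    live = healthy_only(endpoints)
    if not live:
        return None
    return min(live, key=lambda e: latency.get((client, e.region), float("inf")))


def resolve(method: str, endpoints: List[Endpoint], client: str = "",
            rng: Optional[random.Random] = None) -> Optional[str]:
    """Return the DNS target a client would receive, or None if no endpoint is healthy."""
    if method == "Priority":
        chosen = route_priority(endpoints)
    elif method == "Weighted":
        chosen = route_weighted(endpoints, rng or random.Random())
    elif method == "Performance":
        chosen = route_performance(endpoints, client)
    else:
        raise ValueError(f"unsupported routing method {method!r}")
    return chosen.target if chosen else None


def weighted_distribution(endpoints: List[Endpoint], draws: int, seed: int) -> Dict[str, int]:
    """Count how often each endpoint is answered over `draws` seeded lookups."""
    rng = random.Random(seed)
    counts = {e.name: 0 for e in endpoints}
    for _ in range(draws):
        chosen = route_weighted(endpoints, rng)
        if chosen:
            counts[chosen.name] += 1
    return counts
```

One caveat the simulation cannot show: the answer is a DNS record that resolvers cache for the record's TTL, so after a probe marks the primary unhealthy, clients keep connecting to it until their cached answer expires. Failover time is bounded by TTL plus probe interval, not by the routing logic.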
More details in the next post.

Azure Fundamentals (AZ900) certification preparation – short notes-II

Second post from our Azure Fundamentals (AZ900) certification preparation notes. If you haven’t gone through the first post in this series, you can find it here.

This series intends to help those who are preparing for the AZ900 certification, so that you don’t have to go through the complete documentation. It also helps with revision if you have already prepared for your exam.


So, let’s get into the contents in this section.

Azure Regions, AZs, Geography and Datacenters

AZ (Availability Zone) – one or more physically separate datacenters within a region, each with independent power, cooling and networking. Best practice is to spread a workload across AZs for HA; VMs deployed across two or more zones get a 99.99% SLA.
Availability Set : ensures that VMs are placed in different racks (fault domains) in the same datacenter; VMs in an availability set get a 99.95% SLA.


Fault domain : grouping of hardware (rack, power, network switch) that can fail together; spreading VMs across fault domains avoids a single point of failure.
Update domain : grouping of hardware that is rebooted together during planned maintenance; only one update domain is updated at a time, so spreading VMs across them keeps the workload up during software updates.
Region – a set of datacenters connected by a low-latency network. Geography – the data-residency and compliance boundary (data stays within the country/area boundary); each geography has at least two regions at a large physical distance from each other.
Recommended region : broadest service capabilities, designed to support AZs.
Alternate (other) region : a region within the same data-residency boundary (geography) as a recommended region, extending that geography's footprint; not designed to support AZs.

Special regions : for legal and compliance requirements, mainly for governments. China and the US have a few special regions (US DoD Central, US Gov Virginia, US Gov Iowa, China East etc.) that are operated separately from the global Azure cloud.
Three categories of services
Foundational : once the service is GA it is available immediately (or within 12 months) in all recommended and alternate regions
Mainstream : once GA, available immediately (or within 12 months) in recommended regions; available in alternate regions on customer demand
Specialized : available in any region based on customer demand
Compute services
Azure VMs : the most common compute service (IaaS). Choose your own OS and hardware size; the underlying physical hardware is shared with other customers unless you pay for dedicated hosts.
Azure Container Instances (ACI) : Docker containers as a service. Run containers without managing any servers or VMs.
Azure Kubernetes Service (AKS) : Kubernetes as a service to deploy, manage and scale containerised apps using open-source Kubernetes.
Azure Service Fabric : tier-1 enterprise distributed-systems platform and container service. Runs on Azure or on-premises.
- Easy to package, deploy and manage scalable and reliable microservices.
Azure Functions : serverless compute. No need to provision or manage any servers; billed per execution.
Azure Batch : plans, schedules and executes large-scale batch compute jobs across pools of VMs.


Storage Services
Azure Blob storage : object storage
Azure Disk storage : block storage (VM disks)
Azure File storage : managed NAS (SMB/NFS file shares)
Azure Queue storage : messaging queue for apps (comparable to SQS in AWS, not SNS)
Azure Table storage : NoSQL key/value table storage
Azure Data Box / Data Box Heavy : appliances for physically moving TBs/PBs of data (AWS Snowball equivalent)
Azure Archive storage : cheapest long-term cold storage tier; data must be rehydrated before it can be read (AWS Glacier equivalent)
Azure Data Lake Storage : centralised repository for all structured/unstructured data at any scale (big data analytics)

Database services
Azure Cosmos DB : fully managed, globally distributed NoSQL DB
Azure SQL DB : fully managed MS SQL Server-compatible database (PaaS)
Azure DB for MySQL/PostgreSQL/MariaDB : fully managed MySQL, PostgreSQL and MariaDB, scalable and highly available
SQL Server on VMs : MS SQL engine on IaaS VMs; lift-and-shift MS SQL servers from on-prem to cloud
Azure Synapse Analytics (formerly Azure SQL Data Warehouse) : fully managed data warehouse on cloud with security and scale
Azure Database Migration Service : migrates your databases to Azure with minimal downtime
Azure Cache for Redis : managed (open-source) Redis cache in front of your DBs for performance
Azure Table storage : wide-column NoSQL store for unstructured data, independent of schema

More details in the next section.
