Quick Study Guide for AZ-900 Azure Fundamentals
Short summary of the resources I used and the Cheat Sheet I created to study for the exam. It took me 2 weeks to watch the courses, create the cheat sheet, do the simulated exams and finally take the exam.
Resources used to Prepare for the Exam
Below is a list with all the resources I used to prepare for the Exam. I went through all of them, and I created the Cheat sheet (below) from the content of these resources.
- Official Microsoft certification documentation and study material. I did the full course: https://docs.microsoft.com/en-us/learn/certifications/azure-fundamentals/
- Pluralsight course for the Certification. I did it after I finished the Microsoft official course. I did this one because my company had the subscription for it, but you can take it from any other website (Udemy, for example): https://app.pluralsight.com/paths/certificate/microsoft-azure-fundamentals-az-900
- Simulated exam (I could use it because my company was paying to access the “ESI” platform): https://esi.microsoft.com/getcertification
- Another blogpost with a nice cheat sheet, explaining his steps to study / pass the exam: https://servian.dev/azure-az-900-exam-preparation-guide-how-to-pass-in-3-days-dabf5534507a
- Doc from Microsoft with all the topics that the exam will cover. It was somewhat useful to check if I had studied everything, but it was not complete / up-to-date: https://aka.ms/az-900examguide
Cheat sheet (Last update on May 2022 — can be outdated)
This is the Cheat sheet I created to study for the exam.
Cloud Models
Public Cloud: Services are offered over the public internet and available to anyone who wants to purchase them. Benefits: High availability, Scalability, Elasticity, Agility, Geo-Distribution, Disaster Recovery.
Private Cloud: A private cloud consists of computing resources used exclusively by users from one business or organization.
Hybrid Cloud: computing environment that combines a public cloud and a private cloud by allowing data and applications to be shared between them.
Cloud bursting: when the on-premises compute infrastructure is saturated, cloud-based resources come online to address the increased workload.
CapEx — Capital Expenditure: is the up-front spending of money on physical infrastructure, and then deducting that up-front expense over time. The up-front cost from CapEx has a value that reduces over time via depreciation or amortization.
OpEx — Operational Expenditure: is spending money on services or products now, and being billed for them now. You can deduct this expense in the same year you spend it. There is no up-front cost, as you pay for a service or product as you use it.
IaaS — Infrastructure as a Service: closest to managing physical servers; a cloud provider will keep the hardware up-to-date (including storage), but operating system maintenance and network configuration are up to you as the cloud tenant.
PaaS — Platform as a Service: The cloud provider manages the virtual machines and networking resources, and the cloud tenant deploys their applications into the managed hosting environment. For example, Azure App Service.
SaaS — Software as a Service: cloud provider manages all aspects of the application environment
Consumption and fixed cost models:
- Consumption-based price: You are charged for only what you use. This model is also known as the Pay-As-You-Go rate.
- Fixed price: You provision resources and are charged for those instances whether or not they are used.
Core Components
Region: A region is a geographical area on the planet that contains at least one but potentially multiple datacenters
Availability zones: physically separate data centers within an Azure region.
Azure region pairs: Each Azure region is always paired with another region within the same geography (such as US, Europe, or Asia) at least 300 miles away.
Resources: Resources are instances of services that you create, like virtual machines, storage, or SQL databases.
Resource groups: Resources are combined into resource groups, which act as a logical container into which Azure resources like web apps, databases, and storage accounts are deployed and managed. Resource groups are also a scope for applying role-based access control (RBAC) permissions. When locking a resource group, you also lock all resources contained in that group; you also cannot add/remove resources when it’s locked. A Resource Group can contain resources from any region.
Subscriptions: A subscription groups together user accounts and the resources that have been created by those user accounts. For each subscription, there are limits or quotas on the amount of resources that you can create and use. You can use it to segregate by: Billing, Access Control, Subscription limits, Environments, Organization Structures.
- Free trial: A free trial subscription provides you with 12 months of popular free services, a credit to explore any Azure service for 30 days, and more than 25 services that are always free.
- Pay-as-you-go: A pay-as-you-go subscription lets you pay for what you use by attaching a credit or debit card to your account. Organizations can apply for volume discounts and prepaid invoicing.
- Member offers: Your existing membership to certain Microsoft products and services might provide you with credits for your Azure account, and reduced rates on Azure services. For example, member offers are available to Visual Studio subscribers, Microsoft Partner Network members, Microsoft for Startups members, and Microsoft Imagine members.
Management groups: These groups help you manage access, policy, and compliance for multiple subscriptions. All subscriptions in a management group automatically inherit the conditions applied to the management group.
Azure Resource Manager — ARM: Azure Resource Manager is the deployment and management service for Azure. It provides a management layer that enables you to create, update, and delete resources in your Azure account. You can: 1) Manage your infrastructure through declarative ARM templates: JSON files that define what you want to deploy to Azure. 2) Apply access control to all services, because RBAC is natively integrated into the management platform.
Role-based Access Control — RBAC: built-in roles that describe common access rules for cloud resources. RBAC uses an “allow” model. When you’re assigned a role, RBAC allows you to perform certain actions, such as read, write, or delete. From a “Resource” you grant “Roles” to “Users”. There are 3 standard Roles:
- Owner Role: Lets you manage everything, including access permissions to resources.
- Contributor: Lets you manage everything except granting access to resources.
- Reader: Lets you view everything, but not make changes
Resource Lock: prevents resources from being accidentally deleted or changed. It can be: CanNotDelete or ReadOnly.
Azure Management Tools
The Azure portal: web-based user interface through which you can access virtually every feature of Azure.
The Azure mobile app: provides iOS and Android access to your Azure resources when you’re away from your computer.
Azure PowerShell: a shell with which developers, DevOps and IT professionals can execute commands called cmdlets (pronounced command-lets). Can run both on Windows and Linux.
Azure CLI: The Azure command-line interface (CLI) is an executable program with which you execute commands in Bash.
Azure Cloud Shell: an interactive, authenticated, browser-accessible shell for managing Azure resources. Works with either Bash or PowerShell. Times out after 20 minutes. The machine hosting Cloud Shell is free, with a prerequisite of a mounted Azure Files share. You need a Storage Account for this.
ARM templates: With Azure Resource Manager templates (ARM templates), you can describe the resources you want to use in a declarative JSON format. The benefit is that the entire ARM template is verified before any code is executed to ensure that the resources will be created and connected correctly.
Networking
Azure Virtual Network (VNet): Connects VMs to incoming virtual private network (VPN) connections.
Subnet: Within each virtual network address range, you can create one or more subnets that partition the virtual network’s address space
Route table: A route table allows you to define rules about how traffic should be directed. You can create custom route tables that control how packets are routed between subnets.
Network security group — NSG: Network security groups have security rules that enable you to filter the type of network traffic that can flow in and out of virtual network subnets and network interfaces. You create the network security group separately for reuse. It works as “Allow” and “Deny”. They are numbered rules, 0 has highest priority. Rules are stateful, so if you allow inbound, then automatically you will be allowing outbound as well.
Application security group — ASG: ASGs are used within an NSG to apply a network security rule to a specific scope (resource group, for example). This provides the capability to group VMs into associated groups or workloads, simplifying the NSG rule definition process. This helps when you automate deployments of apps that can be scaled, because you don’t need to constantly change the NSGs. Create an ASG pointing to a scope (resource) -> Create a network rule on the NSG pointing to the ASG (which then points to the resources).
VM internet: A VM in Azure can’t connect to the internet by default. You can enable incoming connections from the internet by assigning a Public IP Address (this is a Resource) to the VM or by putting the VM behind a public load balancer.
Virtual Network Peering: connect VNets together — they can be in different regions. Traffic flows privately via the MS network.
Private Endpoint and Azure Private Link: You can create a Private Endpoint using Azure Private Link to securely connect (linking) to Azure PaaS services outside the VNet from inside the VNet. Ex.: Bring Azure Storage into your VNet.
NAT Gateway (Network Address Translation): A NAT gateway is a fully managed and highly resilient Network Address Translation (NAT) service. Provides outbound access to the internet for private subnets. The instance on a private subnet sends internet-bound traffic to the NAT gateway. The NAT gateway sends the traffic to the internet gateway.
BastionHost: service you deploy that lets you connect to a virtual machine using your browser and the Azure portal. The Azure Bastion service is a fully platform-managed PaaS service that you provision inside your virtual network. It provides secure and seamless RDP/SSH connectivity to your virtual machines directly from the Azure portal over TLS.
Service endpoints: use it to connect VM to other Azure resources. This approach improves security and provides optimal routing between resources.
Azure VPN Gateway: encrypted over the internet — Accesses Azure Virtual Networks through high-performance VPN gateways.
- Point-to-site virtual private networks: The typical approach to a virtual private network (VPN) connection is from a computer outside your organization, back into your corporate network. In this case, the client computer initiates an encrypted VPN connection to connect that computer to the Azure virtual network.
- Site-to-site virtual private networks: A site-to-site VPN links your on-premises VPN device or gateway to the Azure VPN gateway in a virtual network. In effect, the devices in Azure can appear as being on the local network. The connection is encrypted and works over the internet.
- Connect two VNets over the Internet.
Azure ExpressRoute: not encrypted under MS and partner network — Connects to Azure over high-bandwidth dedicated secure connections. Provides dedicated private connectivity to Azure that doesn’t travel over the internet; this offers more reliability, faster speeds, consistent latencies, and higher security than typical connections over the Internet.
Azure ExpressRoute Direct: fastest ExpressRoute — more expensive. Up to 100 Gbps. Good for migrations, for example.
Azure Load Balancer: Balances inbound and outbound connections to applications or service endpoints. Can use it to allow incoming traffic from the Internet — Public Load Balancer.
Azure Application Gateway: Optimizes app server farm delivery while increasing application security. Features: SSL, autoscale, advanced routing (based on HTTP headers, for example), and a Web Application Firewall.
Azure DNS: Provides ultra-fast DNS responses and ultra-high domain availability.
Azure Traffic Manager: Distributes network traffic across Azure regions worldwide.
Azure Content Delivery Network — CDN: Delivers high-bandwidth content to customers globally.
Azure Network Watcher: Monitors and diagnoses network issues by using scenario-based analysis.
Azure DDoS Protection: Protects Azure-hosted applications from distributed denial of service (DDoS) attacks. Service tiers: Basic (free) and Standard (paid). Can be shared across multiple Subscriptions.
Azure Firewall: Implements high-security, high-availability firewall with unlimited scalability. Managed cloud-based network security service that protects your Azure Virtual Network resources.
User-defined routes — UDR: Allows network administrators to control the routing tables between subnets within a VNet, as well as between VNets. Ex.: when you want all outbound traffic to the internet to pass over a specific route / service so you can monitor / control it.
Compute
Azure Virtual Machines: Windows or Linux virtual machines (VMs) hosted in Azure.
Azure Dedicated Host: provides dedicated physical servers to host your Azure VMs for Windows and Linux. Usually for compliance reasons. Is subscription specific (not shared).
Azure Virtual Machine Scale Sets: Scaling for VMs hosted in Azure.
Azure Container Instances — ACI: Containerized apps run on Azure without provisioning servers or VMs. Fastest and simplest way to run a container in Azure. Only Azure Files is available for storage when using ACI.
Azure Kubernetes Service — AKS: Cluster management for VMs that run containerized services. It is a complete orchestration service for containers with distributed architectures and large volumes of containers.
Azure Container Registry: Microsoft’s own hosting platform for Docker images.
Azure App Service: With Azure App Service, you can quickly build, deploy, and scale enterprise-grade web, mobile, and API apps running on any platform. Can also deploy Container files. You can meet rigorous performance, scalability, security, and compliance requirements while using a fully managed platform to perform infrastructure maintenance. App Service is a platform as a service (PaaS) offering. It has a Tier option, which allows you to indicate if you want to run on a shared VM or dedicated VM.
Azure Service Fabric: Distributed systems platform that runs in Azure or on-premises.
Azure Batch: Managed service for parallel and high-performance computing applications.
Azure Functions: An event-driven, serverless compute service. When you’re concerned only about the code running your service, and not the underlying platform or infrastructure, using Azure Functions is ideal. Functions are commonly used when you need to perform work in response to an event (an HTTP request, a new message on a queue, a message on a timer, or an event from another Azure service), and when that work can be completed quickly, within seconds or less. Can be written in: C#, Python, JavaScript, TypeScript, Java, and PowerShell.
Azure Logic Apps: Low-Code / No-Code development platform to help automate business processes and workflows when you need to integrate apps, data, systems, and services across enterprises or organizations. Workflows can be triggered by other Azure Services / other connectors. Logic apps are similar to functions.
Storage
Azure Disk Storage: provides disks for Azure virtual machines. It comes on SSD (mission critical) or HDD (non-mission critical) disks.
Azure Blob storage: Object storage service for very large objects, such as video files or bitmaps.
- Hot access tier: Optimized for storing data that is accessed frequently (for example, images for your website).
- Cool access tier: Optimized for data that is infrequently accessed and stored for at least 30 days
- Archive access tier: Appropriate for data that is rarely accessed and stored for at least 180 days, with flexible latency requirements. Not available on Account level.
Azure File storage: fully managed file shares in the cloud that are accessible via the industry standard Server Message Block (SMB) and Network File System (NFS) protocols. Azure file shares can be mounted concurrently by cloud or on-premises deployments of Windows, Linux, and macOS.
Azure Queue storage: A data store for queuing and reliably delivering messages between applications.
Azure Table storage: Table storage is a service that stores non-relational structured data (also known as structured NoSQL data) in the cloud, providing a key/attribute store with a schemaless design.
Azure Data Box: lets you send terabytes of data into and out of Azure in a quick, inexpensive, and reliable way. The secure data transfer is accelerated by shipping you a proprietary Data Box storage device.
Azure Data Box Gateway: cloud storage gateway device that resides on your premises and sends data to Azure. This cloud storage gateway is a virtual machine provisioned in your hypervisor. You write data to this virtual device using the NFS and SMB protocols, which it then sends to Azure.
AzCopy: command-line tool to transfer data in/out of Azure Blob storage.
Azure Storage Explorer: tool to access and manage your Azure Storage accounts. You can: Upload, download, and manage Azure Storage blobs, files, queues, and tables
Redundancy Options:
- Azure geo-redundant storage (GRS) is a storage replication option for geo-redundant systems. It stores three copies of your data in each of two regions.
- Read-access GRS (RA-GRS) is a service that creates geo-redundant replicas of your data in two separate Azure regions, so that your data is always available,
- Locally redundant storage (LRS) stores all replicas in one datacenter. LRS protects data locally by writing to three disks within the datacenter.
Databases
Azure Cosmos DB: fully managed, globally distributed database that supports NoSQL options. It supports: SQL, MongoDB, Cassandra, Tables, and Gremlin APIs.
Azure SQL Database: [most cost-effective for intermittent usage] Fully managed relational database based on the latest stable version of the Microsoft SQL Server database engine. SQL Database is a high-performance, reliable, fully managed, and secure database. PaaS DB engine. Provides 99.99 percent availability.
Azure SQL Managed Instance: [easier for a Lift and Shift] Fully Managed Azure SQL Database — intelligent, scalable cloud database service that combines the broadest SQL Server database engine compatibility.
Azure Database for MySQL: Fully managed and scalable MySQL relational database with high availability and security.
Azure Database for PostgreSQL: Fully managed and scalable PostgreSQL relational database with high availability and security. It offers “Single Server” or “Hyperscale — Citus” (sharding) deployments — PostgreSQL.
Azure Cache for Redis: Fully managed service that caches frequently used and static data to reduce data and application latency.
Azure Database for MariaDB: Fully managed and scalable MariaDB relational database with high availability and security.
Azure Database Migration Service: Service that migrates databases to the cloud with no application code changes. Can generate assessment reports that provide recommendations to help guide you through required changes prior to performing a migration.
Big data
*** There’s a lot of overlap between these tools ***
Azure Synapse Analytics: Latest analytics tool — go for it, unless you need something more specific — Run analytics at a massive scale by using a cloud-based enterprise data warehouse that takes advantage of massively parallel processing to run complex queries quickly across petabytes of data. You can query data on your terms by using either serverless or provisioned resources at scale
Azure HDInsight: fully managed, open-source analytics service for enterprises. Distributed file systems. Process massive amounts of data with managed Hadoop clusters in the cloud. You can run popular open-source frameworks and create cluster types such as Apache Spark, Apache Hadoop, Apache Kafka, Apache HBase, Apache Storm, and Machine Learning Services. Also supports ETL, data warehousing, machine learning, and IoT.
Azure Databricks: Integrate this collaborative Apache Spark-based analytics service with other big data services in Azure.
Azure Data Lake Analytics: on-demand analytics job service that simplifies big data. Instead of deploying, configuring, and tuning hardware, you write queries to transform your data and extract valuable insights. The analytics service can handle jobs of any scale instantly by setting the dial for how much power you need. You only pay for your job when it’s running, making it more cost-effective.
AI
Azure Machine Learning Service: Cloud-based environment you can use to develop, train, test, deploy, manage, and track machine learning models. It can auto-generate a model and auto-tune it for you. It will let you start training on your local machine, and then scale out to the cloud.
Azure ML Studio: Collaborative visual workspace where you can build, test, and deploy machine learning solutions by using prebuilt machine learning algorithms and data-handling modules.
Azure Cognitive Services: provides prebuilt machine learning models that enable applications to see, hear, speak, understand, and even begin to reason. Use Azure Cognitive Services to solve general problems, such as analyzing text for emotional sentiment or analyzing images to recognize objects or faces.
- Language services: Allow your apps to process natural language with prebuilt scripts, evaluate sentiment, and learn how to recognize what users want.
- Speech services: Convert speech into text and text into natural-sounding speech. Translate from one language to another and enable speaker verification and recognition.
- Vision services: Add recognition and identification capabilities when you’re analyzing pictures, videos, and other visual content.
- Form Recognizer: extract text from forms coming from pictures
- Decision services: Add personalized recommendations for each user that automatically improve each time they’re used, moderate content to monitor and remove offensive or risky content, and detect abnormalities in your time series data.
Azure Bot Service: platforms for creating virtual agents that understand and reply to questions just like a human. Azure Bot Service is a bit different from Azure Machine Learning and Azure Cognitive Services in that it has a specific use case.
Web
Azure App Service: Quickly create powerful cloud web-based apps.
Azure Notification Hubs: Send push notifications to any platform from any back end.
Azure API Management: Publish APIs to developers, partners, and employees securely and at scale.
Azure Cognitive Search: Deploy this fully managed search as a service.
Azure SignalR Service: Add real-time web functionalities easily.
DevOps
Azure DevOps Services: For large / complex enterprise-wide projects. It is a suite of services that address every stage of the software development lifecycle.
- Azure Repos is a centralized source-code repository where software development, DevOps engineering, and documentation professionals can publish their code for review and collaboration.
- Azure Boards is an agile project management suite that includes Kanban boards, reporting, and tracking ideas and work from high-level epics to work items and issues.
- Azure Pipelines is a CI/CD pipeline automation tool.
- Azure Artifacts is a repository for hosting artifacts, such as compiled source code, which can be fed into testing or deployment pipeline steps.
- Azure Test Plans is an automated test tool that can be used in a CI/CD pipeline to ensure quality before a software release.
GitHub: Usually smaller or open source projects. GitHub builds on top of Git to provide related services for coordinating work, reporting and discussing issues, providing documentation, and more.
GitHub Actions: enables workflow automation with triggers for many lifecycle events. One such example would be automating a CI/CD toolchain.
Azure DevTest Labs: Quickly create on-demand Windows and Linux environments to test or demo applications directly from deployment pipelines.
IoT
IoT Central: Fully managed global IoT Platform as a Service (PaaS) solution that makes it easy to connect, monitor, and manage IoT assets at scale.
Azure IoT Hub: Messaging hub that provides secure communications between and monitoring of millions of IoT devices.
Azure Sphere: when security is critical, use Azure Sphere. It creates an end-to-end, highly secure IoT solution for customers that encompasses everything from the hardware and operating system on the device to the secure method of sending messages from the device to the message hub.
IoT Edge: Fully managed service that allows data analysis models to be pushed directly onto IoT devices, which allows them to react quickly to state changes without needing to consult cloud-based AI models.
Azure Monitoring Tools
Azure Advisor: Recommendations to cut costs or optimize your cloud environment. Evaluates your Azure resources and makes recommendations to help improve reliability, security, and performance, achieve operational excellence, and reduce costs.
Azure Monitor: track how services are performing and diagnose issues. A platform for collecting, analyzing, visualizing, and potentially taking action based on the metric and logging data from your entire Azure and on-premises environment. It starts collecting data when you add a resource to a subscription.
Application Insights: is a feature of Azure Monitor that provides extensible application performance management (APM) and monitoring for live web apps. Developers and DevOps professionals can use Application Insights to:
- Automatically detect performance anomalies.
- Help diagnose issues by using powerful analytics tools.
- See what users actually do with apps.
- Help continuously improve app performance and usability.
Alerts: a feature of Azure Monitor that proactively notifies you when issues are found with your infrastructure or application, using your monitoring data in Azure Monitor.
Azure Service Health: monitor status of Azure Services and monitor outages. A personalized view of the health of the Azure services, regions, and resources you rely on.
Azure Status: provides a global view of the health of Azure services and regions. If you suspect there’s an outage, this is often a good place to start your investigation.
Azure Identity services
Authentication: is the process of establishing the identity of a person or service that wants to access a resource.
Authorization: is the process of establishing what level of access an authenticated person or service has.
Azure AD: is Microsoft’s cloud-based identity and access management service. It provides: Authentication, Single sign-on (SSO), MFA, Application Management and Device Management.
Azure AD Domain Services: this is the cloud version of AD — provides managed domain services such as domain join, group policy, lightweight directory access protocol (LDAP), and Kerberos/NTLM authentication.
Azure AD Connect: connect your existing Active Directory installation with Azure AD. It syncs AD and Azure AD. Provides self-service password reset.
Azure AD Multi-Factor Authentication: service that provides multi-factor authentication capabilities.
Conditional Access: tool that Azure Active Directory uses to allow (or deny) access to resources based on identity signals. Provides a more granular multifactor authentication experience for users. For example, a user might not be challenged for second authentication factor if they’re at a known location. However, they might be challenged for a second authentication factor if their sign-in signals are unusual or they’re at an unexpected location.
Azure Security
Azure Security Center: monitoring service that provides visibility of your security posture across all of your services, both on Azure and on-premises. It generates a “Secure score”, so you can compare / track your situation.
- Monitor security settings across on-premises and cloud workloads.
- Automatically apply required security settings to new resources as they come online.
- Provide security recommendations that are based on your current configurations, resources, and networks.
- Continuously monitor your resources and perform automatic security assessments to identify potential vulnerabilities before those vulnerabilities can be exploited.
Microsoft Defender for Cloud: provides security recommendations and suggests remediation actions, including suggestions for which remediations should take priority. Microsoft Defender for Cloud is designed to help to protect Azure cloud, non-Azure cloud, and hybrid computing resources through a set of security tools.
Regulatory Compliance Dashboard: provides insights into your compliance posture based on how you’re meeting specific compliance requirements. You can find an overall compliance score and the number of passing and failing assessments
Azure Sentinel: Microsoft’s cloud-based security information and event management (SIEM) system. It uses intelligent security analytics and threat analysis. A SIEM system aggregates security data from many different sources (as long as those sources support an open-standard logging format). It also provides capabilities for threat detection and response.
Azure Key Vault: centralized cloud service for storing an application’s secrets in a single, central location. It provides secure access to sensitive information by providing access control and logging capabilities.
- Manage secrets: You can use Key Vault to securely store and tightly control access to tokens, passwords, certificates, API keys, and other secrets.
- Manage encryption keys: You can use Key Vault as a key management solution. Key Vault makes it easier to create and control the encryption keys that are used to encrypt your data.
- Manage SSL/TLS certificates: Key Vault enables you to provision, manage, and deploy your public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for both your Azure resources and your internal resources.
- Store secrets backed by hardware security modules (HSMs): These secrets and keys can be protected either by software or by FIPS 140-2 Level 2 validated HSMs.
Cloud Governance, Regulatory and Compliance
Use Tags to organize your Azure Resources: Tags are key-value pairs that you can add to any Azure resource. You can enforce / auto create tags by using Azure Policy. Tags provide extra information, or metadata, about your resources. Use tags to control costs, enforce security requirements.
Azure Policy: service in Azure that enables you to create, assign, and manage policies that control or audit your resources. These policies enforce different rules across all of your resource configurations so that those configurations stay compliant with corporate standards.
Azure Policy enables you to define both individual policies and groups of related policies, known as Initiatives — these are a collection of Policies. The Initiatives are then assigned to a scope (such as resource group). Azure Policy evaluates your resources and highlights resources that aren’t compliant with the policies you’ve created. Azure Policy can also prevent noncompliant resources from being created.
Azure Blueprints: You can define a repeatable set of governance tools and standard Azure resources that your organization requires to be reused on multiple subscriptions — orchestrates the deployment of various resource templates and other artifacts, such as: role assignments, policy assignments, ARM templates…
Cloud Adoption Framework: provides you with proven guidance to help with your cloud adoption journey. Define strategy, Plan, Ready, Adopt, Govern and Manage.
Compliance Offerings: offerings are grouped under four categories: Global, US Government, Industry, and Regional: https://docs.microsoft.com/en-us/compliance/regulatory/offering-home
Microsoft Trust Center: showcases Microsoft’s principles for maintaining data integrity in the cloud and how Microsoft implements and supports security, privacy, compliance, and transparency information in all Microsoft cloud products and services.
Azure Government: a separate instance of the Microsoft Azure service. It addresses the security and compliance needs of US federal agencies, state and local governments, and their solution providers.
Azure China 21Vianet: is operated by 21Vianet. It’s a physically separated instance of cloud services located in China.
Azure SLA
Azure SLAs: https://azure.microsoft.com/en-us/support/legal/sla/
The SLA is the minimum time that Azure commits the service will be available to use. If the service is offline for longer than the SLA allows, Azure will provide credits to customers.
Azure offers 99.9% SLA on most Azure products
Combine SLAs to compute the composite SLA: The process of combining SLAs helps you compute the composite SLA for a set of services. Computing the composite SLA requires that you multiply the SLA of each individual service.
Include redundancy to increase availability: you can use Availability Zones or Regions. To achieve maximum availability in your application, add redundancy to every single part of the application.
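The two rules above, worked through as an added example (not from the study material): a chain of services multiplies its SLAs, and a redundant copy raises availability. The 99.9% figure is the one quoted above; the 99.99% traffic router, the two-region layout and the assumption that the regions fail independently are constructed for illustration.

```python
import math

MINUTES_PER_30_DAY_MONTH = 30 * 24 * 60  # 43,200 minutes

def composite_sla(slas):
    """All services must be up at once (a chain): multiply the individual SLAs."""
    return math.prod(slas)

def redundant_sla(sla, copies):
    """Same stack deployed `copies` times, any one copy is enough.
    Assumes the copies fail independently (an assumption, not an Azure guarantee)."""
    return 1 - (1 - sla) ** copies

def max_downtime_minutes(sla):
    """Downtime the SLA still permits in a 30-day month."""
    return (1 - sla) * MINUTES_PER_30_DAY_MONTH

# Constructed workload: a web tier and a database, each at 99.9%.
WEB_SLA = 0.999
DB_SLA = 0.999
ROUTER_SLA = 0.9999  # constructed figure for a traffic router in front of two regions

def single_region():
    # The app needs both services, so the composite is lower than either one.
    return composite_sla([WEB_SLA, DB_SLA])

def two_regions():
    # Redundancy helps, but the router is now part of the chain and caps the result.
    return composite_sla([redundant_sla(single_region(), 2), ROUTER_SLA])

if __name__ == "__main__":
    for label, sla in [("one service", WEB_SLA),
                       ("single region (web + db)", single_region()),
                       ("two regions behind router", two_regions())]:
        print(f"{label}: {sla:.6%}, up to {max_downtime_minutes(sla):.2f} min/month down")
```

Note that the two-region result stays below the router's own 99.99%: redundancy has to be added to every part of the chain, including whatever sits in front of the redundant copies.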
Azure preview services and preview features: After a service / feature is developed and tested, the service is released to the public preview phase. During this phase, the public can access and experiment with it and provide real-world feedback.
Managing Azure Costs
TCO Calculator: The TCO Calculator helps you estimate the cost savings of operating your solution on Azure over time compared to operating in your on-premises datacenter. With the TCO Calculator, you’ll enter the details of your on-premises workloads. Then you can review the suggested industry-average cost (which you can adjust) for related operational costs. These costs include electricity, network maintenance, and IT labor. You’re then presented with a side-by-side report. Using the report, you can compare those costs with the same workloads running on Azure.
Pricing Calculator: helps define which Azure services best fit your budget. The Pricing calculator displays Azure products in categories. You can add these categories to your estimate and configure according to your specific requirements. You’ll then receive a consolidated estimated price, with a detailed breakdown of the costs associated with each resource you added to your solution: https://azure.microsoft.com/en-us/pricing/calculator/
Azure Billing: Azure service to organize your costs and invoices.
- Billing Account: When you sign in to Azure, a Billing Account is used to track the costs of your Azure services and manage billing. Each Billing Account has at least one Billing Profile.
- Billing Profile: lets you manage your invoices and payment methods. A monthly invoice is generated for a Billing Profile. Each Billing Profile contains at least one Invoice Section.
- Invoice Section: tracks and allocates costs based on your needs: project, department, dev env… The invoice sections are linked to a Subscription. Billing occurs at the Subscription level: 1 subscription for each Billing.
Azure Cost Management: is a free service that helps you understand your Azure bill, manage your account and subscriptions, monitor and control Azure spending, and optimize resource use.
Azure Advisor: also provides cost recommendations based on the Azure products we are using.
What factors affect cost? Resource type, Usage, Location, Network Traffic (in and out between billing zones), Azure subscription types
Best practices to minimize costs:
- Use spending limits to restrict your spending
- Use Azure Reservations to prepay: Azure Reservations offers discounted prices on certain Azure services. Azure Reservations can save you up to 72 percent as compared to pay-as-you-go prices. To receive a discount, you can reserve services and resources by paying in advance.
- Deallocate virtual machines during off hours and delete unused resources
- Migrate from IaaS to PaaS services: Not only are PaaS services such as Azure SQL Database often less expensive to run, but because they’re managed for you, you don’t need to worry about software updates, security patches, or optimizing physical storage for read and write operations.
- Azure Hybrid Benefit is a licensing benefit that helps you to significantly reduce the costs of running your workloads in the cloud. It can be used when you have a Software Assurance agreement. It works by letting you use your on-premises Software Assurance-enabled Windows Server and SQL Server licenses on Azure.