AZ-900 Course for 2020 - Understand core Azure services
2. Core Azure Compute products
The next section of the exam describes some of the core products available in Azure. So what I'm going to do is basically go through a list of around 20 services that Azure provides, broken out into categories. I'll go through them one by one; I'll describe them to you, some of those features and benefits, why you would choose to use them, and perhaps even something about pricing. And finally, I'll probably include some real-life examples that you can use to see why this fits into your solution. Now there are quite a few—like I said, around 20. So I'll go through them one by one. Now, the services in Azure are broken into these four main categories. We're going to talk about compute services, we're going to talk about networking, we're going to talk about storage, and we're going to talk about databases. So first off, compute. Now, the concept of computing is that you're going to take some workload and you're going to push it into the cloud, and you're going to ask that Microsoft Azure, in this case, execute that workload for you.
That could be a website; that could be a batch process—processing some data or storing something. It is something that you want to get done that requires computing services that you can push into the cloud. Now, Microsoft does provide many different ways of executing code in the cloud. So there's not just one way. First up are the virtual machines. Now, to me, this is the star of the show. This is what they used to call infrastructure as a service. This was sort of the first advent of cloud computing, when you wanted to take a machine that you had running in your own data centre and transfer it wholesale into the cloud. And so AWS provides that. Azure provides that. You're basically just running a Windows or a Linux machine in the cloud. So in the concept of Azure, this is called a virtual machine. And like I said, you do get the choice between operating systems, either Windows or Linux. You have many different flavours of Windows: Windows 10 desktop and several server versions going back several years. If you have a specific requirement for a version of Windows, you can get that. They also have many different distros of Linux. Now, Linux is surprisingly popular within Microsoft Azure; it is in fact one of the most popular operating system options. You can get everything from Red Hat to Ubuntu and many other Linux distributions. Now, the concept here is that the machine that is running in the cloud is what's called a virtual machine. That means that you don't have control of an entire computer.
So it is not a physical machine that you have control over. It is a slice or a subdivision of a physical machine. And that's why it's called a virtual machine. Now, when you've created a virtual machine and logged into it, you have full control over it, just as if you had a machine at your feet. You can install software, upgrade the version of Windows, install patches, and put files into the file system. It is a version of Windows, albeit a slightly modified version of Windows, but it is 99% identical to the Windows that you would use, and you have full control over it, as I previously stated. And so within Microsoft Azure, there are over 200 types of virtual machines. These are combinations of memory and CPU size and the various bandwidths and other things that you get to choose. No, you do not get to specify the exact number of gigabytes and the exact amount of CPU that you need. You can only choose from those 200 options. But within that, there are so many options that you're likely to find something that is quite compatible with what you need. Now, the concept of virtual machine scale sets takes the concept of virtual machines and builds on it so that you can have multiple virtual machines running the same application under what's called a load balancer, and we'll talk about that in the networking section. But if you want your website, instead of being served by a single computer, to have four or five computers doing that work, then that is what a virtual machine scale set can provide. Now, the reason you would do that is what's called availability.
So if one of your virtual machines were to fail or need to be rebooted to apply a security patch, then you still have other virtual machines doing the work, and the customers who are using them would not see any downtime. So a virtual machine scale set is a way of growing an application across multiple servers that increases availability. And there's also a restriction on how much you can grow a single virtual machine. There is a maximum size, maximum number of CPUs, maximum amount of disk, and so on. But within a virtual machine scale set, you can literally have 100 or 1000 servers running in a single scale set. And then if you scale that out, you can have multiple scale sets. And so there's no limit to how much you can horizontally scale, whereas there is a limit to how much you can vertically scale. Next is the Azure App Service. From a paradigm standpoint, App Service differs from a virtual machine. Now obviously, there are still computers running behind the scenes to execute your code, but you don't get access to them. So what Microsoft is doing here is what's called "Platform as a Service." They're going to take your code and your configuration and promise you that they'll run that code to a specific level of performance that you've paid for. But again, you do not have access to the computer. So you cannot install any kind of software that you want. You do not have access to the C drive. You do not have the ability to tweak registry settings.
The computer is running within Microsoft's environment, and they control it. And all they're doing is promising you a level of performance within your application. So this is a slightly different model. Pricing is going to be very similar to a virtual machine: a virtual machine that would cost you, let's say, $100, the App Service might also cost you around $100. But App Service provides a lot more features that are friendly for developers. So there are plugins that allow you to interact with an app service directly from Visual Studio. There are other types of pipelines that DevOps can use to put app services together. There are many different features that you can use in an app service that are not generally available within a virtual machine. And so these app services are looked at as a more developer-friendly model. Now, I used to talk about functions in this course. Functions are no longer on the AZ-900 exam. So you don't really need to know them, but just know that they are small pieces of code that can run in the cloud similar to an App Service, but you don't even need to develop them outside of Azure. You can just log into the portal. There's an editor available within the portal, and you can write your code directly into Azure. So it's almost like the smallest piece of code that you can edit directly within Azure and have Azure run for you. But it's not on the exam. The final two options for Compute are under what's called the container model. Now, Azure Container Instances, or ACI, are what Azure says is the quickest way to get a containerized application running in the cloud. So within a minute, you can deploy a container image into Azure using an Azure Container Instance.
On the other end of the spectrum, the Azure Kubernetes Service runs on a cluster of computers, requires an orchestrator and master node, and then a bunch of worker nodes. As a result, it's a little more difficult and expensive. But it is enterprise grade. It does have self-healing capabilities and scaling capabilities, whereas the Azure Container Instance is a single instance. There is no scaling involved. It is basically the quickest way that you can get code launched. The Azure Kubernetes Service, on the other hand, is bulletproof, enterprise-grade. Now, containers in general are just another model for deploying code. So we talked about app services being a very developer-friendly model. Well, containers are a very deployment-friendly model. So you create an image that contains everything that your programme needs to run. And once that image has been created, that same image can get deployed to development, staging, and production with no modifications. And so, deploying an image takes very little time. It could take seconds once you've created that image. Whereas with App Service or with virtual machines, there's manual effort involved in getting the deployment done, but it's a lot more developer-friendly, at least with App Service, so hopefully that makes sense. Those are the Azure Compute services.
3. Core Azure Networking products
Now, the next type of core Azure service is called networking services. Now, you might think of networking in terms of connectivity, right? You put a device onto a physical network, and that allows those devices to talk to each other. But within cloud computing and Microsoft Azure networking, there are four categories of services. Those are the connectivity services, protection services, delivery services, and monitoring services. Let's talk about each of those and what Azure provides in that area. So the most obvious are connectivity services. The basic unit of a network in Microsoft Azure is called a virtual network. So when you create a virtual machine, you have to create a virtual network or place it on an existing virtual network. There's no concept of a virtual machine without a virtual network. The virtual network is further subdivided into subnets.
So each virtual network has one or more subnets. Now, you can keep those subnets securely separated from each other. There's a thing called Network Security Groups that allows you to protect that. We'll talk about that in the next section. Now, the thing to keep in mind is that Microsoft has all the hardware and cabling already installed. They do not go and plug in new cables and install new hardware when you go and ask for a new virtual machine or a new virtual network. So a virtual network is all software; it is essentially just a database entry in a table. So you've got the physical network underlying everything. And then on top of that, the Azure fabric is able to pretend that your virtual machines exist on their own network. Another concept within networking connectivity is the virtual private network, or VPN. Now, you might be familiar with this. If you have a home computer or laptop that can connect to your work computer to access the files there, you typically access those files using a virtual private network. It's the same concept here: a virtual private network is a way of connecting two networks as if they were the same network. There's a secure, encrypted connection between them. You can do this between two networks within Azure, or you can do this from within your corporate network, connecting to Azure.
There's even the concept of a point-to-site VPN, which connects your own desktop computer to Azure. Finally, the other type of connectivity is called ExpressRoute. Now, ExpressRoute is a physical fibre optic cable that needs to be connected between yourself and a high-speed data centre, and then that IXP is connected to Microsoft Azure. And so it's basically not travelling over the public Internet. It's a private connection, high speed—ten gigabits per second, hundred gigabits per second. You choose the speed, and you pay for that. It is the most expensive way of setting up a private connection between yourself and Azure. The second category of network services is called protection. And these cover everything that you would think of as a firewall or some type of privacy measure. So the first one I'll talk about is protection against the Distributed Denial of Service attack. Now, you may have heard of this before: a DDoS attack, where many computers on the Internet all send bad traffic to a single server or a single network, overwhelming that server or that network, and thereby denying access to legitimate customers. So you can imagine, and this has actually happened in real life, that hundreds of thousands of machines around the world, usually virus-infected, compromised machines, are sending bad traffic to your bank's website, and then the attackers ask for a ransom in order to allow legitimate customers access to your bank. It's not like they're hacking into your bank's site; they're just denying you access. And if you go a week without being able to log into your bank account, then your bank is going to want to ensure that you can, because that's going to be a major problem. Now, Microsoft Azure does have a basic level of DDoS protection included.
So Microsoft is going to protect its own network, obviously, from being DDoS'd. It does not include DDoS protection specific to your own applications. That's an enhancement that you'd have to pay for. Microsoft Azure has a firewall, and this is an intelligent device. They call it a network appliance that sits on your virtual network, and you can configure traffic to travel through that firewall, ensuring that no viruses or bad traffic get through it and that nobody is trying to send SQL Server instructions through your website, trying to hack into your back end. And so the firewall can handle brute-force attacks and many sophisticated attacks. The network security group is free. We talked about it in the last section of this video, and it's basically what they call an access control list. It is a static list of rules that allow traffic to flow through. And if your traffic does not match one of the rules, then your traffic is denied. The final type of networking protection is called a private link. And this enables you to convert normally public services, such as SQL Database or Azure Storage, into private services. So nobody outside of Azure can even get to the endpoint. Now, all of these services are protected by an access key, or there's a firewall for a SQL database, but if you have a private link, those URLs aren't even exposed to the public Internet.
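To make the access-control-list behaviour of a network security group concrete, here is an added example (not code from the course or from Microsoft) that models how Azure evaluates NSG rules: lowest priority number first, first match wins, and anything that matches no rule is denied. It only models source address, destination port and protocol, and the rule names and addresses are constructed; the 65500 rule mirrors Azure's built-in DenyAllInBound default.

```python
"""Toy evaluator for Azure Network Security Group (NSG) rule semantics."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class NsgRule:
    name: str
    priority: int       # user rules use 100-4096; a lower number is evaluated first
    direction: str      # "Inbound" or "Outbound"
    access: str         # "Allow" or "Deny"
    protocol: str       # "Tcp", "Udp" or "*"
    source: str         # a CIDR range, a single IP, or "*"
    dest_port: str      # "80", "1000-2000" or "*"


def _port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(p) for p in spec.split("-", 1))
        return lo <= port <= hi
    return int(spec) == port


def _source_matches(spec: str, addr: str) -> bool:
    if spec == "*":
        return True
    return ip_address(addr) in ip_network(spec, strict=False)


def _protocol_matches(spec: str, proto: str) -> bool:
    return spec == "*" or spec.lower() == proto.lower()


def evaluate(rules, direction, src_ip, dest_port, protocol):
    """Return (access, rule_name) for the first matching rule in priority order.

    Rules are checked from the lowest priority number upward and evaluation
    stops at the first match, so a Deny at 100 beats an Allow at 200.
    Traffic that matches no rule at all is denied."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.direction != direction:
            continue
        if not (_protocol_matches(rule.protocol, protocol)
                and _source_matches(rule.source, src_ip)
                and _port_matches(rule.dest_port, dest_port)):
            continue
        return rule.access, rule.name
    return "Deny", "<no matching rule>"


# Constructed sample rule set, listed out of priority order on purpose.
SAMPLE_RULES = [
    NsgRule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*"),
    NsgRule("AllowHTTP", 200, "Inbound", "Allow", "Tcp", "*", "80"),
    NsgRule("AllowSSHFromCorp", 300, "Inbound", "Allow", "Tcp", "203.0.113.0/24", "22"),
    NsgRule("DenyAbusiveRange", 100, "Inbound", "Deny", "*", "198.51.100.0/24", "*"),
]

if __name__ == "__main__":
    for src, port in [("192.0.2.5", 80), ("192.0.2.5", 22),
                      ("203.0.113.9", 22), ("198.51.100.3", 80)]:
        print(src, port, evaluate(SAMPLE_RULES, "Inbound", src, port, "Tcp"))
```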
4. Core Azure Storage products
So I call storage one of the three foundational technologies of Azure. And the reason I call it that is because so many other services rely on some type of storage. Any time you're creating a service within Azure that has some kind of logging component, it's going to ask you to create a storage account or specify a storage account. Even a virtual machine can't exist without a storage account. So much of Azure relies on the fact that you have a storage account. Now, there are several types of storage within Azure. The first type we'll talk about is what's called unmanaged storage. Now, this is the original service. If you go back eight years on Azure, you're going to be able to have an Azure Storage account. The most common type of storage account is called a General Purpose v2, or GPv2, storage account. That's the latest. There are General Purpose v1 and Blob storage accounts. But you really need a good reason to choose those. General Purpose v2 is what Microsoft Azure recommends for 99.9% of cases.
Now, a General Purpose v2 storage account allows you to have four types of data in it: blobs, tables, queues, and files. Now, you might see these things talked about separately. And if you go into an unmanaged storage account, there will be four different areas of that storage account covering these services, but they are all under the same umbrella, managed in the same way, and share the same storage limits. So if your storage account is limited to five petabytes, well, the combination of blobs, tables, queues and files all make up that limit. There's another type of storage account called Azure Data Lake Storage Gen2. And that is just a flag or a type of general-purpose storage account. So when you go to create it, on one of the advanced tabs, it's going to ask you if you want your data to be organised in a hierarchical structure, more optimised for big data. So an Azure Data Lake is designed to store petabytes and petabytes of data that can get fed into a data warehouse, et cetera. Now, in general, an Azure storage account and unmanaged storage are the cheapest types of storage that you can get. Current pricing, and it does change from time to time, is around $1.8 per gigabyte. That's all there is to it. So, if you only have a few kilobytes of data, you'll pay the 1.8 cents per month regardless of how many kilobytes you have.
And so, that's extremely cheap storage. You're not going to be able to find cheaper storage: SQL databases, Cosmos DB, or any other type of data store within Azure all have more expensive storage. Now, this storage account has many options. When you go to create it, you're going to be able to choose a default access tier, whether it's hot or cool. On the individual files in a container, you're going to be able to move them between hot, cool, and archive. Those access tiers basically set the price at which you can store data and at which you can retrieve data. So you may have requirements where you store files but never retrieve them. Or you might have cases where you have a small number of files that have a very heavy reading or writing element to them. And so those access tiers allow you to optimise your pricing based on your usage. There are also performance tiers: you can get standard storage or premium storage, and that's obviously going to be optimised for how quickly you get the bytes into and out of the Azure storage account. Of course, you can specify the location for the storage account. It's best to put your storage accounts closest to the applications and servers that use them.
You don't want to have a server in the eastern United States with a web app on it accessing a storage account in Germany; that cross-Atlantic traffic is going to be slow, it's going to have lag, and it's going to be expensive. And so put your storage accounts as close to the consumer as possible. When you create storage accounts, you can define the redundancy level. You can have locally redundant storage, zone-redundant storage, or geo-redundant storage—or read-access geo-redundant storage. Now, there's a redundancy that's based on replication zones and availability zones, and so you can have many different replication options, and again, pricing is going to be dependent on that. Recently, Microsoft added failover. So you can have two storage accounts. You create geo-redundant storage and then, if you are unable to access your primary region, you can fail over to the secondary region, and basically, that will all be synchronised and waiting for you. Now, that was unmanaged storage. There's also managed storage. Now, this is almost exclusively reserved for virtual machine disks. So if you're creating a VM and you need a data disk to be added to it, Microsoft's recommendation is to use managed storage. It's a little bit more expensive than unmanaged storage, but then Microsoft takes some of the burden of that stuff off of you, including IO restrictions and things like that. You do have to reserve capacity in advance.
So you're not paying per gigabyte that you use, you're paying per gigabyte that you reserve, and whether you use it or not, you're going to pay. And this really is optimised for page blobs, which back a virtual hard disk, where random reads and writes occur within a block. Another type of storage that's sometimes overlooked is backup, replication and recovery. This is typified by the Recovery Services vault. Now, the Recovery Services vault serves two purposes. It can be used as backup storage. If you've got virtual machines, you can store backups of those files in a backup storage account. You can also run the Azure backup job on your local servers to back up to the cloud, and so it is not limited to Azure virtual machine backups. You can also back up physical servers under your control. With backup storage, you can have retention policies so that files are backed up every day and you only keep them for seven days, and you can set your retention policy as you need. Now, Recovery Services vaults are also used for replication. The application that is used for replication is called Azure Site Recovery, or ASR. This essentially allows you to duplicate one region into another, for example. And so the files for the replication location are going to be stored in a Recovery Services vault.
5. Core Azure Database products
Now, I'm going to go out on a limb here and say that most sophisticated applications have some type of database. Now, it may be that an application does nothing but API calls, and the services that support it have the databases. But chances are any sophisticated application needs to either read reliably from a database or write reliably to a database. It is a rare thing that your applications involve no data. Now, Microsoft Azure, as you would expect, contains dozens of types of databases. There are so many different vendors out there. And chances are that you're able to find a Microsoft Azure version of the one that you use. Either it's a managed service provided by Microsoft or you'll find it in the Azure Marketplace, which we'll talk about in a second.
Now, there are a couple of types of databases, known as relational and non-relational. First we'll talk about the non-relational database, which is called Cosmos DB. Cosmos DB is designed as a database back end for modern cloud-first applications. And you could think about it in terms of mobile video games and social networks and other things where you can typically have thousands, tens of thousands, hundreds of thousands, or millions of simultaneous users. And so you've got a very sophisticated, fast, lightweight database in the back end. This is sometimes called "NoSQL storage," not because it doesn't use SQL. NoSQL stands for "not only SQL." Now, this is obviously a bit complex. It's called multi-model. That means that Cosmos DB contains many different kinds of data. It's not just one kind of data. You can have a MongoDB back end, or Gremlin, or DocumentDB, which is a JSON document store. There are five or six different types of data that can be stored in Cosmos DB. You do have to choose this at creation. You don't get to switch back and forth between them. And that means that it supports many open source APIs and protocols that are industry standards. And so, like I said, with MongoDB or with the Gremlin graph API, the API you might be using on your premises can be migrated into Cosmos DB. And the API doesn't have to change. Now, that's a non-relational database. Now, let's talk about relational databases. The most common is the Azure SQL Database. Now, the Azure SQL Database is a relational database.
It's running the SQL Server engine behind the scenes. As a database service it does not have 100% feature parity with SQL Server, but it is very close. Some of the features of Azure SQL DB, besides the traditional SQL Server style, are that it makes it very easy to replicate that database to different regions around the world. It's also easy to scale up to larger sizes or scale down. And if you're using SQL Server on premises, it's relatively easy to migrate that into an Azure SQL database. So there are a lot of advantages to that. There are other database back ends besides SQL Server supported, such as MySQL. Azure Database for MySQL is a managed version of the MySQL database. You can also find a MySQL database in the Azure Marketplace or even install it yourself. I think even Azure App Service supports MySQL databases in-app. MySQL is an open source database. It's pretty common. I think it's about 25% of usage in terms of small applications on the Web. It does make it easy to migrate to Azure if you're using MySQL for your own hosted applications. Most WordPress websites, for example, use a MySQL database as their back end.
As a result, you can migrate your WordPress blog to Azure and use Azure Database for MySQL as the back end. Similarly, another popular open source database is called PostgreSQL, also a relational database. Now, the difference between PostgreSQL and MySQL is that PostgreSQL is designed for clusters of servers. Scaling to a larger number of servers is thus easier in PostgreSQL than in MySQL. Again, if you rely on that type of database, you can migrate to Azure, and Azure has a hosted version of PostgreSQL. You can always use the self-hosted, unmanaged one. You can install it yourself or get it from the marketplace.
Finally, also covered in this exam is the concept of the Azure Database Migration Service. And this is an actual tool that Microsoft provides. On the left are a bunch of different cloud-based database platforms: Google Cloud, AWS, MongoDB, PostgreSQL, and Oracle. You can migrate any of those data sources through the Database Migration Service into one of the Azure products, whether it's Azure SQL Database, Azure Database for MySQL, or Azure Database for PostgreSQL, etc. All of this is supported by that tool. Finally, there is the tool called Azure SQL Data Warehouse that's been renamed to Azure Synapse Analytics. It is not on the exam, but I thought I would mention it because it is a database. It's a SQL data warehouse. It's designed for really big data. It is not a transactional database; it's an analytical database. And so there is some processing of the data that happens before you can use it. But it does handle massive queries a lot better than SQL Server would. So those are the types of databases that you can get on Azure. There are a lot more types of databases. I thought I would go over the basics here.
6. Core Azure solutions
One of the things that is obviously big in computing these days is the Internet of Things. That's not going away. And the exam basically requires you to understand that Microsoft does offer a number of Internet of Things services to you. So if you have devices, let's say you've got step counters that are feeding data over the Internet back into Azure, you can use something like Azure IoT Hub, which is an Azure service, to ingest that. You can then support millions of records per second. Trying to run that on your own is going to be very difficult. Microsoft has services available for Internet of Things. Big data and data analytics is obviously a big thing. The Apache Foundation offers a product called Hadoop. It's an open-source product. You can get most of those Hadoop services within Azure, and that would be under the HDInsight service. HD stands for Hadoop. Now, the last version of this exam wanted you to know about Data Lake Analytics. Now, Microsoft has recently introduced a brand new service called Azure Databricks. And it's something that if you're working with big data, you really should be looking into. So basically it's a centralised service where you're going to be able to pull in data from external sources, manipulate that data if you're going to do some transformations on it or run some analysis on it, and then be able to create the pretty reports and turn that data into something that you can use as business intelligence.
And so all members of the team, from the technical side—the data engineers and programmatic engineers—to the business side—the people who need to understand this data and take action on it—they'll all be using Databricks as a central place to view, manipulate, change, import, and export data as we go into the future. Artificial intelligence is a big deal. Microsoft offers machine learning services. These are under their Cognitive Services model. The machine learning services are going to be things like vision APIs, speech APIs, and so on. There is also a language service: if you were to speak into a microphone, you can send that to a Microsoft service to interpret it, turn it back into text, and turn those concepts into actionable ones. The serverless model is essentially the highest level of being able to just upload code. You can upload your code into Functions or tie these functions together using a Logic App, and you do not have to worry about the servers. Microsoft is going to handle the performance. They give you a performance guarantee, and effectively, you're going to pay for consumption of these things. We can also talk about Service Fabric as a serverless model. So you can divide your code into microservices, and Microsoft will be able to run those and distribute them. When performance slows down, it basically spins up more services, et cetera.
7. Azure management tools
One of the requirements of this exam is that we need to understand how we can manage our resources running inside of Azure. So besides the Azure Portal, you have other options that you can use to connect to your resources inside of Azure. Start them, stop them, create them, delete them, and have a full range of management capability for those resources. Now, two of them are the most common: the command-line tools. One is called CLI (command-line interface) and one is called PowerShell. Now, PowerShell might be familiar to Windows users because Windows ships with a tool called PowerShell, which is a powerful scripting language that can be used to automate a number of tasks. There is an SDK for PowerShell, so you can connect to Microsoft Azure from PowerShell and again be able to create, manage, delete, and do all the other things with the Azure resources from within a PowerShell script. Now, the CLI is based on the Bash platform, which is a Linux command line. And so if you come from the Linux world, you're familiar with Bash, and so the CLI commands would be very familiar to you from that point of view. Again, all of these things allow you to do things with your Azure resources via these command lines.
Oftentimes, we work in a business environment. We want to start to automate things. So instead of having to always manually create virtual machines and manually add them into load balancers, writing scripts in order to get these things done automatically is not only more efficient, but it also reduces the chances of errors. Because once you script something and test it, then it's going to act the same way every time you run it. So you can use the portal, or you can use the command line, which is CLI and PowerShell. Finally, the command-line tools are integrated into the portal in the browser. At the top, there is a greater-than sign and underscore icon (>_), which is Cloud Shell. And when you click it, you are basically given a command-line interface right within your browser. So you don't need to download the SDK to your local computer, and you can have your files all within the Azure Portal and do all your automations from that machine and not have to have it on your local computer. You can see here in the Cloud Shell that you can choose between the PowerShell interface and the Bash CLI interface, and then it's up to you in terms of which one you use. You have the same power to create and manage resources from PowerShell as you do from the portal.
Microsoft has a tool called Azure Advisor. When you are in the portal, it analyses your use of resources and says, for example, as you can see on screen, "You can save $2,800 a month by following these two recommendations." Across availability, security, performance, and cost, it makes recommendations based on your actual usage. It's basically artificial intelligence, or machine learning, that analyses your usage and suggests how you can improve your use of Azure.
AZ-900 Course for 2020 - Understand security, privacy, compliance, and trust
1. Securing network connectivity
The exam says understanding security, privacy, compliance, and trust is worth 25% to 30% of the total score. We can see on screen that this section has a lot of subtopics. We're talking about virtual networks, network connectivity, and identity services such as Azure Active Directory. We're talking about the security tools and features of Azure, which are things like Key Vault, advanced threat protection, et cetera. There's the whole governance topic, which has to do with policies, RBAC (role-based access control), resource locks, and things like this. We are also going to be talking about monitoring and reporting options, because understanding the threats that are occurring is a big part of security. And finally, privacy, compliance, and data protection. We live in a world where there are a lot of government and other standards that we need to comply with, including GDPR. So having an environment that is compliant with these government standards, and also your potential corporate standards, is important to understanding that section.
So we have a lot to get through in this section of the course. First we're going to talk about network security. One of the fundamental aspects of network security is the concept of a firewall, which you might know if you have any familiarity with networking within your own environment. The purpose of a firewall is to analyse traffic that is directed to it and then either reject traffic that doesn't follow the permitted pattern or allow through traffic that does. Here's a diagram taken from the Microsoft site that shows a WAF, which is a web application firewall. You can see that a number of requests are being made on the left. Only one valid request is recognized; the other two requests in this case are a SQL injection attack and a cross-site scripting attack. These are both ways that hackers try to get control of your website. The web application firewall can detect these common attack vectors and simply reject the request, so your website never even receives the attempted SQL injection request. On the right, once traffic gets through the firewall, those requests are sent to the correct location. You might have many different applications and many different URLs, and the Layer 7 load balancer represented in the middle directs the traffic to the right location. So the purpose of the firewall in Azure is basically to block attacks. Those could be hacking attempts, which are quite obvious, or it could just be making sure that nothing but port 80 gets through if it's a web server, or that the source of the request is on a whitelist, et cetera. There are many different rules that you can apply to your firewall. But having a firewall is one of the essential elements of network security. So if you're going to have a serious application available to the public, you should consider having an Application Gateway with a firewall.
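To make the diagram concrete, here is an added example (not code from the course or from Microsoft) of what the web application firewall in that picture does: it inspects each request, rejects the ones that match injection signatures, and hands the rest to a Layer 7 routing table that picks a backend pool by URL path. The signatures, backend names and sample requests are all constructed for the illustration; a real WAF rule set is far larger.

```python
"""Simplified Layer 7 request filter, as a model of what a web application
firewall in front of a load balancer does: inspect each request, reject
the ones that match known injection signatures, and route the rest to a
backend pool chosen by URL path. Constructed example, not Azure code."""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Deliberately small illustrative signatures. A production rule set such as
# the OWASP Core Rule Set used by Azure WAF is far larger and tuned by experts.
SIGNATURES = {
    "SQL injection": re.compile(
        r"(?i)(\bunion\b\s+\bselect\b|'\s*or\s*'?\d+'?\s*=\s*'?\d+|;\s*drop\s+table\b)"),
    "Cross-site scripting": re.compile(r"(?i)(<\s*script\b|\bon[a-z]+\s*=|javascript:)"),
}

# Layer 7 routing table (constructed): path prefix -> backend pool; longest prefix wins.
BACKENDS = {"/": "web-pool", "/images/": "images-pool", "/api/": "api-pool"}


def inspect(request_line):
    """Decide one request. Returns ("allow", backend_pool) or ("block", reason)
    for a request line such as 'GET /api/users?id=7 HTTP/1.1'."""
    _method, target, _version = request_line.split(" ", 2)
    parts = urlsplit(target)
    # Decode before matching: attackers URL-encode payloads, and a filter
    # that only looks at the raw bytes would wave them through.
    fields = [unquote_plus(parts.path)]
    fields += [value for _, value in parse_qsl(parts.query, keep_blank_values=True)]
    for reason, pattern in SIGNATURES.items():
        if any(pattern.search(field) for field in fields):
            return ("block", reason)
    prefix = max((p for p in BACKENDS if parts.path.startswith(p)), key=len)
    return ("allow", BACKENDS[prefix])


def filter_requests(request_lines):
    """Run a batch of request lines through the filter and return the
    decisions, so the valid ones can be forwarded and the rest logged."""
    return [(line, *inspect(line)) for line in request_lines]


# Constructed sample traffic: one legitimate request per backend plus two
# textbook injection attempts, mirroring the diagram in the lecture.
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.1",
    "GET /images/logo.png HTTP/1.1",
    "GET /api/users?id=7 HTTP/1.1",
    "GET /api/users?id=7%27%20OR%20%271%27%3D%271 HTTP/1.1",
    "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1",
]

if __name__ == "__main__":
    for line, verdict, detail in filter_requests(SAMPLE_REQUESTS):
        print(f"{verdict:5} {detail:22} {line}")
```

The point to notice is the decoding step: the two attack requests arrive URL-encoded, and a filter that matched on the raw request line would let them through to the web server. The backend is only chosen for requests that survive inspection, which is the "only the valid request reaches the right location" flow from the diagram.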
Another aspect of network security within Azure that is relatively new is distributed denial of service attack protection. You might be familiar with this being abbreviated as DDoS, and you might be familiar with distributed denial of service attacks in the real world, outside of the cloud. That's where you have many different sources of an attack that are attempting to overwhelm and take over a resource so that no valid requests can get through. So you could have 1000 computers infected with a virus and turned into a botnet, all of which are making the same request to the same server at the same time. With 100,000 hackers essentially occupying the server's capacity, the valid requests that your users are making can get lost in the shuffle, and that's why it's called a denial of service: the server becomes overwhelmed. Microsoft offers a distributed denial of service attack protection option. There's the Basic tier, which comes with a monitoring package and the ability to do automatic mitigation of certain attacks at the network level they come through. If you use the Application Gateway that we talked about in the firewall section, you can get what's called "Layer 7 protection." That means you can look at the URL and the type of traffic and be able to say, "Well, we allow people to get to the images directory, but we do not allow people to make requests for the video directory." So you can apply rules right down to the path of the request. The denial of service attack protection is available globally.
Now, if you upgrade from the Basic tier to Standard, you are going to get policies that are tuned to your specific virtual network. You'll receive additional logging, alerts, and telemetry, and it can detect when your resources are suddenly consuming a lot of cost, because that too is effectively a denial of service attack. If someone's making hundreds of thousands of requests to your Azure function and that's outside the normal pattern, then they're basically eating into your costs, and you can use this protection against that kind of denial-of-service attack. Finally, the other thing that you should know about, and this is the most fundamental form of security protection on a network, is what's called a network security group. Within the Azure Resource Manager model, when you create a virtual network, you have the option of applying a network security group to it. A network security group is a series of rules that you define to allow or deny inbound and outbound traffic. So you could have a front-end concept where all of your web servers live and a back-end concept where all of your application servers or database servers live, anything that isn't public-facing to the Internet. You can see in the diagram on the screen that the NSG icon, the network security group, is placed in front of the subnet level, requiring all traffic to pass through these rules. You can allow traffic to your front-end VMs and deny public Internet traffic to your back-end VMs, and that forces traffic along a specific path. Another option is to use your NSG to block all Internet traffic if you have a private network, such as an ExpressRoute connection between Azure and your offices.
This effectively prevents the open Internet from accessing your sites and applications, forcing it to go through your corporate network via ExpressRoute. So there are many different configurations, but a network security group is a fundamental piece of software that Microsoft allows you to enable that sets the inbound and outbound rules by which traffic can reach your network. We saw with network security groups that, ultimately, you're defining a rule, and that rule protects a destination IP address by number. So you specify that for traffic coming to this IP address and this port, these are the security rules we want to enforce. But that's not really realistic when you're dealing with hundreds, thousands, or tens of thousands of devices on your networks. Having to specify network security groups for every single web server, every single database server, and every single machine on your network becomes burdensome after a while. So Azure has introduced the application security group concept, in which you define the destination by role and not just by IP address. If you want to create a rule that protects all virtual machines in a certain role, you can define that rule; if you want to define a rule for SQL servers, you can define a different rule. So we can see we've got web servers, application servers, and DB servers, and when you're defining the network security group rule, you can say, "This is the rule for web servers," without specifying them by IP address. Next up, let's talk about user-defined routes, or UDRs. A user-defined route allows you to specify the exact path that some traffic needs to travel over your network. An example of this might be a firewall. Perhaps you've got a firewall appliance running on one of your virtual machines, like a Barracuda firewall that you get from the Azure Marketplace.
You don't want Internet traffic to travel directly to your VMs; you want it to be forced through that firewall device before it can talk to any VM. In that case, you specify a UDR, a user-defined route, that forces traffic to come in through that firewall before it can get to any of your devices. You can also define the outbound traffic so that it has to go through a firewall before it gets to the Internet. Another application would be if you want traffic to travel through your corporate network rather than directly from Azure to the Internet. Let's say you have an ExpressRoute, which is a direct connection between your corporate office and Microsoft Azure. If any machine within Azure wants to talk to the Internet, you want that traffic to travel over your ExpressRoute gateway, through the ExpressRoute into your own network, and then out to the Internet. If you want that to happen, you can define it using a UDR. So you can use UDRs to force traffic through a path, inbound, outbound, or both. The next requirement of the exam is to choose an appropriate Azure security solution. We just went through a few of the options that Microsoft offers within Azure for securing your network and your applications. There's a lot to security, and we're really only scratching the surface here in terms of specifics, but here are some general rules that I'm going to suggest as best practices for choosing security solutions.
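The two UDR scenarios just described (sending traffic through a firewall appliance, and forcing Internet-bound traffic back over ExpressRoute) come down to one rule: the most specific matching prefix wins, and when two routes have the same prefix a user-defined route takes precedence over Azure's system route. Here is an added example (not code from the course or from Azure) that models that selection over two constructed route tables; the address ranges, the firewall appliance address and the quarantined subnet are all made up for the illustration.

```python
"""Route selection as a user-defined route (UDR) table performs it: the
longest matching prefix wins, and when prefixes tie a user route beats a
system route. Two constructed tables show the two cases from the lecture:
forcing traffic through a firewall appliance, and forcing Internet-bound
traffic back over ExpressRoute. Constructed example, not Azure code."""
from ipaddress import ip_address, ip_network

# Source precedence when prefixes are equal (user route > BGP > system route).
PRECEDENCE = {"User": 2, "BGP": 1, "System": 0}

# Each entry: (prefix, source, next_hop_type, next_hop_ip).
# The VNet address space and 0.0.0.0/0 defaults stand in for Azure's system
# routes; the rest are constructed UDRs with made-up addresses.
FIREWALL_ROUTES = [
    ("10.0.0.0/16", "System", "VirtualNetwork", None),
    ("0.0.0.0/0", "System", "Internet", None),
    ("0.0.0.0/0", "User", "VirtualAppliance", "10.0.2.4"),   # Internet-bound traffic via the firewall VM
    ("10.0.9.0/24", "User", "None", None),                    # quarantined subnet: traffic is dropped
]

FORCED_TUNNEL_ROUTES = [
    ("10.0.0.0/16", "System", "VirtualNetwork", None),
    ("0.0.0.0/0", "System", "Internet", None),
    ("0.0.0.0/0", "User", "VirtualNetworkGateway", None),      # everything else back over ExpressRoute
    ("192.168.0.0/16", "User", "VirtualNetworkGateway", None), # corporate network over ExpressRoute
]


def select_route(routes, destination):
    """Return (next_hop_type, next_hop_ip) for the destination address.
    Longest prefix wins; on a tie the higher-precedence source wins.
    ("None", None) is also what a matching drop route yields."""
    dst = ip_address(destination)
    best = None  # (prefixlen, precedence, next_hop_type, next_hop_ip)
    for prefix, source, hop_type, hop_ip in routes:
        net = ip_network(prefix)
        if dst not in net:
            continue
        candidate = (net.prefixlen, PRECEDENCE[source], hop_type, hop_ip)
        if best is None or candidate[:2] > best[:2]:
            best = candidate
    return (best[2], best[3]) if best else ("None", None)


def trace(routes, destination):
    """Describe the hop a packet takes, for a quick check of a route table."""
    hop_type, hop_ip = select_route(routes, destination)
    via = f" via {hop_ip}" if hop_ip else ""
    return f"{destination} -> {hop_type}{via}"


if __name__ == "__main__":
    for dest in ("10.0.1.7", "10.0.9.1", "203.0.113.9"):
        print("firewall table:     ", trace(FIREWALL_ROUTES, dest))
    for dest in ("10.0.3.3", "192.168.5.5", "203.0.113.9"):
        print("forced-tunnel table:", trace(FORCED_TUNNEL_ROUTES, dest))
```

Two things worth checking against your own route tables: traffic inside the VNet still matches the more specific VNet prefix, so the 0.0.0.0/0 override only catches what would otherwise have gone straight to the Internet; and a user route that ties with a system route on prefix length is the one that wins, which is exactly how a UDR "forces" the path.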
First up, all virtual network subnets should use a network security group. The network security group is the most basic layer for allowing or denying traffic. You should make your network security groups fairly tight: deny as much traffic as you can from ports and from sources that do not need to access that network, and make it universal that all of your virtual network subnets have an NSG. I look at a network security group as similar to having locks on the doors and windows that you don't use. If you don't use a port, do not allow traffic into your network on that port. There are many other security methods that you need to employ to be totally secure, but this is the basic premise: you lock the doors that are never used. Now, the denial-of-service attack protection service that Azure offers does cost some money, so you really should make your own analysis of whether your network or your application needs it. Not every application is going to get a distributed denial of service attack on it, and sometimes you want to enable that only once you have detected that you are likely to be a target or that you actually have been attacked. The same policy probably applies to the Application Gateway with the web application firewall. Of course, if you've got a serious enterprise-grade application, you're going to have to look at firewalls, because security groups are great, but they're not intelligent enough to know what traffic is likely to be legitimate or not. A security group doesn't have any AI pattern matching; it's not going to alert you if a brute-force attack is underway, et cetera. So get yourself a good firewall. There's a concept in security called layered security, or defense in layers. Having just one security guard, one layer of defense, is insufficient: if an attacker is able to breach your one layer, they will have complete control over your application and network.
What you want to do is ensure that you have layers of security. Later on in this course, we'll go through security in a bit more detail, and we'll talk about all the different layers and the options that you have for providing security through each of those layers.
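Putting the network security group, application security group and "lock the doors you don't use" advice from above together, here is an added example (not code from the course or from Azure) that evaluates inbound NSG rules the way the platform does: lowest priority number first, first match wins, with Azure's default rules at priority 65000 and above. Destinations are application security group names rather than addresses. The VNet range, the ASG membership and the sample flows are constructed; the probe source address 168.63.129.16 is Azure's well-known load balancer health probe address. The rule at priority 4000 is the caveat worth remembering: the default AllowVnetInBound rule would otherwise let any VM in the VNet reach the database servers, so a tight front-end/back-end split needs an explicit deny.

```python
"""Network security group evaluation, with application security groups as
destinations. Rules are tried from the lowest priority number upward and
the first match decides; Azure's default rules sit at 65000 and above, and
because AllowVnetInBound is one of them, "tight" NSGs need an explicit deny
for traffic that must not cross the VNet. Constructed example, not Azure code."""
from ipaddress import ip_address, ip_network

VNET = ip_network("10.0.0.0/16")  # constructed VNet address space
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LB_PROBE_IP = ip_address("168.63.129.16")  # Azure load balancer health probe source

# Application security groups: role -> NIC addresses (constructed).
ASG_MEMBERS = {
    "webservers": {"10.0.1.4", "10.0.1.5"},
    "dbservers": {"10.0.2.4"},
}

# Inbound rules: (priority, name, source, destination, dest_port, protocol, action).
# Source/destination may be "*", a service tag, an ASG name, or a CIDR.
INBOUND_RULES = [
    (100, "allow-https-to-web", "Internet", "webservers", 443, "Tcp", "Allow"),
    (110, "allow-sql-from-web", "webservers", "dbservers", 1433, "Tcp", "Allow"),
    (4000, "deny-vnet-to-db", "VirtualNetwork", "dbservers", "*", "*", "Deny"),
    # Azure default rules, reproduced so the model behaves like the platform.
    (65000, "AllowVnetInBound", "VirtualNetwork", "VirtualNetwork", "*", "*", "Allow"),
    (65001, "AllowAzureLoadBalancerInBound", "AzureLoadBalancer", "*", "*", "*", "Allow"),
    (65500, "DenyAllInBound", "*", "*", "*", "*", "Deny"),
]


def address_matches(spec, address):
    """Does `address` fall inside a rule's source/destination field?
    The Internet tag is simplified here to 'not in the VNet and not RFC 1918'."""
    ip = ip_address(address)
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return ip in VNET
    if spec == "Internet":
        return ip not in VNET and not any(ip in net for net in RFC1918)
    if spec == "AzureLoadBalancer":
        return ip == LB_PROBE_IP
    if spec in ASG_MEMBERS:
        return address in ASG_MEMBERS[spec]
    return ip in ip_network(spec, strict=False)


def evaluate_inbound(src, dst, port, protocol="Tcp"):
    """Return (action, rule_name) for the first matching rule, lowest priority number first."""
    for _prio, name, r_src, r_dst, r_port, r_proto, action in sorted(INBOUND_RULES, key=lambda r: r[0]):
        if (r_proto in ("*", protocol) and r_port in ("*", port)
                and address_matches(r_src, src) and address_matches(r_dst, dst)):
            return action, name
    return "Deny", "implicit"  # unreachable while the default rules are present; kept as a safe fallback


if __name__ == "__main__":
    # Constructed flows: what a tight front-end/back-end split should do.
    for flow in [("203.0.113.7", "10.0.1.4", 443), ("203.0.113.7", "10.0.2.4", 1433),
                 ("10.0.1.4", "10.0.2.4", 1433), ("10.0.1.4", "10.0.2.4", 22),
                 ("203.0.113.7", "10.0.1.4", 22), ("168.63.129.16", "10.0.1.4", 80)]:
        print(flow, "->", evaluate_inbound(*flow))
```

Run the sample flows and you get the behaviour the lecture describes: the Internet reaches the web servers on 443 only, the web servers reach the database servers on 1433 only, everything else to the database tier is denied by the explicit rule, and anything unmatched falls through to DenyAllInBound. The load balancer probe flow shows why the default AllowAzureLoadBalancerInBound rule is left in place: without it, health probes would be denied and the VMs would drop out of the load balancer.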