Protect against security threats by using Azure Security Center

Completed100 XP
6 minutes
Tailwind Traders is broadening its use of Azure services. It still has on-premises workloads with
current security-related configuration best practices and business procedures. How does the
company ensure that all of its systems meet a minimum level of security and that its
information is protected from attacks?
Many Azure services include built-in security features. Tools on Azure can also help Tailwind
Traders with this requirement. Let's start by looking at Azure Security Center.
What's Azure Security Center?
Azure Security Center is a monitoring service that provides visibility of your security posture
across all of your services, both on Azure and on-premises. The term security posture refers to
cybersecurity policies and controls, as well as how well you can predict, prevent, and respond
to security threats.
Security Center can:
Monitor security settings across on-premises and cloud workloads.
Automatically apply required security settings to new resources as they come online.
Provide security recommendations that are based on your current configurations, resources,
and networks.
Continuously monitor your resources and perform automatic security assessments to identify
potential vulnerabilities before those vulnerabilities can be exploited.
Use machine learning to detect and block malware from being installed on your virtual
machines (VMs) and other resources. You can also use adaptive application controls to define
rules that list allowed applications to ensure that only applications you allow can run.
Detect and analyze potential inbound attacks and investigate threats and any post-breach
activity that might have occurred.
Provide just-in-time access control for network ports. Doing so reduces your attack surface by
ensuring that the network only allows traffic that you require at the time that you need it to.
This short video explains how Security Center can help harden your networks, secure and
monitor your cloud resources, and improve your overall security posture.
Understand your security posture
Tailwind Traders can use Security Center to get a detailed analysis of different components in
its environment. Because the company's resources are analyzed against the security controls of
any governance policies it has assigned, it can view its overall regulatory compliance from a
security perspective all from one place.
See the following example of what you might see in Azure Security Center.
Let's say that Tailwind Traders must comply with the Payment Card Industry's Data Security
Standard (PCI DSS). This report shows that the company has resources that it needs to
remediate.
In the Resource security hygiene section, Tailwind Traders can see the health of its resources
from a security perspective. To help prioritize remediation actions, recommendations are
categorized as low, medium, and high. Here's an example.

What's secure score?

Secure score is a measurement of an organization's security posture.
Secure score is based on security controls, or groups of related security recommendations. Your
score is based on the percentage of security controls that you satisfy. The more security
controls you satisfy, the higher the score you receive. Your score improves when you remediate
all of the recommendations for a single resource within a control.
Here's an example from the Azure portal showing a score of 57 percent, or 34 out of 60 points.

Following the secure score recommendations can help protect your organization from threats.
From a centralized dashboard in Azure Security Center, organizations can monitor and work on
the security of their Azure resources like identities, data, apps, devices, and infrastructure.
Secure score helps you:
Report on the current state of your organization's security posture.
Improve your security posture by providing discoverability, visibility, guidance, and control.
Compare with benchmarks and establish key performance indicators (KPIs).
Protect against threats
Security Center includes advanced cloud defense capabilities for VMs, network security, and file
integrity. Let's look at how some of these capabilities apply to Tailwind Traders.
Just-in-time VM access Tailwind Traders will configure just-in-time access to VMs. This access
blocks traffic by default to specific network ports of VMs, but allows traffic for a specified time
when an admin requests and approves it.
Adaptive application controls Tailwind Traders can control which applications are allowed to
run on its VMs. In the background, Security Center uses machine learning to look at the
processes running on a VM. It creates exception rules for each resource group that holds the
VMs and provides recommendations. This process provides alerts that inform the company
about unauthorized applications that are running on its VMs.
Adaptive network hardening Security Center can monitor the internet traffic patterns of the
VMs, and compare those patterns with the company's current network security group (NSG)
settings. From there, Security Center can make recommendations about whether the NSGs
should be locked down further and provide remediation steps.
File integrity monitoring Tailwind Traders can also configure the monitoring of changes to
important files on both Windows and Linux, registry settings, applications, and other aspects
that might indicate a security attack.
Respond to security alerts
Tailwind Traders can use Security Center to get a centralized view of all of its security alerts.
From there, the company can dismiss false alerts, investigate them further, remediate alerts
manually, or use an automated response with a workflow automation.
Workflow automation uses Azure Logic Apps and Security Center connectors. The logic app can
be triggered by a threat detection alert or by a Security Center recommendation, filtered by
name or by severity. You can then configure the logic app to run an action, such as sending an
email, or posting a message to a Microsoft Teams channel.
Detect and respond to security threats by using Azure Sentinel
Completed100 XP
4 minutes
Security management on a large scale can benefit from a dedicated security information and
event management (SIEM) system. A SIEM system aggregates security data from many different
sources (as long as those sources support an open-standard logging format). It also provides
capabilities for threat detection and response.
Azure Sentinel is Microsoft's cloud-based SIEM system. It uses intelligent security analytics and
threat analysis.
Azure Sentinel capabilities
Azure Sentinel enables you to:
Collect cloud data at scale Collect data across all users, devices, applications, and infrastructure,
both on-premises and from multiple clouds.
Detect previously undetected threats Minimize false positives by using Microsoft's
comprehensive analytics and threat intelligence.
Investigate threats with artificial intelligence Examine suspicious activities at scale, tapping into
years of cybersecurity experience from Microsoft.
Respond to incidents rapidly Use built-in orchestration and automation of common tasks.
Connect your data sources
Tailwind Traders decides to explore the capabilities of Azure Sentinel. First, the company
identifies and connects its data sources.
Azure Sentinel supports a number of data sources, which it can analyze for security events.
These connections are handled by built-in connectors or industry-standard log formats and
APIs.
Connect Microsoft solutions Connectors provide real-time integration for services like Microsoft
Threat Protection solutions, Microsoft 365 sources (including Office 365), Azure Active
Directory, and Windows Defender Firewall.
Connect other services and solutions Connectors are available for common non-Microsoft
services and solutions, including AWS CloudTrail, Citrix Analytics (Security), Sophos XG Firewall,
VMware Carbon Black Cloud, and Okta SSO.
Connect industry-standard data sources Azure Sentinel supports data from other sources that
use the Common Event Format (CEF) messaging standard, Syslog, or REST API.
Detect threats
Tailwind Traders needs to be notified when something suspicious occurs. It decides to use both
built-in analytics and custom rules to detect threats.
Built in analytics use templates designed by Microsoft's team of security experts and analysts
based on known threats, common attack vectors, and escalation chains for suspicious activity.
These templates can be customized and search across the environment for any activity that
looks suspicious. Some templates use machine learning behavioral analytics that are based on
Microsoft proprietary algorithms.
Custom analytics are rules that you create to search for specific criteria within your
environment. You can preview the number of results that the query would generate (based on
past log events) and set a schedule for the query to run. You can also set an alert threshold.
Investigate and respond
When Azure Sentinel detects suspicious events, Tailwind Traders can investigate specific alerts
or incidents (a group of related alerts). With the investigation graph, the company can review
information from entities directly connected to the alert, and see common exploration queries
to help guide the investigation.
Here's an example that shows what an investigation graph looks like in Azure Sentinel.

The company will also use Azure Monitor Workbooks to automate responses to threats. For
example, it can set an alert that looks for malicious IP addresses that access the network and
create a workbook that does the following steps:
When the alert is triggered, open a ticket in the IT ticketing system.
Send a message to the security operations channel in Microsoft Teams or Slack to make sure
the security analysts are aware of the incident.
Send all of the information in the alert to the senior network admin and to the security admin.
The email message includes two user option buttons: Block or Ignore.
When an admin chooses Block, the IP address is blocked in the firewall, and the user is disabled
in Azure Active Directory. When an admin chooses Ignore, the alert is closed in Azure Sentinel,
and the incident is closed in the IT ticketing system.
The workbook continues to run after it receives a response from the admins.
Workbooks can be run manually or automatically when a rule triggers an alert.
Store and manage secrets by using Azure Key Vault
Completed100 XP
3 minutes
As Tailwind Traders builds its workloads in the cloud, it needs to carefully handle sensitive
information such as passwords, encryption keys, and certificates. This information needs to be
available for an application to function, but it might allow an unauthorized person access to
application data.
Azure Key Vault is a centralized cloud service for storing an application's secrets in a single,
central location. It provides secure access to sensitive information by providing access control
and logging capabilities.
What can Azure Key Vault do?
Azure Key Vault can help you:
Manage secrets You can use Key Vault to securely store and tightly control access to tokens,
passwords, certificates, API keys, and other secrets.
Manage encryption keys You can use Key Vault as a key management solution. Key Vault makes
it easier to create and control the encryption keys that are used to encrypt your data.
Manage SSL/TLS certificates Key Vault enables you to provision, manage, and deploy your
public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for both
your Azure resources and your internal resources.
Store secrets backed by hardware security modules (HSMs) These secrets and keys can be
protected either by software or by FIPS 140-2 Level 2 validated HSMs.
Here's an example that shows a certificate used for testing in Key Vault.

You'll add a secret to Key Vault later in this module.

What are the benefits of Azure Key Vault?
The benefits of using Key Vault include:
Centralized application secrets Centralizing the storage for your application secrets enables you
to control their distribution, and reduces the chances that secrets are accidentally leaked.
Securely stored secrets and keys Azure uses industry-standard algorithms, key lengths, and
HSMs. Access to Key Vault requires proper authentication and authorization.
Access monitoring and access control By using Key Vault, you can monitor and control access to
your application secrets.
Simplified administration of application secrets Key Vault makes it easier to enroll and renew
certificates from public certificate authorities (CAs). You can also scale up and replicate content
within regions and use standard certificate management tools.
Integration with other Azure services You can integrate Key Vault with storage accounts,
container registries, event hubs, and many more Azure services. These services can then
securely reference the secrets stored in Key Vault.
Host your Azure virtual machines on dedicated physical servers by using Azure Dedicated Host
Completed100 XP
2 minutes
On Azure, virtual machines (VMs) run on shared hardware that Microsoft manages. Although
the underlying hardware is shared, your VM workloads are isolated from workloads that other
Azure customers run.
Some organizations must follow regulatory compliance that requires them to be the only
customer using the physical machine that hosts their virtual machines. Azure Dedicated
Host provides dedicated physical servers to host your Azure VMs for Windows and Linux.
Here's a diagram that shows how VMs relate to dedicated hosts and host groups. A dedicated
host is mapped to a physical server in an Azure datacenter. A host group is a collection of
dedicated hosts.

What are the benefits of Azure Dedicated Host?

Azure Dedicated Host:
Gives you visibility into, and control over, the server infrastructure that's running your Azure
VMs.
Helps address compliance requirements by deploying your workloads on an isolated server.
Lets you choose the number of processors, server capabilities, VM series, and VM sizes within
the same host.
Availability considerations for Dedicated Host
After a dedicated host is provisioned, Azure assigns it to the physical server in Microsoft's cloud
datacenter.
For high availability, you can provision multiple hosts in a host group, and deploy your VMs
across this group. VMs on dedicated hosts can also take advantage of maintenance control. This
feature enables you to control when regular maintenance updates occur, within a 35-day rolling
window.
Pricing considerations
You're charged per dedicated host, independent of how many VMs you deploy to it. The host
price is based on the VM family, type (hardware size), and region.
Software licensing, storage, and network usage are billed separately from the host and VMs.
For more information. see Azure Dedicated Host pricing.
What is defense in depth?
Completed100 XP
6 minutes
Tailwind Traders currently runs its workloads on-premises, in its datacenter. Running on-
premises means that the company is responsible for all aspects of security, from physical access
to buildings all the way down to how data travels in and out of the network. The company
wants to know how its current defense-in-depth strategy compares to running in the cloud.
The objective of defense in depth is to protect information and prevent it from being stolen by
those who aren't authorized to access it.
A defense-in-depth strategy uses a series of mechanisms to slow the advance of an attack that
aims at acquiring unauthorized access to data.
Layers of defense in depth
You can visualize defense in depth as a set of layers, with the data to be secured at the center.

Each layer provides protection so that if one layer is breached, a subsequent layer is already in
place to prevent further exposure. This approach removes reliance on any single layer of
protection. It slows down an attack and provides alert telemetry that security teams can act
upon, either automatically or manually.
Here's a brief overview of the role of each layer:
The physical security layer is the first line of defense to protect computing hardware in the
datacenter.
The identity and access layer controls access to infrastructure and change control.
The perimeter layer uses distributed denial of service (DDoS) protection to filter large-scale
attacks before they can cause a denial of service for users.
The network layer limits communication between resources through segmentation and access
controls.
The compute layer secures access to virtual machines.
The application layer helps ensure that applications are secure and free of security
vulnerabilities.
The data layer controls access to business and customer data that you need to protect.
These layers provide a guideline for you to help make security configuration decisions in all of
the layers of your applications.
Azure provides security tools and features at every level of the defense-in-depth concept. Let's
take a closer look at each layer:

Physical security
Physically securing access to buildings and controlling access to computing hardware within the
datacenter are the first line of defense.
With physical security, the intent is to provide physical safeguards against access to assets. These
safeguards ensure that other layers can't be bypassed, and loss or theft is handled appropriately.
Microsoft uses various physical security mechanisms in its cloud datacenters.

Identity and access

At this layer, it's important to:
Control access to infrastructure and change control.
Use single sign-on (SSO) and multifactor authentication.
Audit events and changes.
The identity and access layer is all about ensuring that identities are secure, access is granted
only to what's needed, and sign-in events and changes are logged.
Perimeter
At this layer, it's important to:
Use DDoS protection to filter large-scale attacks before they can affect the availability of a
system for users.
Use perimeter firewalls to identify and alert on malicious attacks against your network.
At the network perimeter, it's about protecting from network-based attacks against your
resources. Identifying these attacks, eliminating their impact, and alerting you when they happen
are important ways to keep your network secure.

Network
At this layer, it's important to:
Limit communication between resources.
Deny by default.
Restrict inbound internet access and limit outbound access where appropriate.
Implement secure connectivity to on-premises networks.
At this layer, the focus is on limiting the network connectivity across all your resources to allow
only what's required. By limiting this communication, you reduce the risk of an attack spreading
to other systems in your network.
Compute
At this layer, it's important to:
Secure access to virtual machines.
Implement endpoint protection on devices and keep systems patched and current.
Malware, unpatched systems, and improperly secured systems open your environment to attacks.
The focus in this layer is on making sure that your compute resources are secure and that you
have the proper controls in place to minimize security issues.

Application
At this layer, it's important to:
Ensure that applications are secure and free of vulnerabilities.
Store sensitive application secrets in a secure storage medium.
Make security a design requirement for all application development.
Integrating security into the application development lifecycle helps reduce the number of
vulnerabilities introduced in code. Every development team should ensure that its applications
are secure by default.
Data
In almost all cases, attackers are after data:
Stored in a database.
Stored on disk inside virtual machines.
Stored in software as a service (SaaS) applications, such as Office 365.
Managed through cloud storage.
Those who store and control access to data are responsible for ensuring that it's properly secured.
Often, regulatory requirements dictate the controls and processes that must be in place to ensure
the confidentiality, integrity, and availability of the data.
Security posture
Your security posture is your organization's ability to protect from and respond to security
threats. The common principles used to define a security posture are confidentiality, integrity,
and availability, known collectively as CIA.
Confidentiality
The principle of least privilege means restricting access to information only to individuals
explicitly granted access, at only the level that they need to perform their work. This
information includes protection of user passwords, email content, and access levels to
applications and underlying infrastructure.
Integrity
Prevent unauthorized changes to information:
At rest: when it's stored.
In transit: when it's being transferred from one place to another, including from a local
computer to the cloud.
A common approach used in data transmission is for the sender to create a unique fingerprint
of the data by using a one-way hashing algorithm. The hash is sent to the receiver along with
the data. The receiver recalculates the data's hash and compares it to the original to ensure
that the data wasn't lost or modified in transit.
Availability
Ensure that services are functioning and can be accessed only by authorized users. Denial-of-
service attacks are designed to degrade the availability of a system, affecting its users.
Protect virtual networks by using Azure Firewall
Completed100 XP
5 minutes
A firewall is a network security device that monitors incoming and outgoing network traffic and
decides whether to allow or block specific traffic based on a defined set of security rules. You
can create firewall rules that specify ranges of IP addresses. Only clients granted IP addresses
from within those ranges are allowed to access the destination server. Firewall rules can also
include specific network protocol and port information.
Tailwind Traders currently runs firewall appliances, which combine hardware and software, to
protect its on-premises network. These firewall appliances require a monthly licensing fee to
operate, and they require IT staff to perform routine maintenance. As Tailwind Traders moves
to the cloud, the IT manager wants to know what Azure services can protect both the
company's cloud networks and its on-premises networks.
In this part, you explore Azure Firewall.
What's Azure Firewall?
Azure Firewall is a managed, cloud-based network security service that helps protect resources
in your Azure virtual networks. A virtual network is similar to a traditional network that you'd
operate in your own datacenter. It's a fundamental building block for your private network that
enables virtual machines and other compute resources to securely communicate with each
other, the internet, and on-premises networks.
Here's a diagram that shows a basic Azure Firewall implementation:

Azure Firewall is a stateful firewall. A stateful firewall analyzes the complete context of a
network connection, not just an individual packet of network traffic. Azure Firewall features
high availability and unrestricted cloud scalability.
Azure Firewall provides a central location to create, enforce, and log application and network
connectivity policies across subscriptions and virtual networks. Azure Firewall uses a static
(unchanging) public IP address for your virtual network resources, which enables outside
firewalls to identify traffic coming from your virtual network. The service is integrated with
Azure Monitor to enable logging and analytics.
Azure Firewall provides many features, including:
Built-in high availability.
Unrestricted cloud scalability.
Inbound and outbound filtering rules.
Inbound Destination Network Address Translation (DNAT) support.
Azure Monitor logging.
You typically deploy Azure Firewall on a central virtual network to control general network
access.
This short video explains how Azure Firewall monitors incoming and outgoing network traffic
based a defined set of security rules. The video also explains how Azure Firewall compares to
traditional firewall appliances.
What can I configure with Azure Firewall?
With Azure Firewall, you can configure:
Application rules that define fully qualified domain names (FQDNs) that can be accessed from a
subnet.
Network rules that define source address, protocol, destination port, and destination address.
Network Address Translation (NAT) rules that define destination IP addresses and ports to
translate inbound requests.
Azure Application Gateway also provides a firewall that's called the web application
firewall (WAF). WAF provides centralized, inbound protection for your web applications against
common exploits and vulnerabilities. Azure Front Door and Azure Content Delivery
Network also provide WAF services.
Protect from DDoS attacks by using Azure DDoS Protection
Completed100 XP
3 minutes
Any large company can be the target of a large-scale network attack. Tailwind Traders is no
exception. Attackers might flood your network to make a statement or simply for the challenge.
As Tailwind Traders moves to the cloud, it wants to understand how Azure can help prevent
distributed denial of service (DDoS) and other attacks.
In this part, you learn how Azure DDoS Protection (Standard service tier) helps protect your
Azure resources from DDoS attacks. First, let's define what a DDoS attack is.
What are DDoS attacks?
A distributed denial of service attack attempts to overwhelm and exhaust an application's
resources, making the application slow or unresponsive to legitimate users. DDoS attacks can
target any resource that's publicly reachable through the internet, including websites.
What is Azure DDoS Protection?
Azure DDoS Protection (Standard) helps protect your Azure resources from DDoS attacks.
When you combine DDoS Protection with recommended application design practices, you help
provide a defense against DDoS attacks. DDoS Protection uses the scale and elasticity of
Microsoft's global network to bring DDoS mitigation capacity to every Azure region. The DDoS
Protection service helps protect your Azure applications by analyzing and discarding DDoS
traffic at the Azure network edge, before it can affect your service's availability.
This diagram shows network traffic flowing into Azure from both customers and an attacker:

DDoS Protection identifies the attacker's attempt to overwhelm the network and blocks further
traffic from them, ensuring that traffic never reaches Azure resources. Legitimate traffic from
customers still flows into Azure without any interruption of service.
DDoS Protection can also help you manage your cloud consumption. When you run on-
premises, you have a fixed number of compute resources. But in the cloud, elastic computing
means that you can automatically scale out your deployment to meet demand. A cleverly
designed DDoS attack can cause you to increase your resource allocation, which incurs
unneeded expense. DDoS Protection Standard helps ensure that the network load you process
reflects customer usage. You can also receive credit for any costs accrued for scaled-out
resources during a DDoS attack.
What service tiers are available to DDoS Protection?
DDoS Protection provides these service tiers:
Basic
The Basic service tier is automatically enabled for free as part of your Azure subscription.
Always-on traffic monitoring and real-time mitigation of common network-level attacks provide
the same defenses that Microsoft's online services use. The Basic service tier ensures that
Azure infrastructure itself is not affected during a large-scale DDoS attack.
The Azure global network is used to distribute and mitigate attack traffic across Azure regions.
Standard
The Standard service tier provides additional mitigation capabilities that are tuned specifically
to Azure Virtual Network resources. DDoS Protection Standard is relatively easy to enable and
requires no changes to your applications.
The Standard tier provides always-on traffic monitoring and real-time mitigation of common
network-level attacks. It provides the same defenses that Microsoft's online services use.
Protection policies are tuned through dedicated traffic monitoring and machine learning
algorithms. Policies are applied to public IP addresses, which are associated with resources
deployed in virtual networks such as Azure Load Balancer and Application Gateway.
The Azure global network is used to distribute and mitigate attack traffic across Azure regions.
What kinds of attacks can DDoS Protection help prevent?
The Standard service tier can help prevent:
Volumetric attacks
The goal of this attack is to flood the network layer with a substantial amount of seemingly
legitimate traffic.
Protocol attacks
These attacks render a target inaccessible by exploiting a weakness in the layer 3 and layer 4
protocol stack.
Resource-layer (application-layer) attacks (only with web application firewall)
These attacks target web application packets to disrupt the transmission of data between hosts.
You need a web application firewall (WAF) to protect against L7 attacks. DDoS Protection
Standard protects the WAF from volumetric and protocol attacks.
Filter network traffic by using network security groups
Completed100 XP
2 minutes
Although Azure Firewall and Azure DDoS Protection can help control what traffic can come
from outside sources, Tailwind Traders also wants to understand how to protect its internal
networks on Azure. Doing so will give the company an extra layer of defense against attacks.
In this part, you examine network security groups (NSGs).
What are network security groups?
A network security group enables you to filter network traffic to and from Azure resources
within an Azure virtual network. You can think of NSGs like an internal firewall. An NSG can
contain multiple inbound and outbound security rules that enable you to filter traffic to and
from resources by source and destination IP address, port, and protocol.
How do I specify NSG rules?
A network security group can contain as many rules as you need, within Azure subscription
limits. Each rule specifies these properties:
Property Description
Name A unique name for the NSG.
Priority A number between 100 and 4096. Rules are processed in priority order, with lower numbers
higher numbers.
Source or A single IP address or IP address range, service tag, or application security group.
Destination
Protocol TCP, UDP, or Any.
Direction Whether the rule applies to inbound or outbound traffic.
Port Range A single port or range of ports.
Action Allow or Deny.
When you create a network security group, Azure creates a series of default rules to provide a
baseline level of security. You can't remove the default rules, but you can override them by
creating new rules with higher priorities.
Combine Azure services to create a complete network security solution
Completed100 XP
3 minutes
When you're considering an Azure security solution, consider all the elements of defense in
depth.
Here are some recommendations on how to combine Azure services to create a complete
network security solution.
Secure the perimeter layer
The perimeter layer is about protecting your organization's resources from network-based
attacks. Identifying these attacks, alerting the appropriate security teams, and eliminating their
impact are important to keeping your network secure. To do this:
Use Azure DDoS Protection to filter large-scale attacks before they can cause a denial of service
for users.
Use perimeter firewalls with Azure Firewall to identify and alert on malicious attacks against
your network.
Secure the network layer
At this layer, the focus is on limiting network connectivity across all of your resources to allow
only what's required. Segment your resources and use network-level controls to restrict
communication to only what's needed.
By restricting connectivity, you reduce the risk of lateral movement throughout your network
from an attack. Use network security groups to create rules that define allowed inbound and
outbound communication at this layer. Here are some recommended practices:
Limit communication between resources by segmenting your network and configuring access
controls.
Deny by default.
Restrict inbound internet access and limit outbound where appropriate.
Implement secure connectivity to on-premises networks.
Combine services
You can combine Azure networking and security services to manage your network security and
provide increased layered protection. Here are two ways you can combine services:
Network security groups and Azure Firewall
Azure Firewall complements the functionality of network security groups. Together, they
provide better defense-in-depth network security.
Network security groups provide distributed network-layer traffic filtering to limit traffic to
resources within virtual networks in each subscription.
Azure Firewall is a fully stateful, centralized network firewall as a service. It provides network-
level and application-level protection across different subscriptions and virtual networks.
Azure Application Gateway web application firewall and Azure Firewall
Web application firewall (WAF) is a feature of Azure Application Gateway that provides your
web applications with centralized, inbound protection against common exploits and
vulnerabilities.
Azure Firewall provides:
Inbound protection for non-HTTP/S protocols (for example, RDP, SSH, and FTP).
Outbound network-level protection for all ports and protocols.
Application-level protection for outbound HTTP/S.
Combining them provides more layers of protection.
Compare authentication and authorization
Completed100 XP
2 minutes
Recall that Tailwind Traders must ensure that only employees can sign in and access its business
applications.
Tailwind Traders also needs to ensure that employees can access only authorized applications.
For example, all employees can access inventory and pricing software, but only store managers
can access payroll and certain accounting software.
Two fundamental concepts that you need to understand when talking about identity and access
are authentication (AuthN) and authorization (AuthZ).
Authentication and authorization both support everything else that happens. They occur
sequentially in the identity and access process.
Let's take a brief look at each.
What is authentication?
Authentication is the process of establishing the identity of a person or service that wants to
access a resource. It involves the act of challenging a party for legitimate credentials and
provides the basis for creating a security principal for identity and access control. It establishes
whether the user is who they say they are.
What is authorization?
Authentication establishes the user's identity, but authorization is the process of establishing
what level of access an authenticated person or service has. It specifies what data they're
allowed to access and what they can do with it.
How are authentication and authorization related?
Here's a diagram that shows the relationship between authentication and authorization:

The identification card represents credentials that the user has to prove their identity (you'll
learn more about the types of credentials later in this module.) Once authenticated,
authorization defines what kinds of applications, resources, and data that user can access.
What is Azure Active Directory?
Completed100 XP
5 minutes
In this part, you learn how Azure Active Directory (Azure AD) provides identity services that
enable your users to sign in and access both Microsoft cloud applications and cloud applications
that you develop. You also learn how Azure AD supports single sign-on (SSO).
Tailwind Traders already uses Active Directory to secure its on-premises environments. The
company doesn't want its users to have a different username and password to remember for
accessing applications and data in the cloud. Can the company integrate its existing Active
Directory instance with cloud identity services to create a seamless experience for its users?
Let's start with how Azure AD compares to Active Directory.
How does Azure AD compare to Active Directory?
Active Directory is related to Azure AD, but they have some key differences.
Microsoft introduced Active Directory in Windows 2000 to give organizations the ability to
manage multiple on-premises infrastructure components and systems by using a single identity
per user.
For on-premises environments, Active Directory running on Windows Server provides an
identity and access management service that's managed by your own organization. Azure AD is
Microsoft's cloud-based identity and access management service. With Azure AD, you control
the identity accounts, but Microsoft ensures that the service is available globally. If you've
worked with Active Directory, Azure AD will be familiar to you.
When you secure identities on-premises with Active Directory, Microsoft doesn't monitor sign-
in attempts. When you connect Active Directory with Azure AD, Microsoft can help protect you
by detecting suspicious sign-in attempts at no extra cost. For example, Azure AD can detect
sign-in attempts from unexpected locations or unknown devices.
Who uses Azure AD?
Azure AD is for:
IT administrators
Administrators can use Azure AD to control access to applications and resources based on their
business requirements.
App developers
Developers can use Azure AD to provide a standards-based approach for adding functionality to
applications that they build, such as adding SSO functionality to an app or enabling an app to
work with a user's existing credentials.
Users
Users can manage their identities. For example, self-service password reset enables users to
change or reset their password with no involvement from an IT administrator or help desk.
Online service subscribers
Microsoft 365, Microsoft Office 365, Azure, and Microsoft Dynamics CRM Online subscribers
are already using Azure AD.
A tenant is a representation of an organization. A tenant is typically separated from other
tenants and has its own identity.
Each Microsoft 365, Office 365, Azure, and Dynamics CRM Online tenant is automatically an
Azure AD tenant.
Here's a screenshot of what an IT administrator might see in the Azure portal when working
with Active Directory:

What services does Azure AD provide?

Azure AD provides services such as:
Authentication
This includes verifying identity to access applications and resources. It also includes providing
functionality such as self-service password reset, multifactor authentication, a custom list of
banned passwords, and smart lockout services.
Single sign-on
SSO enables you to remember only one username and one password to access multiple
applications. A single identity is tied to a user, which simplifies the security model. As users
change roles or leave an organization, access modifications are tied to that identity, which
greatly reduces the effort needed to change or disable accounts.
Application management
You can manage your cloud and on-premises apps by using Azure AD. Features like Application
Proxy, SaaS apps, the My Apps portal (also called the access panel), and single sign-on provide a
better user experience.
Device management
Along with accounts for individual people, Azure AD supports the registration of devices.
Registration enables devices to be managed through tools like Microsoft Intune. It also allows
for device-based Conditional Access policies to restrict access attempts to only those coming
from known devices, regardless of the requesting user account.
What kinds of resources can Azure AD help secure?
Azure AD helps users access both external and internal resources.
External resources might include Microsoft Office 365, the Azure portal, and thousands of other
software as a service (SaaS) applications.
Internal resources might include apps on your corporate network and intranet, along with any
cloud applications developed within your organization.
What's single sign-on?
Single sign-on enables a user to sign in one time and use that credential to access multiple
resources and applications from different providers.
More identities mean more passwords to remember and change. Password policies can vary
among applications. As complexity requirements increase, it becomes increasingly difficult for
users to remember them. The more passwords a user has to manage, the greater the risk of a
credential-related security incident.
Consider the process of managing all those identities. Additional strain is placed on help desks
as they deal with account lockouts and password reset requests. If a user leaves an
organization, tracking down all those identities and ensuring they are disabled can be
challenging. If an identity is overlooked, this might allow access when it should have been
eliminated.
With SSO, you need to remember only one ID and one password. Access across applications is
granted to a single identity that's tied to the user, which simplifies the security model. As users
change roles or leave an organization, access is tied to a single identity. This change greatly
reduces the effort needed to change or disable accounts. Using SSO for accounts makes it
easier for users to manage their identities and increases your security capabilities.
You'll find resources at the end of this module about how to enable SSO through Azure AD.
How can I connect Active Directory with Azure AD?
Connecting Active Directory with Azure AD enables you to provide a consistent identity
experience to your users.
There are a few ways to connect your existing Active Directory installation with Azure AD.
Perhaps the most popular method is to use Azure AD Connect.
Azure AD Connect synchronizes user identities between on-premises Active Directory and Azure
AD. Azure AD Connect synchronizes changes between both identity systems, so you can use
features like SSO, multifactor authentication, and self-service password reset under both
systems. Self-service password reset prevents users from using known compromised
passwords.
Here's a diagram that shows how Azure AD Connect fits between on-premises Active Directory
and Azure AD:
As Tailwind Traders integrates its existing Active Directory instance with Azure AD, it creates a
consistent access model across its organization. Doing so greatly simplifies its ability to sign in
to different applications, manage changes to user identities and control, and monitor and block
unusual access attempts.
What are multifactor authentication and Conditional Access?
Completed100 XP
4 minutes
Tailwind Traders allows delivery drivers to use their own mobile devices to access scheduling
and logistics applications. Some delivery drivers are permanent employees of Tailwind Traders.
Others work on short-term contract. How can the IT department ensure that an access attempt
is really from a valid Tailwind Traders worker?
In this part, you'll learn about two processes that enable secure authentication: Azure AD Multi-
Factor Authentication and Conditional Access. Let's start with a brief look at what multifactor
authentication is in general.
What's multifactor authentication?
Multifactor authentication is a process where a user is prompted during the sign-in process for
an additional form of identification. Examples include a code on their mobile phone or a
fingerprint scan.
Think about how you sign in to websites, email, or online gaming services. In addition to your
username and password, have you ever needed to enter a code that was sent to your phone? If
so, you've used multifactor authentication to sign in.
Multifactor authentication provides additional security for your identities by requiring two or
more elements to fully authenticate.
These elements fall into three categories:
Something the user knows
This might be an email address and password.
Something the user has
This might be a code that's sent to the user's mobile phone.
Something the user is
This is typically some sort of biometric property, such as a fingerprint or face scan that's used
on many mobile devices.
Multifactor authentication increases identity security by limiting the impact of credential
exposure (for example, stolen usernames and passwords). With multifactor authentication
enabled, an attacker who has a user's password would also need to have possession of their
phone or their fingerprint to fully authenticate.
Compare multifactor authentication with single-factor authentication. Under single-factor
authentication, an attacker would need only a username and password to authenticate.
Multifactor authentication should be enabled wherever possible because it adds enormous
benefits to security.
What's Azure AD Multi-Factor Authentication?
Azure AD Multi-Factor Authentication is a Microsoft service that provides multifactor
authentication capabilities. Azure AD Multi-Factor Authentication enables users to choose an
additional form of authentication during sign-in, such as a phone call or mobile app notification.
These services provide Azure AD Multi-Factor Authentication capabilities:
Azure Active Directory
The Azure Active Directory free edition enables Azure AD Multi-Factor Authentication for
administrators with the global admin level of access, via the Microsoft Authenticator app,
phone call, or SMS code. You can also enforce Azure AD Multi-Factor Authentication for all
users via the Microsoft Authenticator app only, by enabling security defaults in your Azure AD
tenant.
Azure Active Directory Premium (P1 or P2 licenses) allows for comprehensive and granular
configuration of Azure AD Multi-Factor Authentication through Conditional Access policies
(explained shortly).
Multifactor authentication for Office 365
A subset of Azure AD Multi-Factor Authentication capabilities is part of your Office 365
subscription.
For more information on licenses and Azure AD Multi-Factor Authentication capabilities,
see Available versions of Azure AD Multi-Factor Authentication.
What's Conditional Access?
Conditional Access is a tool that Azure Active Directory uses to allow (or deny) access to
resources based on identity signals. These signals include who the user is, where the user is,
and what device the user is requesting access from.
Conditional Access helps IT administrators:
Empower users to be productive wherever and whenever.
Protect the organization's assets.
Conditional Access also provides a more granular multifactor authentication experience for
users. For example, a user might not be challenged for second authentication factor if they're at
a known location. However, they might be challenged for a second authentication factor if their
sign-in signals are unusual or they're at an unexpected location.
During sign-in, Conditional Access collects signals from the user, makes decisions based on
those signals, and then enforces that decision by allowing or denying the access request or
challenging for a multifactor authentication response.
Here's a diagram that illustrates this flow:
Here, the signal might be the user's location, the user's device, or the application that the user
is trying to access.
Based on these signals, the decision might be to allow full access if the user is signing in from
their usual location. If the user is signing in from an unusual location or a location that's marked
as high risk, then access might be blocked entirely or possibly granted after the user provides a
second form of authentication.
Enforcement is the action that carries out the decision. For example, the action is to allow
access or require the user to provide a second form of authentication.
When can I use Conditional Access?
Conditional Access is useful when you need to:
Require multifactor authentication to access an application.
You can configure whether all users require multifactor authentication or only certain users,
such as administrators.
You can also configure whether multifactor authentication applies to access from all networks
or only untrusted networks.
Require access to services only through approved client applications.
For example, you might want to allow users to access Office 365 services from a mobile device
as long as they use approved client apps, like the Outlook mobile app.
Require users to access your application only from managed devices.
A managed device is a device that meets your standards for security and compliance.
Block access from untrusted sources, such as access from unknown or unexpected locations.
Conditional Access comes with a What If tool, which helps you plan and troubleshoot your
Conditional Access policies. You can use this tool to model your proposed Conditional Access
policies across recent sign-in attempts from your users to see what the impact would have been
if those policies had been enabled. The What If tool enables you to test your proposed
Conditional Access policies before you implement them.
Where is Conditional Access available?
To use Conditional Access, you need an Azure AD Premium P1 or P2 license. If you have a
Microsoft 365 Business Premium license, you also have access to Conditional Access features.
Control access to cloud resources by using Azure role-based access control
Completed100 XP
4 minutes
When you have multiple IT and engineering teams, how can you control what access they have
to the resources in your cloud environment? It's a good security practice to grant users only the
rights they need to perform their job, and only to the relevant resources.
Instead of defining the detailed access requirements for each individual, and then updating
access requirements when new resources are created, Azure enables you to control access
through Azure role-based access control (Azure RBAC).
Azure provides built-in roles that describe common access rules for cloud resources. You can
also define your own roles. Each role has an associated set of access permissions that relate to
that role. When you assign individuals or groups to one or more roles, they receive all of the
associated access permissions.
How is role-based access control applied to resources?
Role-based access control is applied to a scope, which is a resource or set of resources that this
access applies to.
Here's a diagram that shows the relationship between roles and scopes.

Scopes include:
A management group (a collection of multiple subscriptions).
A single subscription.
A resource group.
A single resource.
Observers, Users managing resources, Admins, and Automated processes illustrate the kinds of
users or accounts that would typically be assigned each of the various roles.
When you grant access at a parent scope, those permissions are inherited by all child scopes.
For example:
When you assign the Owner role to a user at the management group scope, that user can
manage everything in all subscriptions within the management group.
When you assign the Reader role to a group at the subscription scope, the members of that
group can view every resource group and resource within the subscription.
When you assign the Contributor role to an application at the resource group scope, the
application can manage resources of all types within that resource group, but not other
resource groups within the subscription.
When should I use Azure RBAC?
Use Azure RBAC when you need to:
Allow one user to manage VMs in a subscription and another user to manage virtual networks.
Allow a database administrator group to manage SQL databases in a subscription.
Allow a user to manage all resources in a resource group, such as virtual machines, websites,
and subnets.
Allow an application to access all resources in a resource group.
These are just a few examples. You'll find the complete list of built-in roles at the end of this
module.
How is Azure RBAC enforced?
Azure RBAC is enforced on any action that's initiated against an Azure resource that passes
through Azure Resource Manager. Resource Manager is a management service that provides a
way to organize and secure your cloud resources.
You typically access Resource Manager from the Azure portal, Azure Cloud Shell, Azure
PowerShell, and the Azure CLI. Azure RBAC doesn't enforce access permissions at the
application or data level. Application security must be handled by your application.
RBAC uses an allow model. When you're assigned a role, RBAC allows you to perform certain
actions, such as read, write, or delete. If one role assignment grants you read permissions to a
resource group and a different role assignment grants you write permissions to the same
resource group, you have both read and write permissions on that resource group.
Who does Azure RBAC apply to?
You can apply Azure RBAC to an individual person or to a group. You can also apply Azure RBAC
to other special identity types, such as service principals and managed identities. These identity
types are used by applications and services to automate access to Azure resources.
Tailwind Traders has the following teams with an interest in some part of their overall IT
environment:
IT Administrators This team has ultimate ownership of technology assets, both on-premises and
in the cloud. The team requires full control of all resources.
Backup and Disaster Recovery This team is responsible for managing the health of regular
backups and invoking any data or system recoveries.
Cost and Billing People in this team track and report on technology-related spend. They also
manage the organization's internal budgets.
Security Operations This team monitors and responds to any technology-related security
incidents. The team requires ongoing access to log files and security alerts.
How do I manage Azure RBAC permissions?
You manage access permissions on the Access control (IAM) pane in the Azure portal. This pane
shows who has access to what scope and what roles apply. You can also grant or remove access
from this pane.
The following screenshot shows an example of the Access control (IAM) pane for a resource
group. In this example, Alain Charon has been assigned the Backup Operator role for this
resource group.

Prevent accidental changes by using resource locks

Completed100 XP
3 minutes
A resource lock prevents resources from being accidentally deleted or changed.
Even with Azure role-based access control (Azure RBAC) policies in place, there's still a risk that
people with the right level of access could delete critical cloud resources. Think of a resource
lock as a warning system that reminds you that a resource should not be deleted or changed.
For example, at Tailwind Traders, an IT administrator was performing routine cleanup of
unused resources in Azure. The admin accidentally deleted resources that appeared to be
unused. But these resources were critical to an application that's used for seasonal promotions.
How can resource locks help prevent this kind of incident from happening in the future?
How do I manage resource locks?
You can manage resource locks from the Azure portal, PowerShell, the Azure CLI, or from an
Azure Resource Manager template.
To view, add, or delete locks in the Azure portal, go to the Settings section of any
resource's Locks pane in the Azure portal.
Here's an example that shows how to add a resource lock from the Azure portal. You'll apply a
similar resource lock in the next part.

What levels of locking are available?

You can apply locks to a subscription, a resource group, or an individual resource. You can set
the lock level to CanNotDelete or ReadOnly.
CanNotDelete means authorized people can still read and modify a resource, but they can't
delete the resource without first removing the lock.
ReadOnly means authorized people can read a resource, but they can't delete or change the
resource. Applying this lock is like restricting all authorized users to the permissions granted by
the Reader role in Azure RBAC.
How do I delete or change a locked resource?
Although locking helps prevent accidental changes, you can still make changes by following a
two-step process.
To modify a locked resource, you must first remove the lock. After you remove the lock, you
can apply any action you have permissions to perform. This additional step allows the action to
be taken, but it helps protect your administrators from doing something they might not have
intended to do.
Resource locks apply regardless of RBAC permissions. Even if you're an owner of the resource,
you must still remove the lock before you can perform the blocked activity.
Combine resource locks with Azure Blueprints
What if a cloud administrator accidentally deletes a resource lock? If the resource lock is
removed, its associated resources can be changed or deleted.
To make the protection process more robust, you can combine resource locks with Azure
Blueprints. Azure Blueprints enables you to define the set of standard Azure resources that
your organization requires. For example, you can define a blueprint that specifies that a certain
resource lock must exist. Azure Blueprints can automatically replace the resource lock if that
lock is removed.
You'll learn more about Azure Blueprints later in this module.
Exercise - Protect a storage account from accidental deletion by using a resource lock
Completed100 XP
8 minutes
In this exercise, you see how resource locks help prevent accidental deletion of your Azure
resources.
To do so, you create a resource group from the Azure portal. Think of a resource group as a
container for related Azure resources. Then you add a lock to your resource group and verify
that you can't delete the resource group.
You then add a storage account to your resource group and see how the lock from the parent
resource group prevents the storage account from being deleted. A storage account is a
container that groups a set of Azure Storage services together.
Important
You need your own Azure subscription to complete the exercises in this module. If you don't
have an Azure subscription, you can still read along.
Create the resource group
Here you create a resource group that's named my-test-rg.
Go to the Azure portal and sign in.
At the top of the page, select Resource groups.
Select + New. The Create a resource group page appears.
In the Basics tab, fill in the following fields.
Setting
Value
Project details
Subscription
Your Azure subscription
Resource group
my-test-rg
Resource details
Region
(US) East US
You can also select a region that's closer to you.
Select Review + create, and then select Create.
Add a lock to the resource group
Add a resource lock to the resource group. To do so:
From the Azure portal, select your resource group, my-test-rg.
Under Settings, select Locks, and then select Add.

Fill in these fields.

Setting
Value
Lock name
rg-delete-lock
Lock type
Delete
Select OK. You see that the resource lock is applied to your resource group.

Verify that the resource group is protected from deletion

Here, you verify protection by attempting to delete the resource group.
From the top of the page, select my-test-rg to go to your resource group's overview page.

Select Delete resource group.

At the prompt, enter my-test-rg, and then select OK. You see a message that tells you that the
resource group is locked and can't be deleted.

Protect a storage account from accidental deletion

Here, you add a storage account to your resource group and see how the lock from the parent
resource group prevents the storage account from being deleted. To do so:
From the Azure portal, at the top of the page, select Home to return to the start page.
Select Storage accounts. Then select + New. The Create storage account page appears.
In the Basics tab, fill in the following fields.
Note
Replace NNN with a series of numbers. The numbers help to ensure that your storage account
name is unique.
Setting
Value
Project details
Subscription
Your Azure subscription
Resource group
my-test-rg
Instance details
Storage account name
mysaNNN
Location
(US) East US
Performance
Standard
Account kind
StorageV2 (general purpose v2)
Replication
Locally redundant storage (LRS)
As before, you can also select a region that's closer to you.
Select Review + create, and then select Create. The deployment might take a few moments to
complete.
Select Go to resource.
At the top of the page, select Delete.

You see a message that tells you the resource or its parent is locked and can't be deleted.
Here's an example that shows the error message for a storage account that's named mysa1234.

Although you didn't create a lock specifically for the storage account, the lock you created for
the parent resource group prevents you from deleting the resource. In other words, the storage
account inherits the lock from the parent resource group.
Delete the resource group and the storage account
You no longer need your resource group or storage account. Here you remove both.
When you delete a resource group, you also delete its child resources, such as the storage
account you previously created.
To delete the resource group, you first need to remove the resource lock.
From the Azure portal, select Home > Resource groups > my-test-rg to go to your resource
group.
Under Settings, select Locks.
Locate rg-delete-lock, and select Delete on that same row.
Select Overview, and then select Delete resource group.
At the prompt, enter my-test-rg, and then select OK. The deletion operation might take a few
moments to complete.
When the operation completes, select Home > Resource groups. You see that the my-test-
rg resource group no longer exists in your account. Your storage account is also deleted.
Nice work. You can now apply resource locks to help prevent the accidental deletion of your
Azure resources.
Organize your Azure resources by using tags
Completed100 XP
3 minutes
As your cloud usage grows, it's increasingly important to stay organized. A good organization
strategy helps you understand your cloud usage and can help you manage costs.
For example, as Tailwind Traders prototypes new ways to deploy its applications on Azure, it
needs a way to mark its test environments so that it can easily identify and delete resources in
these environments when they're no longer needed.
One way to organize related resources is to place them in their own subscriptions. You can also
use resource groups to manage related resources. Resource tags are another way to organize
resources. Tags provide extra information, or metadata, about your resources. This metadata is
useful for:
Resource management Tags enable you to locate and act on resources that are associated with
specific workloads, environments, business units, and owners.
Cost management and optimization Tags enable you to group resources so that you can report
on costs, allocate internal cost centers, track budgets, and forecast estimated cost.
Operations management Tags enable you to group resources according to how critical their
availability is to your business. This grouping helps you formulate service-level agreements
(SLAs). An SLA is an uptime or performance guarantee between you and your users.
Security Tags enable you to classify data by its security level, such as public or confidential.
Governance and regulatory compliance Tags enable you to identify resources that align with
governance or regulatory compliance requirements, such as ISO 27001. Tags can also be part of
your standards enforcement efforts. For example, you might require that all resources be
tagged with an owner or department name.
Workload optimization and automation Tags can help you visualize all of the resources that
participate in complex deployments. For example, you might tag a resource with its associated
workload or application name and use software such as Azure DevOps to perform automated
tasks on those resources.
How do I manage resource tags?
You can add, modify, or delete resource tags through PowerShell, the Azure CLI, Azure
Resource Manager templates, the REST API, or the Azure portal.
You can also manage tags by using Azure Policy. For example, you can apply tags to a resource
group, but those tags aren't automatically applied to the resources within that resource group.
You can use Azure Policy to ensure that a resource inherits the same tags as its parent resource
group. You'll learn more about Azure Policy later in this module.
You can also use Azure Policy to enforce tagging rules and conventions. For example, you can
require that certain tags be added to new resources as they're provisioned. You can also define
rules that reapply tags that have been removed.
An example tagging structure
A resource tag consists of a name and a value. You can assign one or more tags to each Azure
resource.
After reviewing its business requirements, Tailwind Traders decides on the following tags.
Name
Value
AppName
The name of the application that the resource is part of.
CostCenter
The internal cost center code.
Owner
The name of the business owner who's responsible for the resource.
Environment
An environment name, such as "Prod," "Dev," or "Test."
Impact
How important the resource is to business operations, such as "Mission-critical," "High-impact,"
or "Low-impact."
Here's an example that shows these tags as they're applied to a virtual machine during
provisioning.

The Tailwind Traders team can run queries, for example, from PowerShell or the Azure CLI, to
list all resources that contain these tags.
Keep in mind that you don't need to enforce that a specific tag is present on all of your
resources. For example, you might decide that only mission-critical resources have
the Impact tag. All non-tagged resources would then not be considered as mission-critical.
Control and audit your resources by using Azure Policy
Completed100 XP
5 minutes
In a previous exercise in this module, you identified your governance and business
requirements. How do you ensure that your resources stay compliant? Can you be alerted if a
resource's configuration has changed?
Azure Policy is a service in Azure that enables you to create, assign, and manage policies that
control or audit your resources. These policies enforce different rules across all of your resource
configurations so that those configurations stay compliant with corporate standards.
How does Azure Policy define policies?
Azure Policy enables you to define both individual policies and groups of related policies,
known as initiatives. Azure Policy evaluates your resources and highlights resources that aren't
compliant with the policies you've created. Azure Policy can also prevent noncompliant
resources from being created.
Azure Policy comes with built-in policy and initiative definitions for Storage, Networking,
Compute, Security Center, and Monitoring. For example, if you define a policy that allows only a
certain SKU (stock-keeping unit) size for the virtual machines (VMs) to be used in your
environment, that policy is invoked when you create a new VM and whenever you resize
existing VMs. Azure Policy also evaluates and monitors all current VMs in your environment.
In some cases, Azure Policy can automatically remediate noncompliant resources and
configurations to ensure the integrity of the state of the resources. For example, if all resources
in a certain resource group should be tagged with AppName tag and a value of "SpecialOrders,"
Azure Policy will automatically reapply that tag if it was missing.
Azure Policy also integrates with Azure DevOps by applying any continuous integration and
delivery pipeline policies that pertain to the pre-deployment and post-deployment phases of
your applications.
Azure Policy in action
Implementing a policy in Azure Policy involves three tasks:
Create a policy definition.
Assign the definition to resources.
Review the evaluation results.
Let's examine each step in more detail.
Task 1. Create a policy definition
A policy definition expresses what to evaluate and what action to take. For example, you could
prevent VMs from being deployed in certain Azure regions. You also could audit your storage
accounts to verify that they only accept connections from allowed networks.
Every policy definition has conditions under which it's enforced. A policy definition also has an
accompanying effect that takes place when the conditions are met. Here are some example
policy definitions:
Allowed virtual machine SKUs This policy enables you to specify a set of VM SKUs that your
organization can deploy.
Allowed locations This policy enables you to restrict the locations that your organization can
specify when it deploys resources. Its effect is used to enforce your geographic compliance
requirements.
MFA should be enabled on accounts with write permissions on your subscription This policy
requires that multifactor authentication (MFA) be enabled for all subscription accounts with
write privileges to prevent a breach of accounts or resources.
CORS should not allow every resource to access your web applications Cross-origin resource
sharing (CORS) is an HTTP feature that enables a web application running under one domain to
access resources in another domain. For security reasons, modern web browsers restrict cross-
site scripting by default. This policy allows only required domains to interact with your web app.
System updates should be installed on your machines This policy enables Azure Security Center
to recommend missing security system updates on your servers.
Task 2. Assign the definition to resources
To implement your policy definitions, you assign definitions to resources. A policy assignment is
a policy definition that takes place within a specific scope. This scope could be a management
group (a collection of multiple subscriptions), a single subscription, or a resource group.
Policy assignments are inherited by all child resources within that scope. If a policy is applied to
a resource group, that policy is applied to all resources within that resource group. You can
exclude a subscope from the policy assignment if there are specific child resources you need to
be exempt from the policy assignment.
Task 3. Review the evaluation results
When a condition is evaluated against your existing resources, each resource is marked as
compliant or noncompliant. You can review the noncompliant policy results and take any action
that's needed.
Policy evaluation happens about once per hour. If you make changes to your policy definition
and create a policy assignment, that policy is evaluated over your resources within the hour.
What are Azure Policy initiatives?
An Azure Policy initiative is a way of grouping related policies together. The initiative definition
contains all of the policy definitions to help track your compliance state for a larger goal.
For example, Azure Policy includes an initiative named Enable Monitoring in Azure Security
Center. Its goal is to monitor all of the available security recommendations for all Azure
resource types in Azure Security Center.
Under this initiative, the following policy definitions are included:
Monitor unencrypted SQL Database in Security Center This policy monitors for unencrypted SQL
databases and servers.
Monitor OS vulnerabilities in Security Center This policy monitors servers that don't satisfy the
configured OS vulnerability baseline.
Monitor missing Endpoint Protection in Security Center This policy monitors for servers that
don't have an installed endpoint protection agent.
In fact, the Enable Monitoring in Azure Security Center initiative contains over 100 separate
policy definitions.
Azure Policy also includes initiatives that support regulatory compliance standards, such as
HIPAA and ISO 27001.
How do I define an initiative?
You define initiatives by using the Azure portal or command-line tools. From the Azure portal,
you can search the list of built-in initiatives that are built into Azure. You also can create your
own custom policy definition.
The following image shows a few example Azure Policy initiatives in the Azure portal.
How do I assign an initiative?
Like a policy assignment, an initiative assignment is an initiative definition that's assigned to a
specific scope of a management group, a subscription, or a resource group.
Even if you have only a single policy, an initiative enables you to increase the number of policies
over time. Because the associated initiative remains assigned, it's easier to add and remove
policies without the need to change the policy assignment for your resources.
Exercise - Restrict deployments to a specific location by using Azure Policy
Completed100 XP
8 minutes
In this exercise, you create a policy in Azure Policy that restricts the deployment of Azure
resources to a specific location. You verify the policy by attempting to create a storage account
in a location that violates the policy.
Tailwind Traders wants to limit the location where resources can be deployed to the East
US region. It has two reasons:
Improved cost tracking To track costs, Tailwind Traders uses different subscriptions to track
deployments to each of its regional locations. The policy will ensure that all resources are
deployed to the East US region.
Adhere to data residency and security compliance Tailwind Traders must adhere to a
compliance rule that states where customer data can be stored. Here, customer data must be
stored in the East US region.
Recall that you can assign a policy to a management group, a single subscription, or a resource
group. Here, you assign the policy to a resource group so that policy doesn't affect any other
resources in your Azure subscription.
Important
You need your own Azure subscription to complete the exercises in this module. If you don't
have an Azure subscription, you can still read along.
Create the resource group
Here you create a resource group that's named my-test-rg. This is the resource group to which
you'll apply your location policy.
For learning purposes, you use the same resource group name that you used in the previous
exercise. You can use the same name because you deleted the previous resource group.
Go to the Azure portal, and sign in.
Select Create a resource.
Enter resource group in the search box, and press Enter.
If you're taken to a search results pane, select Resource group from the results.
Select Create. Then, enter the following values for each setting.
Setting
Value
Subscription
(Your Azure subscription)
Subscription > Resource group
my-test-rg
Region
(US) East US
Select Review + create, and then select Create.
Explore predefined policies
Before you configure your location policy, let's take a brief look at some predefined policies. As
an example, you'll look at policies that relate to Azure Compute services.
From the Azure portal, at the top of the page, select Home to return to the start page.
At the top of the page, enter policy in the search bar. Then, select Policy from the list of results
to access Azure Policy.
Under Authoring, select Definitions.
From the Category dropdown list, select only Compute. Notice that the Allowed virtual machine
SKUs definition enables you to specify a set of virtual machine SKUs that your organization can

deploy.
As an optional step, explore any other policies or categories that interest you.
Configure the location policy
Here you configure the allowed location policy by using Azure Policy. Then you assign that
policy to your resource group. To do so:
From the Policy pane, under Authoring, select Assignments.
An assignment is a policy that has been assigned to take place within a specific scope. For
example, a definition could be assigned to the subscription scope.
Select Assign Policy.

You're taken to the Assign policy pane.

Under Scope, select the ellipsis.
From the dialog box that appears, set:
Subscription field to your Azure subscription.
Resource Group field to my-test-rg.
Select Select.
Under Policy definition, select the ellipsis.
In the search bar, enter location.
Select the Allowed locations definition.
Select Select.

This policy definition specifies the location into which all resources must be deployed. If a
different location is chosen, deployment will fail.
Select Next to move to the Parameters tab.
From the Allowed locations dropdown list, select East US.
Select Review + create, and then select Create.
You see that the Allowed locations policy assignment is now listed on the Policy |
Assignments pane. It enforces the policy on the my-test-rg resource group.

Verify the location policy

Here you attempt to add a storage account to your resource group at a location that violates
your location policy.
From the Azure portal, at the top of the page, select Home to return to the start page.
Select Create a resource.
Enter storage account in the search box, and press Enter.
If you're taken to a search results pane, select Storage account from the results.
Select Create. Then, enter the following values for each setting.
Note
Replace NNN with a series of numbers. Numbers help to ensure that your storage account
name is unique.
Setting
Value
Subscription
(Your Azure subscription)
Subscription > Resource group
my-test-rg
Storage account name
mysaNNN
Location
(Asia Pacific) Japan East
Performance
Standard
Account kind
StorageV2 (general purpose v2)
Redundancy
Locally redundant storage (LRS)
Access tier (default)
Hot
If you previously selected Japan East in your location policy, select a different region from the
list.
Select Review + create, and then select Create.
You see a message that states that the deployment failed because of the policy violation. You
also see the deployment details.
Here's an example that shows the deployment details for a storage account named mysa1234.

Delete the policy assignment

You no longer need your policy assignment. Here you remove it from your subscription.
From the Azure portal, select Home > Policy.
Under Authoring, select Assignments.
On the Allowed locations row, select the ellipsis. Then, select Delete assignment. When

prompted, select Yes.

You see that the Allowed locations policy assignment no longer exists.
As an optional step, you can try to create the storage account a second time to verify that the
policy is no longer in effect.
Delete the resource group
You no longer need your resource group. Here you remove it from your subscription.
From the Azure portal, select Home > Resource groups > my-test-rg to go to your resource
group.
Select Overview, and then select Delete resource group.
At the prompt, enter my-test-rg, and then select OK. The deletion operation might take a few
moments to complete.
After the operation completes, select Home > Resource groups. You see that the my-test-
rg resource group no longer exists in your account.
Great work! You've successfully applied a policy by using Azure Policy to restrict deployments of
Azure resources to specific locations. You can now apply the policies that you need at the
management group, subscription, or resource group level.
Govern multiple subscriptions by using Azure Blueprints
Completed100 XP
4 minutes
So far, you've explored a number of Azure features that can help you implement your
governance decisions, monitor the compliance of your cloud resources, and control access and
protect critical resources from accidental deletion.
What happens when your cloud environment starts to grow beyond just one subscription? How
can you scale the configuration of these features, knowing they need to be enforced for
resources in new subscriptions?
Instead of having to configure features like Azure Policy for each new subscription, with Azure
Blueprints you can define a repeatable set of governance tools and standard Azure resources
that your organization requires. In this way, development teams can rapidly build and deploy
new environments with the knowledge that they're building within organizational compliance
with a set of built-in components that speed the development and deployment phases.
Azure Blueprints orchestrates the deployment of various resource templates and other
artifacts, such as:
Role assignments
Policy assignments
Azure Resource Manager templates
Resource groups
Azure Blueprints in action
When you form a cloud center of excellence team or a cloud custodian team, that team can use
Azure Blueprints to scale their governance practices throughout the organization.
Implementing a blueprint in Azure Blueprints involves these three steps:
Create an Azure blueprint.
Assign the blueprint.
Track the blueprint assignments.
With Azure Blueprints, the relationship between the blueprint definition (what should be
deployed) and the blueprint assignment (what was deployed) is preserved. In other words,
Azure creates a record that associates a resource with the blueprint that defines it. This
connection helps you track and audit your deployments.
Blueprints are also versioned. Versioning enables you to track and comment on changes to your
blueprint.
What are blueprint artifacts?
Each component in the blueprint definition is known as an artifact.
It is possible for artifacts to have no additional parameters (configurations). An example is
the Deploy threat detection on SQL servers policy, which requires no additional configuration.
Artifacts can also contain one or more parameters that you can configure. The following
screenshot shows the Allowed locations policy. This policy includes a parameter that specifies
the allowed locations.

You can specify a parameter's value when you create the blueprint definition or when you
assign the blueprint definition to a scope. In this way, you can maintain one standard blueprint
but have the flexibility to specify the relevant configuration parameters at each scope where
the definition is assigned.
How will Tailwind Traders use Azure Blueprints for ISO 27001
compliance?
ISO 27001 is a standard that applies to the security of IT systems, published by the International
Organization for Standardization. As part of its quality process, Tailwind Traders wants to certify
that it complies with this standard. Azure Blueprints has several built-in blueprint definitions
that relate to ISO 27001.
As an IT administrator, you decide to investigate the ISO 27001: Shared Services
Blueprint definition. Here's an outline of your plan.
Define a management group that's named PROD-MG. Recall that a management group
manages access, policies, and compliance across multiple Azure subscriptions. Every new Azure
subscription is added to this management group when the subscription is created.
Create a blueprint definition that's based on the ISO 27001: Shared Services Blueprint template.
Then publish the blueprint.
Assign the blueprint to your PROD-MG management group.
The following image shows artifacts that are created when you run an ISO 27001 blueprint from
a template.

You see that the blueprint template contains policy assignments, Resource Manager templates,
and resource groups. The blueprint deploys these artifacts to any existing subscriptions within
the PROD-MG management group. The blueprint also deploys these artifacts to any new
subscriptions as they're created and added to the management group.
Accelerate your cloud adoption journey by using the Cloud Adoption Framework for Azure
Completed100 XP
3 minutes
The Cloud Adoption Framework for Azure provides you with proven guidance to help with your
cloud adoption journey. The Cloud Adoption Framework helps you create and implement the
business and technology strategies needed to succeed in the cloud.
Tailwind Traders needs to control its cloud environment so that it complies with several
industry standards, but it's not sure where to start. It has existing business requirements, and it
understands how these requirements relate to its on-premises workloads. These requirements
also must be met by any workloads it runs in the cloud.
You've been tasked with investigating what's available on Azure and to define and implement
the governance strategy for Tailwind Traders. You decide to start with the Cloud Adoption
Framework.
What's in the Cloud Adoption Framework?
As mentioned in the video, Cloud Adoption Framework consists of tools, documentation, and
proven practices. The Cloud Adoption Framework includes these stages:
Define your strategy.
Make a plan.
Ready your organization.
Adopt the cloud.
Govern and manage your cloud environments.

The govern stage focuses on cloud governance. You can refer back to the Cloud Adoption
Framework for recommended guidance as you build your cloud governance strategy.
To help build your adoption strategy, the Cloud Adoption Framework breaks out each stage into
further exercises and steps. Let's take a brief look at each stage.
Define your strategy
Here, you answer why you're moving to the cloud and what you want to get out of cloud
migration. Do you need to scale to meet demand or reach new markets? Will it reduce costs or
increase business agility? When you define your cloud business strategy, you should
understand cloud economics and consider business impact, turnaround time, global reach,
performance, and more.
Here are the steps in this stage.

Define and document your motivations: Meeting with stakeholders and leadership can help you
answer why you're moving to the cloud.

Document business outcomes: Meet with leadership from your finance, marketing, sales, and
human resource groups to help you document your goals.
Evaluate financial considerations: Measure objectives and identify the return expected from a
specific investment.

Understand technical considerations: Evaluate those technical considerations through the

selection and completion of your first technical project.
Make a plan
Here, you build a plan that maps your aspirational goals to specific actions. A good plan helps
ensure that your efforts map to the desired business outcomes.
Here are the steps in this stage.
Digital estate: Create an inventory of the existing digital assets and workloads that you plan to
migrate to the cloud.
Initial organizational alignment: Ensure that the right people are involved in your migration
efforts, both from a technical standpoint as well as from a cloud governance standpoint.

Skills readiness plan: Build a plan that helps individuals build the skills they need to operate in
the cloud.
Cloud adoption plan: Build a comprehensive plan that brings together the development,
operations, and business teams toward a shared cloud adoption goal.

Ready your organization

Here, you create a landing zone, or an environment in the cloud to begin hosting your
workloads.
Here are the steps in this stage.
Azure setup guide: Review the Azure setup guide to become familiar with the tools and
approaches you need to use to create a landing zone.

Azure landing zone: Begin to build out the Azure subscriptions that support each of the major
areas of your business. A landing zone includes cloud infrastructure as well as governance,
accounting, and security capabilities.
Expand the landing zone: Refine your landing zone to ensure that it meets your operations,
governance, and security needs.

Best practices: Start with recommended and proven practices to help ensure that your cloud
migration efforts are scalable and maintainable.
Adopt the cloud
Here, you begin to migrate your applications to the cloud. Along the way, you might find ways
to modernize your applications and build innovative solutions that use cloud services.
The Cloud Adoption Framework breaks this stage into two parts: migrate and innovate.
Migrate: Here are the steps in the migrate part of this stage.
Migrate your first workload: Use the Azure migration guide to deploy your first project to the
cloud.
Migration scenarios: Use additional in-depth guides to explore more complex migration
scenarios.

Best practices: Check in with the Azure cloud migration best practices checklist to verify that
you're following recommended practices.
Process improvements: Identify ways to make the migration process scale while requiring less
effort.

Innovate: Here are the steps in the innovate part of this stage.
Business value consensus: Verify that investments in new innovations add value to the business
and meet customer needs.

Azure innovation guide: Use this guide to accelerate development and build a minimum viable
product (MVP) for your idea.

Best practices: Verify that your progress maps to recommended practices before you move
forward.
Feedback loops: Check in frequently with your customers to verify that you're building what
they need.
Govern and manage your cloud environments
Here, you begin to form your cloud governance and cloud management strategies. As the cloud
estate changes over time, so do cloud governance processes and policies. You need to create
resilient solutions that are constantly optimized.
Govern: Here are the steps in the govern part of this stage.
Methodology: Consider your end state solution. Then define a methodology that incrementally
takes you from your first steps all the way to full cloud governance.

Benchmark: Use the governance benchmark tool to assess your current state and future state to
establish a vision for applying the framework.
Initial governance foundation: Create an MVP that captures the first steps of your governance
plan.

Improve the initial governance foundation: Iteratively add governance controls that address
tangible risks as you progress toward your end state solution.
Manage: Here are the steps in the manage part of this stage.

Establish a management baseline: Define your minimum commitment to operations

management. A management baseline is the minimum set of tools and processes that should be
applied to every asset in an environment.
Define business commitments: Document supported workloads to establish operational
commitments with the business and agree on cloud management investments for each workload.

Expand the management baseline: Apply recommended best practices to iterate on your initial
management baseline.
Advanced operations and design principles: For workloads that require a higher level of business
commitment, perform a deeper architecture review to deliver on your resiliency and reliability
commitments.
Create a subscription governance strategy
Completed100 XP
3 minutes
At the beginning of any cloud governance implementation, you identify a cloud organization
structure that meets your business needs. This step often involves forming a cloud center of
excellence team (also called a cloud enablement team or a cloud custodian team). This team is
empowered to implement governance practices from a centralized location for the entire
organization.
Teams often start their Azure governance strategy at the subscription level. There are three
main aspects to consider when you create and manage subscriptions: billing, access control,
and subscription limits.
Let's look at each of these aspects in more detail.
Billing
You can create one billing report per subscription. If you have multiple departments and need
to do a "chargeback" of cloud costs, one possible solution is to organize subscriptions by
department or by project.
Resource tags can also help. You'll explore tags later in this module. When you define how
many subscriptions you need and what to name them, take into account your internal billing
requirements.
Access control
A subscription is a deployment boundary for Azure resources. Every subscription is associated
with an Azure Active Directory tenant. Each tenant provides administrators the ability to set
granular access through defined roles by using Azure role-based access control.
When you design your subscription architecture, consider the deployment boundary factor. For
example, do you need separate subscriptions for development and for production
environments? With separate subscriptions, you can control access to each one separately and
isolate their resources from one another.
Subscription limits
Subscriptions also have some resource limitations. For example, the maximum number of
network Azure ExpressRoute circuits per subscription is 10. Those limits should be considered
during your design phase. If you'll need to exceed those limits, you might need to add more
subscriptions. If you hit a hard limit maximum, there's no flexibility to increase it.
Management groups are also available to assist with managing subscriptions. A management
group manages access, policies, and compliance across multiple Azure subscriptions. You'll
learn more about management groups later in this module.
Explore compliance terms and requirements
Completed100 XP
5 minutes
In this unit, you learn about the types of compliance offerings that are available on Azure.
As Tailwind Traders moves to running its applications in the cloud, it wants to know how Azure
adheres to applicable regulatory compliance frameworks. The company asks:
How compliant is Azure when it comes to handling personal data?
How compliant are each of Azure's individual services?
Microsoft's online services build upon a common set of regulatory and compliance controls.
Think of a control as a known good standard that you can compare your solution against to
ensure security. These controls address today's regulations and adapt as regulations evolve.
Which compliance categories are available on Azure?
Although there are many more, the following image shows some of the more popular
compliance offerings that are available on Azure. These offerings are grouped under four
categories: Global, US Government, Industry, and Regional.

To get a sense of the variety of the compliance offerings available on Azure, let's take a closer
look at a few of them.
While not all of these compliance offerings will be relevant to you or your team, they show that
Microsoft's commitment to compliance is comprehensive, ongoing, and independently tested
and verified.
Criminal Justice Information Service
Any US state or local agency that wants to access the FBI's Criminal Justice Information Services
(CJIS) database is required to adhere to the CJIS Security Policy.
Azure is the only major cloud provider that contractually commits to conformance with the CJIS
Security Policy. Microsoft adheres to the same requirements that law enforcement and public
safety entities must meet.
Cloud Security Alliance STAR Certification
Azure, Intune, and Microsoft Power BI have obtained Cloud Security Alliance (CSA) STAR
Certification, which involves a rigorous independent third-party assessment of a cloud
provider's security posture.
STAR Certification is based on achieving International Organization of Standards/International
Electrotechnical Commission (ISO/IEC) 27001 certification and meeting criteria specified in the
Cloud Controls Matrix (CCM). This certification demonstrates that a cloud service provider:
Conforms to the applicable requirements of ISO/IEC 27001.
Has addressed issues critical to cloud security as outlined in the CCM.
Has been assessed against the STAR Capability Maturity Model for the management of activities
in CCM control areas.
European Union Model Clauses
Microsoft offers customers European Union (EU) Standard Contractual Clauses that provide
contractual guarantees around transfers of personal data outside of the EU.
Microsoft is the first company to receive joint approval from the EU's Article 29 Working Party
that the contractual privacy protections Azure delivers to its enterprise cloud customers meet
current EU standards for international transfers of data. Meeting this standard ensures that
Azure customers can use Microsoft services to move data freely through Microsoft's cloud,
from Europe to the rest of the world.
Health Insurance Portability and Accountability Act
The Health Insurance Portability and Accountability Act (HIPAA) is a US federal law that
regulates patient Protected Health Information (PHI).
Azure offers customers a HIPAA Business Associate Agreement (BAA), which stipulates
adherence to certain security and privacy provisions in HIPAA and the HITECH Act. To assist
customers in their individual compliance efforts, Microsoft offers a BAA to Azure customers as a
contract addendum.
International Organization of Standards/International Electrotechnical Commission
27018
Microsoft is the first cloud provider to have adopted the ISO/IEC 27018 code of practice, which
covers the processing of personal information by cloud service providers.
Multi-Tier Cloud Security Singapore
After rigorous assessments conducted by the Multi-Tier Cloud Security (MTCS) Certification
Body, Microsoft cloud services received MTCS 584:2013 Certification across all three service
classifications:
Infrastructure as a service (IaaS)
Platform as a service (PaaS)
Software as a service (SaaS)
Microsoft is the first global cloud solution provider to receive this certification across all three
classifications.
Service Organization Controls 1, 2, and 3
Microsoft-covered cloud services are audited at least annually against the Service Organization
Controls (SOC) report framework by independent third-party auditors.
The Microsoft cloud services audit covers controls for data security, availability, processing
integrity, and confidentiality as applicable to in-scope trust principles for each service.
National Institute of Standards and Technology Cybersecurity Framework
National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) is a
voluntary framework that consists of standards, guidelines, and best practices to manage
cybersecurity-related risks.
Microsoft cloud services have undergone independent, third-party Federal Risk and
Authorization Management Program (FedRAMP) Moderate and High Baseline audits. Microsoft
cloud services certified according to the FedRAMP standards.
Additionally, through a validated assessment performed by the Health Information Trust
Alliance (HITRUST), a leading security and privacy standards development and accreditation
organization, Office 365 is certified to the objectives specified in the NIST CSF.
United Kingdom Government G-Cloud
The United Kingdom (UK) Government G-Cloud is a cloud computing certification for services
used by government entities in the United Kingdom. Azure has received official accreditation
from the UK government.
Access the Microsoft Privacy Statement, the Online Services Terms, and the Data Protection Addendum
Completed100 XP
3 minutes
In this part, you learn how the Microsoft Privacy Statement, the Online Services Terms, and the
Data Protection Addendum explain the personal data Microsoft collects, how Microsoft uses it,
and for what purposes.
For Tailwind Traders, understanding Microsoft's commitment to privacy helps ensure that their
customer and application data will be protected.
Watch the following video to see an overview on how Microsoft runs on trust.
Let's continue with a brief look at the Microsoft Privacy Statement and where to find it.
What's in the Microsoft Privacy Statement?
The Microsoft Privacy Statement explains what personal data Microsoft collects, how Microsoft
uses it, and for what purposes.
The privacy statement covers all of Microsoft's services, websites, apps, software, servers, and
devices. This list ranges from enterprise and server products to devices that you use in your
home to software that students use at school.
Microsoft's privacy statement also provides information that's relevant to specific products
such as Windows and Xbox.
What's in the Online Services Terms?
The Online Services Terms (OST) is a legal agreement between Microsoft and the customer. The
OST details the obligations by both parties with respect to the processing and security of
customer data and personal data. The OST applies specifically to Microsoft's online services that
you license through a subscription, including Azure, Dynamics 365, Office 365, and Bing Maps.
What is the Data Protection Addendum?
The Data Protection Addendum (DPA) further defines the data processing and security terms
for online services. These terms include:
Compliance with laws.
Disclosure of processed data.
Data Security, which includes security practices and policies, data encryption, data access,
customer responsibilities, and compliance with auditing.
Data transfer, retention, and deletion.
To access the DPA:
Go to the Licensing Terms and Documentation.
In the search bar, enter DPA.
From the search results, locate the link to the DPA in your preferred language. Alternatively, in
the search bar that appears, enter your preferred language to filter the results. Here's an
example that retrieves the English version of the DPA.

Transparency is important when it comes to how a cloud provider communicates its privacy
policies and how it treats your data. The Microsoft Privacy Statement, the OST, and the DPA
detail Microsoft's commitment to protecting data and privacy in the cloud.
Explore the Trust Center
Completed100 XP
3 minutes
Tailwind Traders needs to stay up to date on the latest security standards for protecting its
data. Today, the security team needs to verify whether Azure meets ISO 27001, a commonly
used information security standard. Where can the company access this information?
The Trust Center showcases Microsoft's principles for maintaining data integrity in the cloud
and how Microsoft implements and supports security, privacy, compliance, and transparency in
all Microsoft cloud products and services. The Trust Center is an important part of the Microsoft
Trusted Cloud Initiative and provides support and resources for the legal and compliance
community.

The Trust Center provides:

In-depth information about security, privacy, compliance offerings, policies, features, and
practices across Microsoft cloud products.
Additional resources for each topic.
Links to the security, privacy, and compliance blogs and upcoming events.
The Trust Center is a great resource for other people in your organization who might play a role
in security, privacy, and compliance. These people include business managers, risk assessment
and privacy officers, and legal compliance teams.
Explore the Trust Center
As an optional exercise, let's take a brief look at the Trust Center's entry for ISO 27001.
Access to the Trust Center doesn't require an Azure subscription or a Microsoft account.
Go to the Trust Center.
Locate the Additional resources section on the page. Under Compliance offerings, select Learn
more.

Under the Regulatory & industry compliance section, click Microsoft compliance offerings.
You're taken to Microsoft compliance offerings.
The offerings are grouped into four categories: Global, US Government, Industry, and Regional.
Under Global, select ISO 27001.
The ISO 27001 Information Security Management Standards page is typical of the type of
compliance information we provide.
Briefly review the documentation for ISO/IEC 27001.
You see:
An overview of the standard.
Which cloud services are in scope.
An overview of the audit cycle and links to audit reports.
Answers to frequently asked questions.
Additional resources and white papers.
The areas of documentation for other compliance offerings will vary, but this format is the
typical one that you'll find.
Access Azure compliance documentation
Completed100 XP
4 minutes
Here, you learn how to access detailed documentation about legal and regulatory standards
and compliance on Azure.
E-commerce is an important part of Tailwind Traders' sales strategy. Its online retail
store enables customers to easily browse and order products. Customers typically pay by credit
card, so Tailwind Traders has a responsibility under the Payment Card Industry (PCI) Data
Security Standard (DSS). This global standard, known as PCI DSS, seeks to prevent fraud through
increased control of credit card data. The standard applies to any organization that stores,
processes, or transmits payment and cardholder data.
You've been tasked with investigating whether hosting the company's e-commerce application
on Azure would be compliant with PCI DSS. You start with the Azure compliance
documentation.
What is the Azure compliance documentation?
The Azure compliance documentation provides you with detailed documentation about legal
and regulatory standards and compliance on Azure.
Here you find compliance offerings across these categories:
Global
US government
Financial services
Health
Media and manufacturing
Regional
There are also additional compliance resources, such as audit reports, privacy information,
compliance implementations and mappings, and white papers and analyst reports. Country and
region privacy and compliance guidelines are also included. Some resources might require you
to be signed in to your cloud service to access them.
Examine PCI DSS compliance
The legal team at Tailwind Traders wants to learn more about how PCI DSS relates to the
company's e-commerce application on Azure.
As an optional exercise, here you follow along.
Go to the Azure compliance documentation.
Under Financial services, select PCI DSS.
There you see:
An overview of the PCI DSS standard.
How PCI DSS applies to Microsoft.
Which cloud services are in scope.
An overview of the audit cycle.
Answers to frequently asked questions.
Additional resources and white papers.
Access additional compliance resources
From the Azure compliance documentation, you can access additional compliance resources.
For example, from the Audit reports section, you find a link to audit reports for PCI DSS.
From there, you can access several different files, including the Attestation of Compliance
reports and the PCI DSS Shared Responsibility Matrix.
Under Compliance blueprints, you find reference blueprints, or policy definitions, for common
standards that you can apply to your Azure subscription. The PCI DSS blueprint deploys a core
set of policies that map to PCI DSS compliance and help you govern your Azure workloads
against this standard.
You can then see if the Azure resources in your application architecture have been configured
correctly for PCI DSS compliance, or which resources you need to remediate.
Because standards evolve, the Tailwind Traders team might check the audit report periodically
to ensure that Azure has any recent changes.
What is Azure Government?
Completed100 XP
2 minutes
Azure Government is a separate instance of the Microsoft Azure service. It addresses the
security and compliance needs of US federal agencies, state and local governments, and their
solution providers. Azure Government offers physical isolation from non-US government
deployments and provides screened US personnel.

Azure Government services handle data that is subject to certain government regulations and
requirements:
Federal Risk and Authorization Management Program (FedRAMP)
National Institute of Standards and Technology (NIST) 800.171 Defense Industrial Base (DIB)
International Traffic in Arms Regulations (ITAR)
Internal Revenue Service (IRS) 1075
Department of Defense (DoD) L4
Criminal Justice Information Service (CJIS)
To provide the highest level of security and compliance, Azure Government uses physically
isolated datacenters and networks located only in the US. Azure Government customers, such
as the US federal, state, and local government or their partners, are subject to validation of
eligibility.
Azure Government provides the broadest compliance and Level 5 DoD approval. Azure
Government is available in eight geographies and offers the most compliance certifications of
any cloud provider.
What is Azure China 21Vianet?
Completed100 XP
2 minutes
Azure China 21Vianet is operated by 21Vianet. It's a physically separated instance of cloud
services located in China. Azure China 21Vianet is independently operated and transacted by
Shanghai Blue Cloud Technology Co., Ltd. ("21Vianet"), a wholly owned subsidiary of Beijing
21Vianet Broadband Data Center Co., Ltd.
According to the China Telecommunication Regulation, providers of cloud services,
infrastructure as a service (IaaS) and platform as a service (PaaS), must have value-added
telecom permits. Only locally registered companies with less than 50 percent foreign
investment qualify for these permits. To comply with this regulation, the Azure service in China
is operated by 21Vianet, based on the technologies licensed from Microsoft.

As the first foreign public cloud service provider offered in China in compliance with
government regulations, Azure China 21Vianet provides world-class security as discussed on
the Trust Center, as required by Chinese regulations for all systems and applications built on its
architecture.
Azure products and services available in China
The Azure services are based on the same Azure, Office 365, and Power BI technologies that
make up the Microsoft global cloud service, with comparable service levels. Azure agreements
and contracts in China, where applicable, are signed between customers and 21Vianet.
Azure includes the core components of IaaS, PaaS, and software as a service (SaaS). These
components include network, storage, data management, identity management, and many
other services.
Azure China 21Vianet supports most of the same services that global Azure has, such as
geosynchronous data replication and autoscaling. Even if you already use global Azure services,
to operate in China you might need to rehost or refactor some or all your applications or
services.
Compare costs by using the Total Cost of Ownership Calculator
Completed100 XP
5 minutes
Before Tailwind Traders takes its next steps toward migrating to the cloud, it wants to better
understand what it spends today in its datacenter.
Having a firm understanding of where the company is today will give it a greater sense of what
cloud migration means in terms of cost.
In this unit, you'll see how the Total Cost of Ownership (TCO) Calculator can help you compare
the cost of running in the datacenter versus running on Azure.
What's the TCO Calculator?
The TCO Calculator helps you estimate the cost savings of operating your solution on Azure
over time compared to operating in your on-premises datacenter.
The term total cost of ownership is used commonly in finance. It can be hard to see all the
hidden costs related to operating a technology capability on-premises. Software licenses and
hardware are additional costs.
With the TCO Calculator, you'll enter the details of your on-premises workloads. Then you can
review the suggested industry-average cost (which you can adjust) for related operational
costs. These costs include electricity, network maintenance, and IT labor. You're then presented
with a side-by-side report. Using the report, you can compare those costs with the same
workloads running on Azure.
The following image shows one example:

Note
You don't need an Azure subscription to work with the TCO Calculator.
How does the TCO Calculator work?
Working with the TCO Calculator involves three steps:
Define your workloads
Adjust assumptions
View the report

Let's take a closer look at each step.

Step 1: Define your workloads
First, you'll enter the specifications of your on-premises infrastructure into the TCO Calculator,
based on these four categories:
Servers
This category includes operating systems, virtualization methods, CPU cores, and memory
(RAM).
Databases
This category includes database types, server hardware, and the Azure service you want to use,
which includes the expected maximum concurrent user sign-ins.
Storage
This category includes storage type and capacity, which includes any backup or archive storage.
Networking
This category includes the amount of network bandwidth you currently consume in your on-
premises environment.
Step 2: Adjust assumptions
Next, you'll specify whether your current on-premises licenses are enrolled for Software
Assurance, which can save you money by reusing those licenses on Azure. You'll also specify
whether you need to replicate your storage to another Azure region for greater redundancy.
Then, you can see the key operating cost assumptions across several different areas, which will
vary among teams and organizations. These costs have been certified by Nucleus Research, an
independent research company. For example, these costs include:
Electricity price per kilowatt hour (KWh)
Hourly pay rate for IT administration
Network maintenance cost as a percentage of network hardware and software costs
To improve the accuracy of the TCO Calculator results, you can adjust the values so that they
match the costs of your current on-premises infrastructure.
Step 3: View the report
Choose a timeframe between one and five years. the TCO Calculator generates a report that's
based on the information you've entered. Here's an example:

For each category (compute, datacenter, networking, storage, and IT labor), you can also view a
side-by-side comparison of the cost breakdown of operating those workloads on-premises
versus operating them on Azure. Here's an example:

You can download, share, or save this report to review later.

In the next unit, you'll use the TCO Calculator to help the Tailwind Traders team understand
their total costs.
Exercise - Compare sample workload costs by using the TCO Calculator
Completed100 XP
6 minutes
In this exercise, you'll use the Total Cost of Ownership (TCO) Calculator to compare the cost of
running a sample workload in the datacenter versus on Azure.
Tailwind Traders is interested in moving some of its on-premises workloads to the cloud. But
first, the Chief Financial Officer wants to understand more about moving from a relatively fixed-
cost structure to an ongoing monthly cost structure.
You've been tasked to investigate whether there are any potential cost savings in moving your
European datacenter to the cloud over the next three years. You need to take into account all
of the potentially hidden costs involved with operating on-premises and in the cloud.
Instead of manually collecting everything you think might be included, you can use the TCO
Calculator as a starting point. You can adjust the provided cost assumptions to match Tailwind
Traders' on-premises environment.
Note
Remember, you don't need an Azure subscription to work with the TCO Calculator.
Let's say that:
Tailwind Traders runs two sets, or banks, of 50 virtual machines (VMs) in each bank
The first bank of VMs runs Windows Server under Hyper-V virtualization
The second bank of VMs runs Linux under VMware virtualization
There's also a storage area network (SAN) with 60 terabytes (TB) of disk storage
You consume an estimated 15 TB of outbound network bandwidth each month
There are also a number of databases involved, but for now, you'll omit those details
Recall that the TCO Calculator involves three steps:

Let's see how Tailwind Traders' existing workloads compare in the datacenter versus on Azure.
Define your workloads
Enter the specifications of your on-premises infrastructure into the TCO Calculator.
Go to the TCO Calculator.
Under Define your workloads, select Add server workload to create a row for your bank of
Windows Server VMs.
Under Servers, set the value for each of these settings:
Setting Value
Name Servers: Windows VMs
Workload Windows/Linux Server
Environment Virtual Machines
Operating system Windows
VMs 50
Virtualization Hyper-V
Core(s) 8
RAM (GB) 16
Optimize by CPU
Windows Server 2008/2008 R2 Off
Select Add server workload to create a second row for your bank of Linux VMs. Then specify
these settings:
Setting Value
Name Servers: Linux VMs
Workload Windows/Linux Server
Environment Virtual Machines
Operating system Linux
VMs 50
Virtualization VMware
Core(s) 8
RAM (GB) 16
Optimize by CPU
Under Storage, select Add storage. Then specify these settings:
Setting Value
Name Server Storage
Storage type Local Disk/SAN
Disk type HDD
Capacity 60 TB
Backup 120 TB
Archive 0 TB
Under Networking, set Outbound bandwidth to 15 TB.
Select Next.
Adjust assumptions
Here, you'll specify your currency. For brevity, you can leave the remaining fields at their
default values.
In practice, you would adjust any cost assumptions and make any adjustments to match your
current on-premises environment.
At the top of the page, select your currency. This example uses US Dollar ($).
Select Next.
View the report
Take a moment to review the generated report.
Remember, you've been tasked to investigate cost savings for your European datacenter over
the next three years.
To make these adjustments:
Set Timeframe to 3 Years.
Set Region to North Europe.
Scroll to the summary at the bottom. You'll see a comparison of running your workloads in the
datacenter versus on Azure. The prices you see might differ, but here's an example of the cost
savings you might expect.

Select Download to download or print a copy of the report in PDF format.

Great work. You now have the information that you can share with your Chief Financial Officer.
If you need to make adjustments, you can revisit the TCO Calculator to generate a fresh report.
Purchase Azure services
Completed100 XP
8 minutes
In this unit, you'll learn how to purchase Azure services and get a sense for other factors that
affect cost.
You meet with your Chief Financial Officer and some of the team leads and learn about some
assumptions you've missed. You were able to quickly update your total estimated spend
through the Total Cost of Ownership (TCO) Calculator.
During the meeting, some new questions arose as the discussion moves toward cloud
migration:
What types of Azure subscriptions are available?
How do we purchase Azure services?
Does location or network traffic effect cost?
What other factors affect the final cost?
How can we get a more detailed estimate of the cost to run on Azure?
It's important to learn how costs are generated in Azure so that you can understand how your
purchasing and solution-design decisions can affect your final cost. You've agreed to research
these questions, so let's review each one in greater detail.
What types of Azure subscriptions can I use?
You probably know that an Azure subscription provides you with access to Azure resources such
as virtual machines (VMs), storage, and databases. The types of resources you use affect your
monthly bill.
Azure offers both free and paid subscription options to fit your needs and requirements. They
are:
Free trial
A free trial subscription provides you with 12 months of popular free services, a credit to
explore any Azure service for 30 days, and more than 25 services that are always free. Your
Azure services are disabled when the trial ends or when your credit expires for paid products,
unless you upgrade to a paid subscription.
Pay-as-you-go
A pay-as-you-go subscription lets you pay for what you use by attaching a credit or debit card to
your account. Organizations can apply for volume discounts and prepaid invoicing.
Member offers
Your existing membership to certain Microsoft products and services might provide you with
credits for your Azure account, and reduced rates on Azure services. For example, member
offers are available to Visual Studio subscribers, Microsoft Partner Network members,
Microsoft for Startups members, and Microsoft Imagine members.
How do I purchase Azure services?
There are three main ways to purchase services on Azure. They are:
Through an Enterprise Agreement
Larger customers, known as enterprise customers, can sign an Enterprise Agreement with
Microsoft. This agreement commits them to spending a predetermined amount on Azure
services over a period of three years. The service fee is typically paid annually. As an Enterprise
Agreement customer, you'll receive the best customized pricing based on the kinds and
amounts of services you plan on using.
Directly from the web
Here, you can purchase Azure services directly from the Azure portal website and pay standard
prices. You're billed monthly, either as a credit card payment or through an invoice. This
purchasing method is known as Web Direct.
Through a Cloud Solution Provider
A Cloud Solution Provider (CSP) is a Microsoft Partner that helps you build solutions on top of
Azure. Your CSP bills you for your Azure usage at a price they determine. They also answer your
support questions and escalate them to Microsoft, as needed.
You can bring up, or provision, Azure resources from the Azure portal or from the command
line. The Azure portal arranges products and services by category. You can select the services
that fit your needs. Your account is billed according to Azure's "pay for what you use" model.
Here's an example that shows the Azure portal.

At the end of each month, you're billed for what you've used. At any time, you can check the
Cost Management + Billing page in the Azure portal to get a summary of your current usage and
review invoices from prior months.
What factors affect cost?
The way you use resources, your subscription type, and pricing from third-party vendors are
common factors. Let's take a quick look at each.
Resource type
A number of factors influence the cost of Azure resources. They depend on the type of resource
or how you customize it.
For example: with a storage account, you'll specify a type (such as block blob storage or table
storage), a performance tier (standard or premium), and an access tier (hot, cool, or archive).
These selections present different costs.
Usage meters
When you provision a resource, Azure creates meters to track that resource's usage. Azure uses
these meters to generate a usage record that's later used to help calculate your bill.
Think of usage meters as similar to how you use electricity or water in your home. You might
pay a base price each month for electricity or water service, but your final bill is based on the
total amount that you consumed.
Let's look at a single VM as an example. The following kinds of meters are relevant to tracking
its usage:
Overall CPU time
Time spent with a public IP address
Incoming (ingress) and outgoing (egress) network traffic in and out of the VM
Disk size and amount of disk read and disk write operations
Each meter tracks a specific type of usage. For example, a meter might track bandwidth usage
(ingress or egress network traffic in bits per second), number of operations, or its size (storage
capacity in bytes).
The usage that a meter tracks correlates to a quantity of billable units. Those units are charged
to your account for each billing period. The rate per billable unit depends on the resource type
you're using.
Resource usage
In Azure, you're always charged based on what you use. As an example, let's look at how this
billing applies to deallocating a VM.
In Azure, you can delete or deallocate a VM. Deleting a VM means that you no longer need it.
The VM is removed from your subscription, then it's prepared for another customer.
Deallocating a VM means that the VM is no longer running, but the associated hard disks and
data are still kept in Azure. The VM isn't assigned to a CPU or network in Azure's datacenter, so
it doesn't generate the costs associated with compute time or the VM's IP address. Because the
disks and data are still stored, and the resource is present in your Azure subscription, you're still
billed for disk storage.
Deallocating a VM when you don't plan on using it for some time is just one way to minimize
costs. For example, you might deallocate the VMs you use for testing purposes on weekends
when your testing team isn't using them. You'll learn more about ways to minimize cost later in
this module.
Azure subscription types
Some Azure subscription types also include usage allowances, which affect costs.
For example, an Azure free trial subscription provides access to a number of Azure products
that are free for 12 months. It also includes credit to spend within your first 30 days of sign-up.
You also get access to more than 25 products that are always free (based on resource and
region availability).
Azure Marketplace
You can also purchase Azure-based solutions and services from third-party vendors through
Azure Marketplace. Examples include managed network firewall appliances or connectors to
third-party backup services. Billing structures are set by the vendor.
Does location or network traffic affect cost?
When you provision a resource in Azure, you need to define the location (known as the Azure
region) of where it will be deployed. Let's see why this decision can have cost consequences.
Location
Azure infrastructure is distributed globally, which lets you deploy your services centrally or
provision your services closest to where your customers use them.
Different regions can have different associated prices. Because geographic regions can affect
where your network traffic flows, network traffic is a cost influence to consider as well.
For example, say Tailwind Traders decides to provision its Azure resources in the Azure regions
that offer the lowest prices. That decision would save the company some money. However, if
they need to transfer data between those regions, or if their users are located in different parts
of the world, any potential savings could be offset by the additional network-usage costs of
transferring data between those resources.
Zones for billing of network traffic
Billing zones are a factor in determining the cost of some Azure services.
Bandwidth refers to data moving in and out of Azure datacenters. Some inbound data transfers
(data going into Azure datacenters) are free. For outbound data transfers (data leaving Azure
datacenters), data transfer pricing is based on zones.

A zone is a geographical grouping of Azure regions for billing purposes. The following zones
include some of the regions as shown here:
Zone 1: Australia Central, West US, East US, Canada West, West Europe, France Central, and
others
Zone 2: Australia East, Japan West, Central India, Korea South, and others
Zone 3: Brazil South, South Africa North, South Africa West, UAE Central, UAE North
DE Zone 1: Germany Central, Germany Northeast
How can I estimate the total cost?
As you've learned, an accurate cost estimate takes all of the preceding factors into account.
Fortunately, the Azure Pricing calculator helps you with that process.
The Pricing calculator displays Azure products in categories. You can add these categories to
your estimate and configure according to your specific requirements. You'll then receive a
consolidated estimated price, with a detailed breakdown of the costs associated with each
resource you added to your solution. You can export or share that estimate or save it for later.
You can load a saved estimate and modify it to match updated requirements.
You also can access pricing details, product details, and documentation for each product from
within the Pricing calculator.
The options you can configure in the Pricing calculator vary between products, but can include:
Region
A region is the geographical location in which you can provision a service. Southeast Asia,
Central Canada, Western United States, and Northern Europe are a few examples.
Tier
Tiers, such as the Free tier or Basic tier, have different levels of availability or performance and
different associated costs.
Billing options
Billing options highlight the different ways you can pay for a service. Options can vary based on
your customer type and subscription type, and can include options to save costs.
Support options
These options let you select additional support pricing options for certain services.
Programs and offers
Your customer or subscription type might allow you to choose from specific licensing programs
or other offers.
Azure Dev/Test pricing
This option lists the available prices for development and test workloads. Dev/Test pricing
applies when you run resources within an Azure subscription that's based on a Dev/Test offer.
Keep in mind that the Pricing calculator provides estimates and not actual price quotes. Actual
prices can vary depending upon the date of purchase, the payment currency you're using, and
the type of Azure customer you are.
Exercise - Estimate workload cost by using the Pricing calculator
Completed100 XP
6 minutes
In this exercise, you'll use the Pricing calculator to estimate the cost of running a basic web
application on Azure.
With an understanding of the more important cost factors associated with running on Azure,
Tailwind Traders wants to take a typical workload and estimate how much it would cost each
month to run it on Azure.
The IT Manager at Tailwind Traders is faced with the decision about whether to replace some
aging on-premises hardware or move the application to Azure. The company needs to know
how much the ongoing monthly cost of the solution in Azure would be.
Let's start by defining which Azure services you need.
Note
The Pricing calculator is for information purposes only. The prices are only an estimate, and you
won't be charged for any services you select.
Define your requirements
Before you run the Pricing calculator, you first need a sense of what Azure services you need.
You've met with the application development team to discuss their migration project. In their
datacenter, the team has an ASP.NET web application that runs on Windows. The web
application provides information about product inventory and pricing. They have two virtual
machines that are connected through a central load balancer. The web application connects to
a SQL Server database that holds inventory and pricing information.
The team decides to:
Use Azure Virtual Machines instances, similar to the virtual machines they use in the datacenter
Use Azure Application Gateway for load balancing
Use Azure SQL Database to hold inventory and pricing information
Here's a diagram that shows the basic configuration:

In practice, you would define your requirements in greater detail. But here are some basic facts
and requirements that came up during the meeting:
Tailwind Traders employees use the application at their retail stores. It's not accessible to
customers.
This application doesn't require a massive amount of computing power.
The virtual machines and the database run all the time (730 hours per month).
The network processes about 1 TB of data per month.
The database doesn't need to be configured for high-performance workloads and requires no
more than 32 GB of storage.
Explore the Pricing calculator
Let's start with a quick tour of the Pricing calculator.
Go to the Pricing calculator.
Notice the following tabs:

Products
This is where you can choose the Azure services that you want to include in your estimate.
You'll likely spend most of your time here.
Example Scenarios
Here you'll find several reference architectures, or common cloud-based solutions that you can
use as a starting point.
Saved Estimates
Here you'll find your previously saved estimates.
FAQ
Here you'll discover answers to frequently asked questions about the Pricing calculator.
Estimate your solution
Here you'll add each Azure service that you need to the calculator. Then you configure each
service to fit your needs.
Tip
Make sure you have a clean calculator with nothing listed in the estimate. You can reset the
estimate by selecting the trash can icon next to each item.
Add services to the estimate
On the Products tab, select the service from each of these categories:
Category Service
Compute Virtual Machines
Databases Azure SQL Database
Networking Application Gateway
Scroll to the bottom of the page. You'll see that each service is listed with its default
configuration.

Configure services to match your requirements

Under Virtual Machines, set these values:
Setting Value
Region West US
Operating system Windows
Type (OS Only)
Tier Standard
Instance D2 v3
Virtual machines 2 x 730 Hours
Leave the remaining settings at their current values.
Under Azure SQL Database, set these values:
Setting Value
Region West US
Type Single Database
Backup storage tier RA-GRS
Purchase model vCore
Service tier General Purpose
Compute tier Provisioned
Generation Gen 5
Instance 8 vCore
Leave the remaining settings at their current values.
Under Application Gateway, set these values:
 Setting Value
Region West US
Tier Web Application Firewall
Size Medium
Gateway hours 2 x 730 Hours
Data processed 1 TB
Outbound data transfer 5 GB
Leave the remaining settings at their current values.
Review, share, and save your estimate
At the bottom of the page, you'll see the total estimated cost of running the solution. You can
change the currency type if you want.

At this point, you have a few options:

Select Export to save your estimate as an Excel document
Select Save or Save as to save your estimate to the Saved Estimates tab for later
Select Share to generate a URL so you can share the estimate with your team
You now have a cost estimate that you can share with your team. You can make adjustments as
you discover any changes to your requirements.
Experiment with some of the options you worked with here, or create a purchase plan for a
workload you want to run on Azure.
Manage and minimize total cost on Azure
Completed100 XP
11 minutes
As a home improvement retailer, the proverb "measure twice, cut once" is fitting for the team
at Tailwind Traders.
Here are some recommended practices that can help you minimize your costs.
Understand estimated costs before you deploy
To help you plan your solution on Azure, carefully consider the products, services, and
resources you need. Read the relevant documentation to understand how each of your choices
is metered and billed.
Calculate your projected costs by using the Pricing calculator and the Total Cost of Ownership
(TCO) Calculator. Only add the products, services, and resources that you need for your
solution.
Use Azure Advisor to monitor your usage
Ideally, you want your provisioned resources to match your actual usage.
Azure Advisor identifies unused or underutilized resources and recommends unused resources
that you can remove. This information helps you configure your resources to match your actual
workload.
The following image shows some example recommendations from Azure Advisor:

Recommendations are sorted by impact: high, medium, or low. In some cases, Azure Advisor
can automatically remediate, or fix, the underlying problem. Other issues, such as the two that
are listed as high impact, require human intervention.
Use spending limits to restrict your spending
If you have a free trial or a credit-based Azure subscription, you can use spending limits to
prevent accidental overrun.
For example, when you spend all the credit included with your Azure free account, Azure
resources that you deployed are removed from production and your Azure virtual machines
(VMs) are stopped and deallocated. The data in your storage accounts is available as read-only.
At this point, you can upgrade your free trial subscription to a pay-as-you-go subscription.
If you have a credit-based subscription and you reach your configured spending limit, Azure
suspends your subscription until a new billing period begins.
A related concept is quotas, or limits on the number of similar resources you can provision
within your subscription. For example, you can allocate up to 25,000 VMs per region. These
limits mainly help Microsoft plan its datacenter capacity.
Use Azure Reservations to prepay
Azure Reservations offers discounted prices on certain Azure services. Azure Reservations can
save you up to 72 percent as compared to pay-as-you-go prices. To receive a discount, you can
reserve services and resources by paying in advance.
For example, you can prepay for one year or three years of use of VMs, database compute
capacity, database throughput, and other Azure resources.
The following example shows estimated savings on VMs. In this example, you save an estimated
72 percent by committing to a three-year term.

Azure Reservations are available to customers with an Enterprise Agreement, Cloud Solution
Providers, and pay-as-you-go subscriptions.
Choose low-cost locations and regions
The cost of Azure products, services, and resources can vary across locations and regions. If
possible, you should use them in those locations and regions where they cost less.
But remember, some resources are metered and billed according to how much outgoing
(egress) network bandwidth they consume. You should provision connected resources that are
metered by bandwidth in the same Azure region to reduce egress traffic between them.
Research available cost-saving offers
Keep up to date with the latest Azure customer and subscription offers, and switch to offers
that provide the greatest cost-saving benefit.
Use Microsoft Cost Management + Billing to control spending
Cost Management is a free service that helps you understand your Azure bill, manage your
account and subscriptions, monitor and control Azure spending, and optimize resource use.
The following image shows current usage broken down by service:

In this example, Azure App Service, a web application hosting service, generates the greatest
cost.
Cost Management features include:
Reporting
Use historical data to generate reports and forecast future usage and expenditure.
Data enrichment
Improve accountability by categorizing resources with tags that correspond to real-world
business and organizational units.
Budgets
Create and manage cost and usage budgets by monitoring resource demand trends,
consumption rates, and cost patterns.
Alerting
Get alerts based on your cost and usage budgets.
Recommendations
Receive recommendations to eliminate idle resources and to optimize the Azure resources you
provision.
Apply tags to identify cost owners
Tags help you manage costs associated with the different groups of Azure products and
resources. You can apply tags to groups of Azure resources to organize billing data.
For example, if you run several VMs for different teams, you can use tags to categorize costs by
department, such as Human Resources, Marketing, or Finance; or by environment, such as Test
or Production.
Tags make it easier to identify groups that generate the biggest Azure costs, which can help you
adjust your spending accordingly.
The following image shows a year's worth of usage broken down by tags on the Cost
Management page:

Resize underutilized virtual machines

A common recommendation that you'll find from Cost Management and Azure Advisor is to
resize or shut down VMs that are underutilized or idle.
As an example, say you have a VM whose size is Standard_D4_v4, a general-purpose VM type
with four vCPUs and 16 GB of memory. You might discover that this VM is idle 90 percent of the
time.
Virtual machine costs are linear and double for each size larger in the same series. So in this
case, if you reduce the VM's size from Standard_D4_v4 to Standard_D2_v4, which is the next
size lower, you reduce your compute cost by 50 percent.
The following image shows this idea:

Keep in mind that resizing a VM requires it to be stopped, resized, and then restarted. This
process might take a few minutes depending on how significant the size change is. Be sure to
properly plan for an outage, or shift your traffic to another instance while you perform resize
operations.
Deallocate virtual machines during off hours
Recall that to deallocate a VM means to no longer run the VM, but preserve the associated hard
disks and data in Azure.
If you have VM workloads that are only used during certain periods, but you're running them
every hour of every day, you're wasting money. These VMs are great candidates to shut down
when not in use and start back when you need them, saving you compute costs while the VM is
deallocated.
This approach is an excellent strategy for development and testing environments, where the
VMs are needed only during business hours. Azure even provides a way to automatically start
and stop your VMs on a schedule.
Delete unused resources
This recommendation might sound obvious, but if you aren't using a resource, you should shut
it down. It's not uncommon to find nonproduction or proof-of-concept systems that are no
longer needed following the completion of a project.
Regularly review your environment, and work to identify these systems. Shutting down these
systems can have a dual benefit by saving you on infrastructure costs and potential savings on
licensing and operating costs.
Migrate from IaaS to PaaS services
As you move your workloads to the cloud, a natural evolution is to start with infrastructure as a
service (IaaS) services, because they map more directly to concepts and operations you're
already familiar with.
Over time, one way to reduce costs is to gradually move IaaS workloads to run on platform as a
service (PaaS) services. While you can think of IaaS as direct access to compute infrastructure,
PaaS provides ready-made development and deployment environments that are managed for
you.
As an example, say you run SQL Server on a VM running on Azure. This configuration requires
you to manage the underlying operating system, set up a SQL Server license, manage software
and security updates, and so on. You also pay for the VM whether or not the database is
processing queries. One way to potentially save costs is to move your database from SQL Server
on a VM to Azure SQL Database. Azure SQL Database is based on SQL Server.
Not only are PaaS services such as Azure SQL Database often less expensive to run, but because
they're managed for you, you don't need to worry about software updates, security patches, or
optimizing physical storage for read and write operations.
Save on licensing costs
Licensing is another area that can dramatically affect your cloud spending. Let's look at some
ways you can reduce your licensing costs.
Choose cost-effective operating systems
Many Azure services provide a choice of running on Windows or Linux. In some cases, the cost
depends on which you choose. When you have a choice, and your application doesn't depend
on the underlying operating system, it's useful to compare pricing to see whether you can save
money.
Use Azure Hybrid Benefit to repurpose software licenses on Azure
If you've purchased licenses for Windows Server or SQL Server, and your licenses are covered
by Software Assurance, you might be able to repurpose those licenses on VMs on Azure.
Some of the details vary between Windows Server or SQL Server. We'll provide resources for
you to learn more at the end of this module.
What are service-level agreements (SLAs)?
Completed100 XP
6 minutes
As mentioned in the video, a service-level agreement (SLA) is a formal agreement between a
service company and the customer. For Azure, this agreement defines the performance
standards that Microsoft commits to for you, the customer.
In this part, you'll learn more about Azure SLAs, including why SLAs are important, where you
can find the SLA for a specific Azure service, and what you'll find in a typical SLA.
Why are SLAs important?
Understanding the SLA for each Azure service you use helps you understand what guarantees
you can expect.
When you build applications on Azure, the availability of the services that you use affect your
application's performance. Understanding the SLAs involved can help you establish the SLA you
set with your customers.
Later in this module, you'll learn about some strategies you can use when an Azure SLA doesn't
meet your needs.
Where can I access SLAs for Azure services?
You can access SLAs from Service Level Agreements.
Note
You don't need an Azure subscription to review service SLAs.
Each Azure service defines its own SLA. Azure services are organized by category.
Open the SLA for Azure Database for MySQL, a managed database that makes it easy for
developers to work with MySQL databases. You'll refer back to this SLA in a moment.
To do so:
Go to Service Level Agreements.
From the Databases category, select Azure Database for MySQL.

What's in a typical SLA?

A typical SLA breaks down into these sections:
Introduction
This section explains what to expect in the SLA, including its scope and how subscription
renewals can affect the terms.
General terms
This section contains terms that are used throughout the SLA so that both parties (you and
Microsoft) have a consistent vocabulary. For example, this section might define what's meant
by downtime, incidents, and error codes.
This section also defines the general terms of the agreement, including how to submit a claim,
receive credit for any performance or availability issues, and limitations of the agreement.
SLA details
This section defines the specific guarantees for the service. Performance commitments are
commonly measured as a percentage. That percentage typically ranges from 99.9 percent
("three nines") to 99.99 percent ("four nines").
The primary performance commitment typically focuses on uptime, or the percentage of time
that a product or service is successfully operational. Some SLAs focus on other factors as well,
including latency, or how fast the service must respond to a request.
This section also defines any additional terms that are specific to this service.
Take a moment to review the SLA for Azure Database for MySQL.
You see that this SLA focuses mainly on uptime. Azure Database for MySQL guarantees 99.99
percent, or "four nines", uptime. This means that the service is guaranteed to be running and
available to process requests 99.99 percent of the time.
How do percentages relate to total downtime?
Downtime refers to the time duration that the service is unavailable.
The difference between 99.9 percent and 99.99 percent might seem minor, but it's important
to understand what these numbers mean in terms of total downtime.
Here's a table to give you a sense of how total downtime decreases as the SLA percentage
increases from 99 percent to 99.999 percent:
SLA percentage Downtime per week Downtime per month Downtime p
99 1.68 hours 7.2 hours 3.65 days
99.9 10.1 minutes 43.2 minutes 8.76 hours
99.95 5 minutes 21.6 minutes 4.38 hours
99.99 1.01 minutes 4.32 minutes 52.56 minu
99.999 6 seconds 25.9 seconds 5.26 minute
These amounts are cumulative, which means that the duration of multiple different service
outages would be combined, or added together.
What are service credits?
A service credit is the percentage of the fees you paid that are credited back to you according to
the claim approval process.
An SLA describes how Microsoft responds when an Azure service fails to perform to its
specification. For example, you might receive a discount on your Azure bill as compensation
when a service fails to perform according to its SLA.
Credits typically increase as uptime decreases. Here's how credits are applied for Azure
Database for MySQL according to uptime:
Monthly uptime percentage Service credit percentage
< 99.99 10
< 99 25
< 95 100
What's the SLA for free services?
Free products typically don't have an SLA.
For example, many Azure services provide a free or shared tier that provides more limited
functionality. Services like Azure Advisor are always free. The SLA for Azure Advisor states that
because it's free, it doesn't have a financially backed SLA.
How do I know when there's an outage?
Azure status provides a global view of the health of Azure services and regions. If you suspect
there's an outage, this is often a good place to start your investigation.
Azure status provides an RSS feed of changes to the health of Azure services that you can
subscribe to. You can connect this feed to communication software such as Microsoft Teams or
Slack.
From the Azure status page, you can also access Azure Service Health. This provides a
personalized view of the health of the Azure services and regions that you're using, directly
from the Azure portal.
How can I request a service credit from Microsoft?
Typically, you need to file a claim with Microsoft to receive a service credit. If you purchase
Azure services from a Cloud Solution Provider (CSP) partner, your CSP typically manages the
claims process.
Each SLA specifies the timeline by which you must submit your claim and when Microsoft
processes your claim. For many services, you must submit your claim by the end of the calendar
month following the month in which the incident occurred.
Next, let's look at some other factors that Tailwind Traders needs to consider that might affect
SLA performance targets.
Define your application SLA
Completed100 XP
3 minutes
An application SLA defines the SLA requirements for a specific application. This term typically
refers to an application that you build on Azure.
Tailwind Traders runs an application that it built on Azure called "Special Orders." The
application tracks special orders that customers have placed in the company's retail stores. A
special order includes an item and any customizations the customer needs. For example, a
folding door might include customizations such as dimension and hinge placement. Because
customizations typically require special handling, the customized item needs to be ordered
from the supplier when a customer needs it.
There are many design decisions you can make to improve the availability and resiliency of the
applications and services you build on Azure. These decisions extend beyond just the SLA for a
specific service. In this part, you'll explore a few of these considerations.
A good place to start is to have a discussion with your team about how important the
availability of each application is to your business. The following sections cover a few factors
that Tailwind Traders might consider.
Business impact
If the Special Orders application goes down, what would the business impact be? In this case,
customers can't place new orders through the store and staff can't check the status of existing
orders. Customers will either need to try again later or possibly go to a competitor.
Effect on other business operations
The Special Orders application doesn't affect other operations. So the majority of the Tailwind
Traders business will continue to function normally if the Special Orders application went down.
Usage patterns
Usage patterns define when and how users access your application.
One question to consider is whether the availability requirement differs between critical and
non-critical time periods. For example, a tax-filing application can't fail during a filing deadline.
For Tailwind Traders, retail stores aren't open 24 hours a day, so if the application were down in
the middle of the night, the impact would be minimal. However, because Tailwind Traders has
retail locations all over the world, it will need to ensure that each location has access to the
service during its retail hours.
What does the team decide?
Let's say that Tailwind Traders decides that an SLA of 99.9 percent is acceptable for the Special
Orders application. This gives the company an estimated downtime of 10.1 minutes per week.
But how will it ensure that its technology choices support its application SLA?
In the next part, you'll see how the team maps its application requirements to specific Azure
services. You'll learn about some of the techniques you can use to help ensure that your
technology choices meet your application SLA.
Design your application to meet your SLA
Completed100 XP
7 minutes
Tailwind Traders decides that an SLA of 99.9 percent is acceptable for the Special Orders
application. Recall that this gives the company an estimated downtime of 10.1 minutes per
week.
Now you need to design an efficient and reliable solution for this application on Azure, keeping
that application SLA in mind. You'll select the Azure products and services you need, and
provision your cloud resources according to those requirements.
In reality, failures will happen. Hardware can fail. The network can have intermittent timeout
periods. While it's rare for an entire service or region to experience a disruption, you still need
to plan for such events.
Let's follow the process Tailwind Traders uses to ensure that its technology choices meet its
application SLA.
Identify your workloads
A workload is a distinct capability or task that's logically separated from other tasks, in terms of
business logic and data storage requirements. Each workload defines a set of requirements for
availability, scalability, data consistency, and disaster recovery.
On Azure, the Special Orders application will require:
Two virtual machines.
One instance of Azure SQL Database.
One instance of Azure Load Balancer.
Here's a diagram that shows the basic architecture:

Combine SLAs to compute the composite SLA

After you've identified the SLA for the individual workloads in the Special Orders application,
you might notice that those SLAs are not all the same. How does this affect our overall
application SLA requirement of 99.9 percent? To work that out, you'll need to do some math.
The process of combining SLAs helps you compute the composite SLA for a set of services.
Computing the composite SLA requires that you multiply the SLA of each individual service.
From Service Level Agreements, you discover the SLA for each Azure service that you need.
They are:
Service SLA
Azure Virtual Machines 99.9 percent
Azure SQL Database 99.99 percent
Azure Load Balancer 99.99 percent
Therefore, for the Special Orders application, the composite SLA would be:
99.9%×99.9%×99.99%×99.99%99.9%×99.9%×99.99%×99.99%=0.999×0.999×0.9999
×0.9999=0.999×0.999×0.9999×0.9999=0.9978=0.9978=99.78%=99.78%
Recall that you need two virtual machines. Therefore, you include the Virtual Machines SLA of
99.9 percent two times in the formula.
Note that even though all of the individual services have SLAs equal to or better than the
application SLA, combining them results in an overall number that's lower than the 99.9 percent
you need. Why? Because using multiple services adds an extra level of complexity and slightly
increases the risk of failure.
You see here that the composite SLA of 99.78 percent doesn't meet the required SLA of 99.9
percent. You might go back to your team and ask whether this is acceptable. Or you might
implement some other strategies into your design to improve this SLA.
What happens when the composite SLA doesn't meet your
needs?
For the Special Orders application, the composite SLA doesn't meet the required SLA of 99.9
percent. Let's look at a few strategies that Tailwind Traders might consider.
Choose customization options that fit your required SLA
Each of the workloads defined previously has its own SLA, and the customization choices you
make when you provision each workload affects that SLA. For example:
Disks
With Virtual Machines, you can choose from a Standard HDD Managed Disk, a Standard SSD
Managed Disk, or a Premium SSD or Ultra Disk. The SLA for a single VM would be either 95
percent, 99.5 percent or 99.9 percent, depending on the disk choice.
Tiers
Some Azure services are offered as both a free tier product and as a standard paid service. For
example, Azure Automation provides 500 minutes of job runtime in an Azure free account, but
is not backed by an SLA. The standard tier SLA for Azure Automation is 99.9 percent.
Make sure that your purchasing decisions take into account the impact on the SLA for the Azure
services that you choose. Doing so ensures that the SLA supports your required application SLA.
Here, Tailwind Traders might choose the Ultra Disk option for its virtual machines to help
guarantee greater uptime.
Build availability requirements into your design
There are application design considerations you can use that relate to the underlying cloud
infrastructure.
For example, to improve the availability of the application, avoid having any single points of
failure. So instead of adding more virtual machines, you can deploy one or more extra instances
of the same virtual machine across the different availability zones in the same Azure region.
An availability zone is a unique physical location within an Azure region. Each zone is made up
of one or more datacenters equipped with independent power, cooling, and networking. These
zones use different schedules for maintenance, so if one zone is affected, your virtual machine
instance in the other zone is unaffected.
Deploying two or more instances of an Azure virtual machine across two or more availability
zones raises the virtual machine SLA to 99.99 percent. Recalculating your composite SLA above
with this Virtual Machines SLA gives you an application SLA of:
99.99%×99.99%×99.99%×99.99%99.99%×99.99%×99.99%×99.99%=99.96%=99.96%
This revised SLA of 99.96 percent exceeds your target of 99.9 percent.
To learn more about the SLA for Virtual Machines, visit SLA for Virtual Machines.
Include redundancy to increase availability
To ensure high availability, you might plan for your application to have duplicate components
across several regions, known as redundancy. Conversely, to minimize costs during non-critical
periods, you might run your application only in a single region. Tailwind Traders might consider
this if there's a trend that the special order rates are much higher during certain months or
seasons.
To achieve maximum availability in your application, add redundancy to every single part of the
application. This redundancy includes the application itself, as well as the underlying services
and infrastructure. Be aware, however, that doing so can be difficult and expensive, and often
results in solutions that are more complex than they need to be.
Consider how critical high availability is to your requirements before you add redundancy.
There may be simpler ways to meet your application SLA.
Very high performance is difficult to achieve
Performance targets above 99.99 percent are very difficult to achieve. An SLA of 99.99 percent
means 1 minute of downtime per week. It's difficult for humans to respond to failures quickly
enough to meet SLA performance targets above 99.99 percent. Instead, your application must
be able to self-diagnose and self-heal during an outage.
Access preview services and preview features
Completed100 XP
4 minutes
Now that the Tailwind Traders company has its applications up and running in Azure, it wants to
start looking into new Azure capabilities. One option is to look at preview services. In this
module, you'll learn how Azure services go from the preview phase to being generally available
product integrated into Azure.
For Tailwind Traders, migration from the datacenter to Azure is more about operational
efficiency. The research and development team is looking into new, cloud-based features that
will keep them ahead of the competition.
Tailwind Traders is in the development stages of creating a drone delivery system for rural
customers. The company needs real-time storm tracking in the drone guidance system, but the
feature isn't available yet. An AI Storm Analyzer service has recently been released in the public
preview phase. Tailwind Traders R&D team has decided to incorporate the preview service into
the early stages of application testing.
Note
AI Storm Analyzer is a fictitious Azure service, introduced here for illustrative purposes only.
Before the team moves forward, it wants a better understanding of how preview services affect
its SLA. Let's begin by defining the Azure service lifecycle.
What is the service lifecycle?
The service lifecycle defines how every Azure service is released for public use.
Every Azure service starts in the development phase. In this phase, the Azure team collects and
defines its requirements, and begins to build the service.
Next, the service is released to the public preview phase. During this phase, the public can
access and experiment with it and provide real-world feedback. Your feedback helps Microsoft
improve services. More importantly, providing feedback gives you the opportunity to request
new or different capabilities so that services better meet your needs.
After a new Azure service has been validated and tested, it's released to all customers as a
production-ready service. This is known as general availability (GA).
What terms and conditions can I expect?
Each Azure preview defines its own terms and conditions. All preview-specific terms and
conditions are excluded from the service level agreements and limited warranty.
Some previews may not be covered by customer support, and may be subject to reduced or
different security, compliance, and privacy commitments. For these reasons, previews are not
recommended for business-critical workloads.
How can I access preview services?
You can access preview services from the Azure portal.
Here's how to see what preview services are available. You can follow along if you have an
Azure subscription.
Go to the Azure portal and sign in.
Select Create a resource.
Enter preview in the search box, and select Enter.
Select a preview service to learn more about it. You can also launch the service if you'd like to
try it out.
How can I access new features for an existing service?
Some preview features relate to a specific area of an existing Azure service. For example, a
compute or database service that you use daily might provide enhanced functionality. These
preview features are accessible when you deploy, configure, and manage the service.
Although you can use an Azure preview feature in production, make sure you're aware of any
limitations before you deploy it to a production environment.
How can I access preview features for the Azure portal?
You can access preview features that are specific to the Azure portal from Microsoft Azure
(Preview).
Typical portal preview features provide performance, navigation, and accessibility
improvements to the Azure portal interface.
When you're using the preview version of the Azure portal, Microsoft Azure (Preview) displays
in the page header to remind you what version of the Azure portal you're using. Public preview
features that are optionally available are also labeled with (preview) on Azure pages.

How can I provide feedback on the Azure portal?

You can provide feedback:
From any of the 124 forums for Azure services, go to the Azure feedback community ideas page
From the Feedback tab in the Azure portal.

How can I stay updated on the latest announcements?

The Azure updates page provides information about the latest updates to Azure products,
services, and features, and product roadmaps and announcements.
From the Azure updates page, you can:
View details about all Azure updates.
See which updates are now available, in preview, or in

development.
Browse updates by product category or update type.
Search for updates by keyword.
Subscribe to an RSS feed to receive notifications.
Access the Microsoft Connect page to read Azure product news and announcements.