Introduction
Azure is a cloud computing platform with an ever-expanding set of services to help you build solutions to meet your business goals. Azure services range from simple web services for hosting your business presence in the cloud to running fully virtualized computers for you to run your custom software solutions. Azure provides a wealth of cloud-based services like remote storage, database hosting, and centralized account management. Azure also offers new capabilities like AI and Internet of Things (IoT).
In this module, you’ll take an entry-level, end-to-end look at Azure and its capabilities. You’ll gain a solid foundation for completing the available learning paths for Azure fundamentals.
What is Azure fundamentals?
Azure fundamentals is a series of six learning paths that familiarize you with Azure and its many services and features.
Whether you’re interested in Azure’s core compute, network, storage, and database services, learning about cloud security best practices, or exploring the cutting edge in IoT and machine learning, think of Azure fundamentals as your curated guide to Azure.
Azure fundamentals includes interactive exercises that give you hands-on experience with Azure. Many exercises provide a temporary Azure environment called the sandbox, which allows you to learn for free and at your own pace.
Technical IT experience is not required; however, having general IT knowledge will help you get the most from your learning experience.
Why should I take Azure fundamentals?
Whether you’re just beginning to work with the cloud or you already have cloud experience and are new to Azure, Azure fundamentals provides you with everything you need to get started.
No matter your goals, Azure fundamentals has something for you. Take Azure fundamentals if you:
- Have general interest in Azure or in the cloud.
- Want to earn official certification from Microsoft.
Preparation for Exam AZ-900
The Azure fundamentals learning path series can help you prepare for Exam AZ-900: Microsoft Azure Fundamentals. This exam includes six knowledge domain areas:
| AZ-900 Domain Area | Weight |
| --- | --- |
| Describe cloud concepts | 20-25% |
| Describe core Azure services | 15-20% |
| Describe core solutions and management tools on Azure | 10-15% |
| Describe general security and network security features | 10-15% |
| Describe identity, governance, privacy, and compliance features | 20-25% |
| Describe Azure cost management and Service Level Agreements | 10-15% |
Each domain area maps to a learning path in Azure fundamentals.
The percentages shown indicate the relative weight of each area on the exam. The higher the percentage, the more questions that part of the exam will contain. Be sure to read the exam page for specifics about what skills are covered in each area.
This training helps you develop a broad understanding of Azure. Having real-world experience will help reinforce the concepts so that you’re more fully prepared for the exam or to apply your skills on the job.
Learning objectives
After completing this module, you’ll be able to:
- Describe the basic concepts of cloud computing.
- Determine whether Azure is the right solution for your business needs.
- Differentiate between the different methods of creating an Azure subscription.
What is cloud computing?
Have you ever wondered what cloud computing is? It’s the delivery of computing services over the internet, which is otherwise known as the cloud. These services include servers, storage, databases, networking, software, analytics, and intelligence. Cloud computing offers faster innovation, flexible resources, and economies of scale.
Why is cloud computing typically cheaper to use?
Cloud computing is the delivery of computing services over the internet by using a pay-as-you-go pricing model. You typically pay only for the cloud services you use, which helps you:
- Lower your operating costs.
- Run your infrastructure more efficiently.
- Scale as your business needs change.
To put it another way, cloud computing is a way to rent compute power and storage from someone else’s datacenter. You can treat cloud resources like you would resources in your own datacenter. When you’re done using them, you give them back. You’re billed only for what you use.
Instead of maintaining CPUs and storage in your datacenter, you rent them for the time that you need them. The cloud provider takes care of maintaining the underlying infrastructure for you. The cloud enables you to quickly solve your toughest business challenges, and bring cutting-edge solutions to your users.
Why should I move to the cloud?
The cloud helps you move faster and innovate in ways that were once nearly impossible.
In our ever-changing digital world, two trends emerge:
- Teams deliver new features to their users at record speeds.
- Users expect an increasingly rich and immersive experience with their devices and with software.
Software releases were once scheduled in terms of months or even years. Today, teams release features in smaller batches that are often scheduled in days or weeks. Some teams even deliver software updates continuously–sometimes with multiple releases within the same day.
Think of all the ways you interact with devices that you couldn’t do a few years ago. Many devices can recognize your face and respond to voice commands. Augmented reality changes the way you interact with the physical world. Household appliances are even beginning to act intelligently. These technologies are only a few examples, and many of them are powered by the cloud.
To power your services and deliver innovative and novel user experiences more quickly, the cloud provides on-demand access to:
- A nearly limitless pool of raw compute, storage, and networking components.
- Speech recognition and other cognitive services that help make your application stand out from the crowd.
- Analytics services that deliver telemetry data from your software and devices.
What is Azure?
Azure is a continually expanding set of cloud services that help your organization meet your current and future business challenges. Azure gives you the freedom to build, manage, and deploy applications on a massive global network using your favorite tools and frameworks.
What does Azure offer?
With help from Azure, you have everything you need to build your next great solution. The following table lists several of the benefits that Azure provides, so you can easily invent with purpose.
Be ready for the future: Continuous innovation from Microsoft supports your development today and your product visions for tomorrow.
Build on your terms: You have choices. With a commitment to open source, and support for all languages and frameworks, you can build how you want and deploy where you want to.
Operate hybrid seamlessly: On-premises, in the cloud, and at the edge–we’ll meet you where you are. Integrate and manage your environments with tools and services designed for a hybrid cloud solution.
Trust your cloud: Get security from the ground up, backed by a team of experts, and proactive compliance trusted by enterprises, governments, and startups.
What can I do with Azure?
Azure provides more than 100 services that enable you to do everything from running your existing applications on virtual machines, to exploring new software paradigms, such as intelligent bots and mixed reality.
Many teams start exploring the cloud by moving their existing applications to virtual machines that run in Azure. Migrating your existing apps to virtual machines is a good start, but the cloud is much more than a different place to run your virtual machines.
For example, Azure provides AI and machine-learning services that can naturally communicate with your users through vision, hearing, and speech. It also provides storage solutions that dynamically grow to accommodate massive amounts of data. Azure services enable solutions that aren’t feasible without the power of the cloud.
How does Azure work?
What is the Azure portal?
The Azure portal is a web-based, unified console that provides an alternative to command-line tools. With the Azure portal, you can manage your Azure subscription by using a graphical user interface. You can:
- Build, manage, and monitor everything from simple web apps to complex cloud deployments.
- Create custom dashboards for an organized view of resources.
- Configure accessibility options for an optimal experience.
The Azure portal is designed for resiliency and continuous availability. It maintains a presence in every Azure datacenter. This configuration makes the Azure portal resilient to individual datacenter failures and avoids network slowdowns by being close to users. The Azure portal updates continuously and requires no downtime for maintenance activities.
What is Azure Marketplace?
Azure Marketplace helps connect users with Microsoft partners, independent software vendors, and startups that are offering their solutions and services, which are optimized to run on Azure. Azure Marketplace customers can find, try, purchase, and provision applications and services from hundreds of leading service providers. All solutions and services are certified to run on Azure.
The solution catalog spans several industry categories such as open-source container platforms, virtual machine images, databases, application build and deployment software, developer tools, threat detection, and blockchain. Using Azure Marketplace, you can provision end-to-end solutions quickly and reliably, hosted in your own Azure environment. At the time of writing, there are more than 8,000 listings.
Azure Marketplace is designed for IT pros and cloud developers interested in commercial and IT software. Microsoft partners also use it as a launch point for all joint go-to-market activities.
Tour of Azure services
Azure can help you tackle tough business challenges. You bring your requirements, creativity, and favorite software development tools. Azure brings a massive global infrastructure that’s always available for you to build your applications on.
Let’s take a quick tour of the high-level services Azure offers.
Azure overview
Azure services
Here’s a big-picture view of the available services and features in Azure.
Let’s take a closer look at the most commonly used categories:
- Compute
- Networking
- Storage
- Mobile
- Databases
- Web
- Internet of Things (IoT)
- Big data
- AI
- DevOps
Compute
Compute services are often one of the primary reasons why companies move to the Azure platform. Azure provides a range of options for hosting applications and services. Here are some examples of compute services in Azure.
| Service name | Service function |
| --- | --- |
| Azure Virtual Machines | Windows or Linux virtual machines (VMs) hosted in Azure. |
| Azure Virtual Machine Scale Sets | Scaling for Windows or Linux VMs hosted in Azure. |
| Azure Kubernetes Service | Cluster management for VMs that run containerized services. |
| Azure Service Fabric | Distributed systems platform that runs in Azure or on-premises. |
| Azure Batch | Managed service for parallel and high-performance computing applications. |
| Azure Container Instances | Containerized apps run on Azure without provisioning servers or VMs. |
| Azure Functions | An event-driven, serverless compute service. |
Networking
Linking compute resources and providing access to applications is the key function of Azure networking. Networking functionality in Azure includes a range of options to connect the outside world to services and features in the global Azure datacenters.
Here are some examples of networking services in Azure.
| Service name | Service function |
| --- | --- |
| Azure Virtual Network | Connects VMs to incoming virtual private network (VPN) connections. |
| Azure Load Balancer | Balances inbound and outbound connections to applications or service endpoints. |
| Azure Application Gateway | Optimizes app server farm delivery while increasing application security. |
| Azure VPN Gateway | Accesses Azure Virtual Networks through high-performance VPN gateways. |
| Azure DNS | Provides ultra-fast DNS responses and ultra-high domain availability. |
| Azure Content Delivery Network | Delivers high-bandwidth content to customers globally. |
| Azure DDoS Protection | Protects Azure-hosted applications from distributed denial of service (DDoS) attacks. |
| Azure Traffic Manager | Distributes network traffic across Azure regions worldwide. |
| Azure ExpressRoute | Connects to Azure over high-bandwidth dedicated secure connections. |
| Azure Network Watcher | Monitors and diagnoses network issues by using scenario-based analysis. |
| Azure Firewall | Implements high-security, high-availability firewall with unlimited scalability. |
| Azure Virtual WAN | Creates a unified wide area network (WAN) that connects local and remote sites. |
Storage
Azure provides four main types of storage services.
| Service name | Service function |
| --- | --- |
| Azure Blob storage | Storage service for very large objects, such as video files or bitmaps. |
| Azure File storage | File shares that can be accessed and managed like a file server. |
| Azure Queue storage | A data store for queuing and reliably delivering messages between applications. |
| Azure Table storage | Table storage is a service that stores non-relational structured data (also known as structured NoSQL data) in the cloud, providing a key/attribute store with a schemaless design. |
These services all share several common characteristics:
- Durable and highly available with redundancy and replication.
- Secure through automatic encryption and role-based access control.
- Scalable with virtually unlimited storage.
- Managed, handling maintenance and any critical problems for you.
- Accessible from anywhere in the world over HTTP or HTTPS.
Mobile
With Azure, developers can create mobile back-end services for iOS, Android, and Windows apps quickly and easily. Features that used to take time and increase project risks, such as adding corporate sign-in and then connecting to on-premises resources such as SAP, Oracle, SQL Server, and SharePoint, are now simple to include.
Other features of this service include:
- Offline data synchronization.
- Connectivity to on-premises data.
- Broadcasting push notifications.
- Autoscaling to match business needs.
Databases
Azure provides multiple database services to store a wide variety of data types and volumes. And with global connectivity, this data is available to users instantly.
| Service name | Service function |
| --- | --- |
| Azure Cosmos DB | Globally distributed database that supports NoSQL options. |
| Azure SQL Database | Fully managed relational database with auto-scale, integral intelligence, and robust security. |
| Azure Database for MySQL | Fully managed and scalable MySQL relational database with high availability and security. |
| Azure Database for PostgreSQL | Fully managed and scalable PostgreSQL relational database with high availability and security. |
| SQL Server on Azure Virtual Machines | Service that hosts enterprise SQL Server apps in the cloud. |
| Azure Synapse Analytics | Fully managed data warehouse with integral security at every level of scale at no extra cost. |
| Azure Database Migration Service | Service that migrates databases to the cloud with no application code changes. |
| Azure Cache for Redis | Fully managed service caches frequently used and static data to reduce data and application latency. |
| Azure Database for MariaDB | Fully managed and scalable MariaDB relational database with high availability and security. |
Web
Having a great web experience is critical in today’s business world. Azure includes first-class support to build and host web apps and HTTP-based web services. The following Azure services are focused on web hosting.
| Service name | Description |
| --- | --- |
| Azure App Service | Quickly create powerful cloud web-based apps. |
| Azure Notification Hubs | Send push notifications to any platform from any back end. |
| Azure API Management | Publish APIs to developers, partners, and employees securely and at scale. |
| Azure Cognitive Search | Deploy this fully managed search as a service. |
| Web Apps feature of Azure App Service | Create and deploy mission-critical web apps at scale. |
| Azure SignalR Service | Add real-time web functionalities easily. |
IoT
People are able to access more information than ever before. Personal digital assistants led to smartphones, and now there are smart watches, smart thermostats, and even smart refrigerators. Personal computers used to be the norm. Now the internet allows any item that’s online-capable to access valuable information. This ability for devices to garner and then relay information for data analysis is referred to as IoT.
Many services can assist and drive end-to-end solutions for IoT on Azure.
| Service name | Description |
| --- | --- |
| IoT Central | Fully managed global IoT software as a service (SaaS) solution that makes it easy to connect, monitor, and manage IoT assets at scale. |
| Azure IoT Hub | Messaging hub that provides secure communications between and monitoring of millions of IoT devices. |
| IoT Edge | Fully managed service that allows data analysis models to be pushed directly onto IoT devices, which allows them to react quickly to state changes without needing to consult cloud-based AI models. |
Big data
Data comes in all formats and sizes. When we talk about big data, we’re referring to large volumes of data. Weather systems, communications systems, genomic research, imaging platforms, and many other scenarios generate hundreds of gigabytes of data. This amount of data makes it hard to analyze and to base decisions on. It’s often so large that traditional forms of processing and analysis are no longer appropriate.
Open-source cluster technologies have been developed to deal with these large data sets. Azure supports a broad range of technologies and services to provide big data and analytic solutions.
| Service name | Description |
| --- | --- |
| Azure Synapse Analytics | Run analytics at a massive scale by using a cloud-based enterprise data warehouse that takes advantage of massively parallel processing to run complex queries quickly across petabytes of data. |
| Azure HDInsight | Process massive amounts of data with managed Hadoop clusters in the cloud. |
| Azure Databricks | Integrate this collaborative Apache Spark-based analytics service with other big data services in Azure. |
AI
AI, in the context of cloud computing, is based around a broad range of services, the core of which is machine learning. Machine learning is a data science technique that allows computers to use existing data to forecast future behaviors, outcomes, and trends. Using machine learning, computers learn without being explicitly programmed.
Forecasts or predictions from machine learning can make apps and devices smarter. For example, when you shop online, machine learning helps recommend other products you might like based on what you’ve purchased. Or when your credit card is swiped, machine learning compares the transaction to a database of transactions and helps detect fraud. And when your robot vacuum cleaner vacuums a room, machine learning helps it decide whether the job is done.
Here are some of the most common AI and machine learning service types in Azure.
| Service name | Description |
| --- | --- |
| Azure Machine Learning Service | Cloud-based environment you can use to develop, train, test, deploy, manage, and track machine learning models. It can auto-generate a model and auto-tune it for you. It will let you start training on your local machine, and then scale out to the cloud. |
| Azure ML Studio | Collaborative visual workspace where you can build, test, and deploy machine learning solutions by using prebuilt machine learning algorithms and data-handling modules. |
A closely related set of products are the cognitive services. You can use these prebuilt APIs in your applications to solve complex problems.
| Service name | Description |
| --- | --- |
| Vision | Use image-processing algorithms to smartly identify, caption, index, and moderate your pictures and videos. |
| Speech | Convert spoken audio into text, use voice for verification, or add speaker recognition to your app. |
| Knowledge mapping | Map complex information and data to solve tasks such as intelligent recommendations and semantic search. |
| Bing Search | Add Bing Search APIs to your apps and harness the ability to comb billions of webpages, images, videos, and news with a single API call. |
| Natural Language processing | Allow your apps to process natural language with prebuilt scripts, evaluate sentiment, and learn how to recognize what users want. |
DevOps
DevOps brings together people, processes, and technology by automating software delivery to provide continuous value to your users. With Azure DevOps, you can create build and release pipelines that provide continuous integration, delivery, and deployment for your applications. You can integrate repositories and application tests, perform application monitoring, and work with build artifacts. You can also work with backlog items for tracking, automate infrastructure deployment, and integrate a range of third-party tools and services such as Jenkins and Chef. All of these functions and many more are closely integrated with Azure, which allows for consistent, repeatable deployments of your applications and streamlined build and release processes.
| Service name | Description |
| --- | --- |
| Azure DevOps | Use development collaboration tools such as high-performance pipelines, free private Git repositories, configurable Kanban boards, and extensive automated and cloud-based load testing. Formerly known as Visual Studio Team Services. |
| Azure DevTest Labs | Quickly create on-demand Windows and Linux environments to test or demo applications directly from deployment pipelines. |
Get started with Azure accounts
To create and use Azure services, you need an Azure subscription. When you’re completing Learn modules, most of the time a temporary subscription is created for you, which runs in an environment called the Learn sandbox. When you’re working with your own applications and business needs, you need to create an Azure account, and a subscription will be created for you. After you’ve created an Azure account, you’re free to create additional subscriptions. For example, your company might use a single Azure account for your business and separate subscriptions for development, marketing, and sales departments. After you’ve created an Azure subscription, you can start creating Azure resources within each subscription.
If you’re new to Azure, you can sign up for a free account on the Azure website to start exploring at no cost to you. When you’re ready, you can choose to upgrade your free account. You can create a new subscription that enables you to start paying for Azure services you need to use that are beyond the limits of a free account.
Create an Azure account
You can purchase Azure access directly from Microsoft by signing up on the Azure website or through a Microsoft representative. You can also purchase Azure access through a Microsoft partner. Cloud Solution Provider partners offer a range of complete managed-cloud solutions for Azure.
For more information on how to create an Azure account, see the Create an Azure account learning module.
What is the Azure free account?
The Azure free account includes:
- Free access to popular Azure products for 12 months.
- A credit to spend for the first 30 days.
- Access to more than 25 products that are always free.
The Azure free account is an excellent way for new users to get started and explore. To sign up, you need a phone number, a credit card, and a Microsoft or GitHub account. The credit card information is used for identity verification only. You won’t be charged for any services until you upgrade to a paid subscription.
What is the Azure free student account?
The Azure free student account offer includes:
- Free access to certain Azure services for 12 months.
- A credit to use in the first 12 months.
- Free access to certain software developer tools.
The Azure free student account is an offer for students that gives $100 credit and free developer tools. Also, you can sign up without a credit card.
What is the Learn sandbox?
Many of the Learn exercises use a technology called the sandbox, which creates a temporary subscription that’s added to your Azure account. This temporary subscription allows you to create Azure resources for the duration of a Learn module. Learn automatically cleans up the temporary resources for you after you’ve completed the module.
When you’re completing a Learn module, you’re welcome to use your personal subscription to complete the exercises in a module. The sandbox is the preferred method to use though, because it allows you to create and test Azure resources at no cost to you.
Case study introduction
Throughout the Azure Fundamentals learning paths, we’ll work with Tailwind Traders, a fictitious home improvement retailer. It operates retail hardware stores across the globe and online.
Tailwind Traders currently manages an on-premises datacenter that hosts the company’s retail website. The datacenter also stores all of the data and streaming video for its applications. The IT department is currently responsible for all of the management tasks for its computing hardware and software. For example, let’s suppose that you work as an IT specialist for the company’s IT department. Your IT team handles the procurement process to buy new hardware, installs and configures software, and deploys everything throughout the datacenter.
These management responsibilities create some obstacles for delivering your applications to your users in a timely fashion. As an IT pro, you realize it would be advantageous to have servers, storage, databases, and other services immediately available when you develop and deploy applications. You want to easily start a new server or add services to your solutions.
In the other units of this learning module, you’ve learned about some of the cloud-based services that Tailwind Traders can use to address its technology challenges. With that in mind, the services that are available through Azure can help Tailwind Traders conduct its business more efficiently.
As you complete the various modules in the Azure Fundamentals learning paths, we’ll analyze the challenges that Tailwind Traders is facing. You’ll see how you can use Azure services to address each of the issues as they arise. After you’ve completed each of the modules, the knowledge that you gained from resolving the hypothetical challenges that the fictional Tailwind Traders company encountered should benefit you in your real-world environments.
Introduction
IoT bridges the physical and digital worlds by enabling devices with sensors and an internet connection to communicate with cloud-based systems via the internet.
Tailwind Traders sees many opportunities to use Azure IoT services across many different facets of their operations, from new product development to logistics and point-of-sale.
In this module, you’ll help Tailwind Traders select the right Azure IoT service offering for its business scenarios. By evaluating the services in relation to a set of decision criteria, you’ll learn about what the various services do, how they’re different or complementary, and when to use one or the other.
Learning objectives
After you’ve completed this module, you’ll be able to:
- Choose the Azure IoT service that best addresses your business scenario.
Prerequisites
- Familiarity with basic computing concepts and terminology
- Familiarity with cloud computing is helpful but not necessary
Identify the product options
IoT enables devices to gather and then relay information for data analysis. Smart devices are equipped with sensors that collect data. A few common sensors that measure attributes of the physical world include:
- Environmental sensors that capture temperature and humidity levels.
- Barcode, QR code, or optical character recognition (OCR) scanners.
- Geo-location and proximity sensors.
- Light, color, and infrared sensors.
- Sound and ultrasonic sensors.
- Motion and touch sensors.
- Accelerometer and tilt sensors.
- Smoke, gas, and alcohol sensors.
- Error sensors to detect when there’s a problem with the device.
- Mechanical sensors that detect anomalies or deformations.
- Flow, level, and pressure sensors for measuring gasses and liquids.
By using Azure IoT services, devices that are equipped with these kinds of sensors and that can connect to the internet could send their sensor readings to a specific endpoint in Azure via a message. The message’s data is then collected and aggregated, and it can be converted into reports and alerts. Alternately, all devices could be updated with new firmware to fix issues or add new functionality by sending software updates from Azure IoT services to each device.
Let’s suppose your company manufactures and operates smart refrigerated vending machines. What kinds of information would you want to monitor? You might want to ensure that:
- Each machine is operating without any errors.
- The machines haven’t been compromised.
- The machines’ refrigeration systems are keeping their contents within a certain temperature range.
- You’re notified when products reach a certain inventory level so you can restock the machines.
If the hardware of your vending machines can collect and send this information in a standard message, the messages each machine sends can be received, stored, organized, and displayed by using Azure IoT services.
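The vending-machine checks listed above, applied to device messages, as an added example that is not part of the original module and uses no Azure SDK. The message fields, thresholds, device registry and firmware identifiers are assumptions made for illustration, and the sample messages are constructed.

```python
import json
from datetime import datetime, timedelta, timezone

# Assumed thresholds, field names and firmware identifiers: none of these
# come from the module or from an Azure message schema.
TEMP_RANGE_C = (1.0, 5.0)
RESTOCK_AT = 5
SILENT_AFTER = timedelta(minutes=15)
REQUIRED = ("device_id", "ts", "temp_c", "inventory", "errors", "fw")
EXPECTED_FW = {"vm-001": "fw-1.4.2", "vm-002": "fw-1.4.2", "vm-003": "fw-1.4.2"}

# Constructed sample messages, one JSON document per device report.
SAMPLE = [
    '{"device_id":"vm-001","ts":"2024-05-01T10:00:00+00:00","temp_c":3.2,'
    '"inventory":{"cola":12,"water":9},"errors":[],"fw":"fw-1.4.2"}',
    '{"device_id":"vm-002","ts":"2024-05-01T10:01:00+00:00","temp_c":8.9,'
    '"inventory":{"cola":4,"water":20},"errors":["E17 compressor"],"fw":"fw-1.4.2"}',
    '{"device_id":"vm-003","ts":"2024-05-01T09:30:00+00:00","temp_c":2.0,'
    '"inventory":{"cola":30},"errors":[],"fw":"fw-9.9.9"}',
    '{"device_id":"vm-004","ts":"2024-05-01T10:02:00+00:00","temp_c":2.5,'
    '"inventory":{},"errors":[],"fw":"fw-1.4.2"}',
    '{"device_id":"vm-001","temp_c":"cold"',  # truncated in transit
]
NOW = datetime(2024, 5, 1, 10, 5, tzinfo=timezone.utc)


def check_message(raw):
    """Return (device_id, timestamp, alerts) for one raw message."""
    try:
        msg = json.loads(raw)
    except json.JSONDecodeError:
        return None, None, ["malformed"]
    if not isinstance(msg, dict) or any(k not in msg for k in REQUIRED):
        return None, None, ["malformed"]
    dev, stock = msg["device_id"], msg["inventory"]
    if not isinstance(dev, str) or not isinstance(stock, dict):
        return None, None, ["malformed"]
    try:
        ts = datetime.fromisoformat(msg["ts"])
        temp = float(msg["temp_c"])
    except (TypeError, ValueError):
        return dev, None, ["malformed"]
    if ts.tzinfo is None:  # refuse timestamps that cannot be compared safely
        return dev, None, ["malformed"]
    if dev not in EXPECTED_FW:  # a device nobody registered is its own alert
        return dev, ts, ["unknown_device"]
    alerts = []
    if msg["errors"]:
        alerts.append("device_error")
    if msg["fw"] != EXPECTED_FW[dev]:  # integrity signal: unexpected firmware
        alerts.append("firmware_mismatch")
    if not TEMP_RANGE_C[0] <= temp <= TEMP_RANGE_C[1]:
        alerts.append("temp_out_of_range")
    low = sorted(p for p, n in stock.items()
                 if isinstance(n, int) and n <= RESTOCK_AT)
    alerts += ["restock:" + p for p in low]
    return dev, ts, alerts


def monitor(messages, now):
    """Collect alerts per device and flag registered devices that went silent."""
    report, last_seen = {}, {}
    for raw in messages:
        dev, ts, alerts = check_message(raw)
        report.setdefault(dev or "<unparsed>", []).extend(alerts)
        if ts is not None and dev in EXPECTED_FW:
            last_seen[dev] = max(ts, last_seen.get(dev, ts))
    for dev in EXPECTED_FW:
        seen = last_seen.get(dev)
        if seen is None or now - seen > SILENT_AFTER:
            report.setdefault(dev, []).append("silent")
    return {dev: alerts for dev, alerts in report.items() if alerts}


if __name__ == "__main__":
    for device, alerts in monitor(SAMPLE, NOW).items():
        print(device, alerts)
```

A machine that stops reporting is treated as an alert in its own right, because none of the four checks can fire for a device that sends nothing.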
The data that’s collected from these devices could be combined with Azure AI services to help you predict:
- When machines need proactive maintenance.
- When inventories will need to be replenished and new product ordered from vendors.
Many services can assist and drive end-to-end solutions for IoT on Azure.
Azure IoT Hub
Azure IoT Hub is a managed service that’s hosted in the cloud and that acts as a central message hub for bi-directional communication between your IoT application and the devices it manages. You can use Azure IoT Hub to build IoT solutions with reliable and secure communications between millions of IoT devices and a cloud-hosted solution back end. You can connect virtually any device to your IoT hub.
The IoT Hub service supports communications both from the device to the cloud and from the cloud to the device. It also supports multiple messaging patterns, such as device-to-cloud telemetry, file upload from devices, and request-reply methods to control your devices from the cloud. After an IoT hub receives messages from a device, it can route that message to other Azure services.
From a cloud-to-device perspective, IoT Hub allows for command and control. That is, you can have either manual or automated remote control of connected devices, so you can instruct the device to open valves, set target temperatures, restart stuck devices, and so on.
IoT Hub monitoring helps you maintain the health of your solution by tracking events such as device creation, device failures, and device connections.
Azure IoT Central
Azure IoT Central builds on top of IoT Hub by adding a dashboard that allows you to connect, monitor, and manage your IoT devices. The visual user interface (UI) makes it easy to quickly connect new devices and watch as they begin sending telemetry or error messages. You can watch the overall performance across all devices in aggregate, and you can set up alerts that send notifications when a specific device needs maintenance. Finally, you can push firmware updates to the device.
To help you get up and running quickly, IoT Central provides starter templates for common scenarios across various industries, such as retail, energy, healthcare, and government. You then customize the design starter templates directly in the UI by choosing from existing themes or creating your own custom theme, setting the logo, and so on. With IoT Central, you can tailor the starter templates for the specific data that’s sent from your devices, the reports you want to see, and the alerts you want to send.
You can use the UI to control your devices remotely. This feature allows you to push a software update or modify a property of the device. You can adjust the desired temperature for one or all of your refrigerated vending machines from directly inside of IoT Central.
A key part of IoT Central is the use of device templates. By using a device template, you can connect a device without any service-side coding. IoT Central uses the templates to construct the dashboards, alerts, and so on. Device developers still need to create code to run on the devices, and that code must match the device template specification.
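As an added illustration of the requirement that device code "must match the device template specification" (this is not code from the original module): a check that compares a device-to-cloud message body against the telemetry a template declares, reporting unmodeled fields and type mismatches. The template is a constructed one in the style of DTDL v2, the modeling language IoT Central device templates are written in; the vending-machine field names, the `dtmi` identifier, and the helper names are assumptions.

```python
import json

# Constructed template for a refrigerated vending machine (assumption, DTDL v2 style).
TEMPLATE = {
    "@context": "dtmi:dtdl:context;2",
    "@id": "dtmi:example:VendingMachine;1",
    "@type": "Interface",
    "contents": [
        {"@type": ["Telemetry", "Temperature"], "name": "temperature",
         "schema": "double", "unit": "degreeCelsius"},
        {"@type": "Telemetry", "name": "doorOpen", "schema": "boolean"},
        {"@type": "Telemetry", "name": "stockLevel", "schema": "integer"},
        # A writable property is set from the cloud; it is not telemetry.
        {"@type": "Property", "name": "targetTemperature",
         "schema": "double", "writable": True},
    ],
}


def _is_number(value):
    # bool is a subclass of int in Python, so exclude it explicitly.
    return isinstance(value, (int, float)) and not isinstance(value, bool)


def _is_int(bits):
    lo, hi = -(2 ** (bits - 1)), 2 ** (bits - 1)
    return lambda v: isinstance(v, int) and not isinstance(v, bool) and lo <= v < hi


# Only primitive schemas are covered in this example.
_PRIMITIVES = {
    "boolean": lambda v: isinstance(v, bool),
    "integer": _is_int(32),
    "long": _is_int(64),
    "float": _is_number,
    "double": _is_number,
    "string": lambda v: isinstance(v, str),
}


def telemetry_schema(template):
    """Return {telemetry name: schema} for the Telemetry entries of a template."""
    declared = {}
    for item in template.get("contents", []):
        types = item.get("@type", [])
        if isinstance(types, str):
            types = [types]
        if "Telemetry" in types:
            declared[item["name"]] = item["schema"]
    return declared


def check_message(template, raw_body):
    """Return a list of (field, problem) tuples for one message body."""
    try:
        body = json.loads(raw_body)
    except json.JSONDecodeError:
        return [("<body>", "not valid JSON")]
    if not isinstance(body, dict):
        return [("<body>", "not a JSON object")]

    declared = telemetry_schema(template)
    problems = []
    for name, value in body.items():
        if name not in declared:
            problems.append((name, "unmodeled telemetry"))
            continue
        schema = declared[name]
        checker = _PRIMITIVES.get(schema) if isinstance(schema, str) else None
        if checker is None:
            problems.append((name, "schema not covered by this example"))
        elif not checker(value):
            problems.append((name, f"expected {schema}"))
    return problems


# Constructed sample messages.
GOOD = '{"temperature": 3.5, "doorOpen": false, "stockLevel": 12}'
BAD = '{"temperature": "3.5", "stockLevel": true, "fwVersion": "1.2"}'

if __name__ == "__main__":
    for label, msg in (("good", GOOD), ("bad", BAD)):
        print(label, check_message(TEMPLATE, msg))
```

Running a check like this in the device firmware's test suite catches drift between the device code and the template before devices are deployed.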
Azure Sphere
Azure Sphere creates an end-to-end, highly secure IoT solution for customers that encompasses everything from the hardware and operating system on the device to the secure method of sending messages from the device to the message hub. Azure Sphere has built-in communication and security features for internet-connected devices.
Azure Sphere comes in three parts:
- The first part is the Azure Sphere micro-controller unit (MCU), which is responsible for processing the operating system and signals from attached sensors. The Seeed Azure Sphere MT3620 Development Kit MCU is one of several different starter kits that are available for prototyping and developing Azure Sphere applications.
- The second part is a customized Linux operating system (OS) that handles communication with the security service and can run the vendor’s software.
- The third part is Azure Sphere Security Service, also known as AS3. Its job is to make sure that the device has not been maliciously compromised. When the device attempts to connect to Azure, it first must authenticate itself, per device, which it does by using certificate-based authentication. If it authenticates successfully, AS3 checks to ensure that the device hasn’t been tampered with. After it has established a secure channel of communication, AS3 pushes any OS or approved customer-developed software updates to the device.
After the Azure Sphere system has validated the authenticity of the device and authenticated it, the device can interact with other Azure IoT services by sending telemetry and error information.
Analyze the decision criteria
In this unit, we’ll analyze the criteria that experts employ when they decide which IoT service to use for a given business need. Understanding the criteria can also help you better understand the nuanced differences between each product.
Is it critical to ensure that the device is not compromised?
Not in every case. Manufacturers and customers would rather not have their devices maliciously compromised and used for nefarious purposes; however, in some cases it’s more critical to ensure the integrity of the device than in others. An example would be an ATM in comparison to a washing machine. When security is a critical consideration in your product’s design, the best product option is Azure Sphere, which provides a comprehensive end-to-end solution for IoT devices.
As we mentioned in the previous unit, Azure Sphere ensures a secure channel of communication between the device and Azure by controlling everything from the hardware to the operating system and the authentication process. This ensures that the integrity of the device is uncompromised. After a secure channel is established, messages can be received from the device securely, and messages or software updates can be sent to the device remotely.
Do I need a dashboard for reporting and management?
Your next decision will be the level of services you require from your IoT solution. If you merely want to connect to your remote devices to receive telemetry and occasionally push updates, and you don’t need any reporting capabilities, you might prefer to implement Azure IoT Hub by itself. Your programmers can still create a customized set of management tools and reports by using the IoT Hub RESTful API.
However, if you want a pre-built customizable user interface with which you can view and control your devices remotely, you might prefer to start with IoT Central. With this solution, you can control a single device or all devices at once, and you can set up alerts for certain conditions, such as a device failure.
IoT Central integrates with many different Azure products, including IoT Hub, to create a dashboard with reports and management features. The dashboard is based on starter templates for common industry and usage scenarios. You can use the dashboard that’s generated by the starter template as is or customize it to suit your needs. You can have multiple dashboards and target them at a variety of users.
Use IoT Hub
The Tailwind Traders senior leadership team has decided to partner with a leading appliance manufacturer to create an exclusive, high-end brand that promises a preemptive maintenance service agreement. This unique feature would differentiate Tailwind Traders appliances in a crowded, competitive market. The feature also makes the brand lucrative, because a yearly subscription would be required. To build a strong brand reputation, the appliances will send telemetry information to a centralized location, where the data can be analyzed and maintenance can be scheduled.
The devices will not require remote control. They will merely be sending their telemetry data for analysis and proactive maintenance.
Because Tailwind Traders already has software in place for managing appliance maintenance requests, the company wants to integrate all functionality into this existing system.
Which service should you choose?
Let’s apply the decision criteria from the previous unit.
First, is it critical to ensure that the device or, in this case, each appliance, isn’t compromised? It’s preferable, but not critical, that the devices aren’t compromised. The worst that could happen is that a hacker reads the current temperature of the customer’s refrigerator or the number of loads of laundry the washing machine has completed.
Even if the customer calls and reports strange behavior with their appliance, a technician could reset or replace the microcontroller. It might not warrant the extra expense or engineering resources that would be required to employ Azure Sphere.
Second decision criterion: do I need a dashboard for reporting and management? In this case, no. Tailwind Traders wants to integrate the telemetry data and all other functionality into an existing maintenance request system. In this case, Azure IoT Central is not required.
So, given the responses to the decision criteria, Azure IoT Hub is the best choice in this scenario.
Why not use Azure IoT Central?
Azure IoT Central provides a dashboard that allows companies to manage IoT devices individually and in aggregate, view reports, and set up error notifications via a GUI. But, in this scenario, Tailwind Traders wants to integrate the telemetry it collects and other analysis functionality into an existing software application. Furthermore, the company’s appliances will be collecting data via sensors only and don’t need the ability to update settings or software remotely. Therefore, the company doesn’t need Azure IoT Central.
Why not use Azure Sphere?
Azure Sphere provides a complete solution for scenarios where security is critical. In this scenario, security is preferred but not critical. The appliances can’t be updated with new software remotely. The sensors merely report usage data. As a result, Azure Sphere isn’t necessary.
Use IoT Central
Tailwind Traders owns a fleet of delivery vehicles that transport products from warehouses to distribution centers, and from distribution centers to stores and homes. The company is looking for a complete logistics solution that takes data sent from an onboard vehicle computer and turns it into actionable information.
Furthermore, shipments can be outfitted with sensors from a third-party vendor to collect and monitor ambient conditions. These sensors can collect information such as the temperature, humidity, tilt, shock, light, and the location of a shipment.
A few goals of this logistics system include:
- Shipment monitoring with real-time tracing and tracking.
- Shipment integrity with real-time ambient condition monitoring.
- Security from theft, loss, or damage of shipments.
- Geo-fencing, route optimization, fleet management, and vehicle analytics.
- Forecasting for predictable departure and arrival of shipments.
The company would prefer a pre-built solution to collect the sensor and vehicle computer data, and provide a graphical user interface that displays reports about shipments and vehicles.
Which service should you choose?
Here again, apply the decision criteria that you learned about earlier.
First, is it critical to ensure that the device or, in this case, each sensor and vehicle computer, isn’t compromised? Ideally, each sensor and vehicle computer would be impervious to interference. However, security was not mentioned as a critical concern at this point. The vehicle computers and sensors are built by a third-party vendor and, unless Tailwind Traders wants to manufacture its own devices (which it doesn’t), the company will be forced to use hardware that’s already available.
Second, does Tailwind Traders need a dashboard for reporting and management? Yes, a reporting and management dashboard is a requirement.
Based on these responses to the decision criteria, Azure IoT Central is the best choice in this scenario. The Connected Logistics starter template provides an out-of-box dashboard that will satisfy many of these requirements. This dashboard is preconfigured to showcase the critical logistics device operations activity. Admittedly, the dashboard might need to be reconfigured to remove sea vessel gateways, but the truck gateway functionality would be almost exactly what Tailwind Traders needs.
Why not use IoT Hub?
If Tailwind Traders uses IoT Central, the company would actually be using an IoT hub that’s preconfigured for its specific needs by the Connected Logistics starter template. Otherwise, the company would need to do a lot of custom development to build its own cloud-based dashboards and management systems on top of Azure IoT Hub.
Why not use Azure Sphere?
Azure Sphere provides a complete solution for scenarios where security is critical. In this scenario, security is ideal, but not a critical priority. Although Azure Sphere provides an end-to-end solution that includes hardware, Tailwind Traders will use hardware from a third-party vendor. So, in this scenario, Azure Sphere is not necessary.
Use Azure Sphere
Tailwind Traders wants to implement a touchless point-of-sale solution for self-checkout. The self-checkout terminals should be, above all else, secure. Each terminal must be impervious to malicious code that could create fraudulent transactions, force the company to take the systems offline during a heavy shopping period, or send transactional data to a spying organization. The terminals should also report back vital information on the company’s health and allow secure updates to its software remotely.
After reviewing many possible solutions during a request for proposal process, Tailwind Traders decides that it needs features that vendors have yet to implement. Instead of using an existing solution, the company decides to work with a leading engineering firm that specializes in IoT solutions. This approach allows the company to build a uniquely secure terminal that gives it a retail platform to build on going forward.
Although most of the company’s focus is on the terminal itself, Tailwind Traders realizes that it wants a solution that can help it make sense of all the data that will be generated by these terminals across all of its retail stores. And it wants an easy way to push software updates to its terminals.
Which service should you choose?
Again, apply the decision criteria as you’ve been doing.
First, is it critical to ensure that the device or, in this case, each point-of-sale terminal, is not compromised? Absolutely. Device security is the primary requirement.
Next, does Tailwind Traders need a dashboard for reporting and management? Yes, the company requires a reporting and management dashboard.
So, given the responses to the decision criteria, the IoT engineering firm will build a platform on top of both Azure IoT Central and Azure Sphere. Even though no specific starter template is available in Azure IoT Central for this scenario, one can easily be adapted to accommodate the kinds of reports the company wants to see and the management operations it wants to perform.
Why not choose IoT Hub?
By using IoT Central, Tailwind Traders would actually be using Azure IoT Hub behind the scenes as well.
Summary
Our goal in this module was to help Tailwind Traders explore various IoT services from Azure and choose the best service for the company’s business scenarios.
Tailwind Traders was able to capture telemetry data from appliances, combine it with some machine learning to predict future maintenance, and create a significant value-added service for customers by using Azure IoT Hub. The company was able to implement a complete real-time logistics system to track deliveries and vehicles by using Azure IoT Central and the Connected Logistics starter template. And, finally, it was able to design and build a secure, modern, point-of-sale self-checkout terminal by using Azure Sphere.
Without Azure IoT services, receiving messages from devices might still be possible, but it would likely be much less secure and require custom development to implement a dashboard for reporting and management. It would also be more difficult to push software or firmware updates to each device.
IoT is an exciting evolution in computing that bridges the physical and digital worlds. Azure IoT services provide a significant amount of functionality for organizations that want to build device-driven and sensor-driven solutions.
Further reading
Azure Sphere development kits provide everything you need to start prototyping and developing Azure Sphere applications. Order a kit and start taking advantage of the rich development experience in Visual Studio. Get started with Azure Sphere.
Introduction
IoT bridges the physical and digital worlds by enabling devices with sensors and an internet connection to communicate with cloud-based systems via the internet.
Tailwind Traders sees many opportunities to use Azure IoT services across many different facets of their operations, from new product development to logistics and point-of-sale.
In this module, you’ll help Tailwind Traders select the right Azure IoT service offering for its business scenarios. By evaluating the services in relation to a set of decision criteria, you’ll learn about what the various services do, how they’re different or complementary, and when to use one or the other.
Learning objectives
After you’ve completed this module, you’ll be able to:
- Choose the Azure IoT service that best addresses your business scenario.
Prerequisites
- Familiarity with basic computing concepts and terminology
- Familiarity with cloud computing is helpful but not necessary
Identify the product options
IoT enables devices to gather and then relay information for data analysis. Smart devices are equipped with sensors that collect data. A few common sensors that measure attributes of the physical world include:
- Environmental sensors that capture temperature and humidity levels.
- Barcode, QR code, or optical character recognition (OCR) scanners.
- Geo-location and proximity sensors.
- Light, color, and infrared sensors.
- Sound and ultrasonic sensors.
- Motion and touch sensors.
- Accelerometer and tilt sensors.
- Smoke, gas, and alcohol sensors.
- Error sensors to detect when there’s a problem with the device.
- Mechanical sensors that detect anomalies or deformations.
- Flow, level, and pressure sensors for measuring gases and liquids.
By using Azure IoT services, devices that are equipped with these kinds of sensors and that can connect to the internet could send their sensor readings to a specific endpoint in Azure via a message. The message’s data is then collected and aggregated, and it can be converted into reports and alerts. Alternatively, all devices could be updated with new firmware to fix issues or add new functionality by sending software updates from Azure IoT services to each device.
Let’s suppose your company manufactures and operates smart refrigerated vending machines. What kinds of information would you want to monitor? You might want to ensure that:
- Each machine is operating without any errors.
- The machines haven’t been compromised.
- The machines’ refrigeration systems are keeping their contents within a certain temperature range.
- You’re notified when products reach a certain inventory level so you can restock the machines.
If the hardware of your vending machines can collect and send this information in a standard message, the messages each machine sends can be received, stored, organized, and displayed by using Azure IoT services.
The data that’s collected from these devices could be combined with Azure AI services to help you predict:
- When machines need proactive maintenance.
- When inventories will need to be replenished and new product ordered from vendors.
Many services can assist and drive end-to-end solutions for IoT on Azure.
Azure IoT Hub
Azure IoT Hub is a managed service that’s hosted in the cloud and that acts as a central message hub for bi-directional communication between your IoT application and the devices it manages. You can use Azure IoT Hub to build IoT solutions with reliable and secure communications between millions of IoT devices and a cloud-hosted solution back end. You can connect virtually any device to your IoT hub.
Introduction
Artificial Intelligence (AI) is a category of computing that adapts and improves its decision-making ability over time based on its successes and failures. Microsoft Azure provides several AI solutions to choose from, each one depending on the problem you’re trying to solve.
Tailwind Traders, a traditional brick-and-mortar retailer that has experienced explosive online sales growth, faces exciting challenges as it seeks to improve its e-commerce and service operations. Microsoft’s AI services might be a good fit for one of the company’s new initiatives, but Tailwind Traders needs help to better understand which product option is best for each scenario.
In this module, you’ll learn about the various Microsoft AI services, and you’ll analyze the decision criteria that experts use to select the right service for a specified scenario.
Learning objectives
After completing this module, you’ll be able to:
- Choose the Azure AI services that best address your company’s business challenges.
Prerequisites
- Familiarity with the concept of application programming interfaces, or APIs. Programmers use APIs to interact with the functionality that’s contained in code libraries.
- Familiarity with the following additional concepts:
  - Web API: An API that’s accessible from servers that accept requests via HTTP.
  - Web API endpoint: The location of the code library.
  - REST API: The design of the URL style that’s used to expose the API’s functionality.
Identify the product options
AI is a broad classification of computing that allows a software system to perceive its environment and take action that maximizes its chance of successfully achieving its goals. A goal of AI is to create a software system that’s able to adapt, or learn something on its own without being explicitly programmed to do it.
There are two basic approaches to AI. The first is to employ a deep learning system that’s modeled on the neural network of the human mind, enabling it to discover, learn, and grow through experience.
The second approach is machine learning, a data science technique that uses existing data to train a model, test it, and then apply the model to new data to forecast future behaviors, outcomes, and trends.
Forecasts or predictions from machine learning can make apps and devices smarter. For example, when you shop online, machine learning powers product recommendation systems that offer additional products based on what you’ve bought and on what other shoppers who purchased similar items have bought in the past.
Machine learning is also used to detect credit card fraud by analyzing each new transaction and using what it has learned from analyzing millions of fraudulent transactions.
Virtually every device or software system that collects textual, visual, and audio data could feed a machine learning model that makes that device or software system smarter about how it functions in the future.
Azure product options
At a high level, there are three primary product offerings from Microsoft, each of which is designed for a specific audience and use case. Each option provides a diverse set of tools, services, and programmatic APIs. In this module, we’ll merely scratch the surface of the options’ capabilities.
Azure Machine Learning
Azure Machine Learning is a platform for making predictions. It consists of tools and services that allow you to connect to data to train and test models to find one that will most accurately predict a future result. After you’ve run experiments to test the model, you can deploy and use it in real time via a web API endpoint.
With Azure Machine Learning, you can:
- Create a process that defines how to obtain data, how to handle missing or bad data, how to split the data into either a training set or test set, and deliver the data to the training process.
- Train and evaluate predictive models by using tools and programming languages familiar to data scientists.
- Create pipelines that define where and when to run the compute-intensive experiments that are required to score the algorithms based on the training and test data.
- Deploy the best-performing algorithm as an API to an endpoint so it can be consumed in real time by other applications.
Choose Azure Machine Learning when your data scientists need complete control over the design and training of an algorithm using your own data. The following video discusses the basic steps required to set up a machine learning system.
Azure Cognitive Services
Azure Cognitive Services provides prebuilt machine learning models that enable applications to see, hear, speak, understand, and even begin to reason. Use Azure Cognitive Services to solve general problems, such as analyzing text for emotional sentiment or analyzing images to recognize objects or faces. You don’t need special machine learning or data science knowledge to use these services. Developers access Azure Cognitive Services via APIs and can easily include these features in just a few lines of code.
While Azure Machine Learning requires you to bring your own data and train models over that data, Azure Cognitive Services, for the most part, provides pretrained models so that you can bring in your live data to get predictions on.
Azure Cognitive Services can be divided into the following categories:
- Language services: Allow your apps to process natural language with prebuilt scripts, evaluate sentiment, and learn how to recognize what users want.
- Speech services: Convert speech into text and text into natural-sounding speech. Translate from one language to another and enable speaker verification and recognition.
- Vision services: Add recognition and identification capabilities when you’re analyzing pictures, videos, and other visual content.
- Decision services: Add personalized recommendations for each user that automatically improve each time they’re used, moderate content to monitor and remove offensive or risky content, and detect abnormalities in your time series data.
Azure Bot Service
Azure Bot Service and Bot Framework are platforms for creating virtual agents that understand and reply to questions just like a human. Azure Bot Service is a bit different from Azure Machine Learning and Azure Cognitive Services in that it has a specific use case. Namely, it creates a virtual agent that can intelligently communicate with humans. Behind the scenes, the bot you build uses other Azure services, such as Azure Cognitive Services, to understand what its human counterparts are asking for.
Bots can be used to shift simple, repetitive tasks, such as taking a dinner reservation or gathering profile information, onto automated systems that might no longer require direct human intervention. Users converse with a bot by using text, interactive cards, and speech. A bot interaction can be a quick question and answer, or it can be a sophisticated conversation that intelligently provides access to services.
Analyze the decision criteria
In this unit, you’ll analyze the criteria that experts employ when they choose an AI service for a specific business need. Understanding the criteria can also help you better understand the nuanced differences among the products.
Are you building a virtual agent that interfaces with humans via natural language?
Use Azure Bot Service when you need to create a virtual agent to interact with humans by using natural language. Bot Service integrates knowledge sources, natural language processing, and form factors to allow interaction across different channels.
Bot Service solutions usually rely on other AI services for such things as natural language understanding or even translation for localizing replies into a customer’s preferred language.
Before you jump in to build a custom chat experience by using Bot Service, it might make sense to search for prebuilt, no-code solutions that cover common scenarios. For example, you can use QnA Maker, which is available from Azure Marketplace, to build, train, and publish a sophisticated bot that uses FAQ pages, support websites, product manuals, SharePoint documents, or editorial content through an easy-to-use UI or via REST APIs.
Likewise, Power Virtual Agents integrates with Microsoft Power Platform so that you can use hundreds of prebuilt connectors for data input. You can extend Power Virtual Agents by building custom workflows with Power Automate, and if you feel that the out-of-the-box experience is too limiting, you can still build more complex interactions with Microsoft Bot Framework.
Do you need a service that can understand the content and meaning of images, video, or audio, or that can translate text into a different language?
Use Azure Cognitive Services when it comes to general purpose tasks, such as performing speech to text, integrating with search, or identifying the objects in an image. Azure Cognitive Services is general purpose, meaning that many different kinds of customers can benefit from the work that Microsoft has already done to train and test these models and offer them inexpensively at scale.
Do you need to predict user behavior or provide users with personalized recommendations in your app?
The Azure Cognitive Services Personalizer service watches your users’ actions within an application. You can use Personalizer to predict their behavior and provide relevant experiences as it identifies usage patterns. Here again, you could capture and store user behavior and create your own custom Azure Machine Learning solution to do these things, but this approach would require much effort and expense.
Will your app predict future outcomes based on private historical data?
Choose Azure Machine Learning when you need to analyze data to predict future outcomes. For example, suppose you need to analyze years’ worth of financial transactions to discover new patterns that could help you create new products and services for your company’s clients and then offer those new services during routine customer service calls. When you’re working with proprietary data, you’ll likely need to build a more custom-tailored machine learning model.
Do you need to build a model by using your own data or perform a different task than those listed above?
Use Azure Machine Learning for maximum flexibility. Data scientists and AI engineers can use the tools they’re familiar with and the data you provide to develop deep learning and machine learning models that are tuned for your particular requirements.
Use Machine Learning for decision support systems
The Tailwind Traders e-commerce website allows its customers to browse and purchase items that can be delivered or picked up from a retail store nearest to their location.
The Marketing team is convinced that it can increase sales dramatically by suggesting add-on products that complement the items in a shopper’s cart at the point of checkout. The team could hard-code these suggestions, but it feels that a more organic approach would be to use its years’ worth of sales data as well as new shopping trends to decide what products to display to the shopper. Additionally, the suggestions could be influenced by product availability, product profitability, and other factors.
The Marketing team’s existing data science experts have already done some initial analysis of the problem domain, and have determined that its plan might take months to prototype, and possibly a year to roll out.
Which service should you choose?
Let’s apply the decision criteria you learned about in the preceding unit to find the right option.
First, is Tailwind Traders building a virtual agent that interfaces with humans via natural language? No, it is not, so Azure Bot Service is not a good candidate for this scenario.
Second, does Tailwind Traders need a service that can understand the content and meaning of images, video, audio, or translate text into a different language? No, it doesn’t, so the relevant Cognitive Services will not help the company.
Third, does Tailwind Traders need to predict user behavior or provide users with personalized recommendations? Yes, it does. However, creating recommendations based on user behavior is only part of the requirement. Tailwind Traders needs to create a complex model that incorporates historical sales data, trending sales data, inventory, and more. It’s possible that the Azure Cognitive Services Personalizer service could play a role, but it couldn’t handle the entire breadth of the project alone.
Fourth, will the Tailwind Traders app predict future outcomes based on private historical data? Yes, and that is why in this scenario, Azure Machine Learning is likely the best choice.
The success of this effort would depend primarily on the ability of the model to select precisely the right up-sale products to suggest to the shopper. Because the model would need to be tweaked and tuned over time, an off-the-shelf model would likely not suffice.
Finally, it sounds like the Marketing team already employs some data science experts, and the team is willing to make at least a year-long commitment to building, testing, and tweaking the models to be used.
Use Cognitive Services for data analysis
The first generation of the Tailwind Traders e-commerce website was available exclusively in English. However, when the Marketing team sponsored a demographics study for the company’s brick-and-mortar locations, it found that, on average, only 80 percent of potential customers speak English. In some neighborhoods, that number falls to 50 percent. The team sees the addition of multiple languages as a wonderful opportunity to serve non-English speakers with the same online e-commerce experience as English speakers.
Which service should you choose?
As in the preceding unit, apply the decision criteria you learned about earlier to find the right option.
First, is Tailwind Traders building a virtual agent that interfaces with humans via natural language? No, it is not, so Azure Bot Service is not a good candidate for this scenario. However, should Tailwind Traders ever implement a customer service agent, it might want to consider using the Translator API to provide real-time translation to help customers who are not English speakers.
Second, does Tailwind Traders need a service that can understand the content and meaning of images, video, audio, or translate text into a different language? Yes, it does. Translating textual content from one language into another is a general purpose task that you can simplify by using the Azure Cognitive Services Translator service. The service is easy to integrate into your applications, websites, tools, and solutions. It allows you to add multilanguage user experiences in more than 60 languages, and you can use it on any hardware platform with any operating system for text-to-text language translation.
Azure Cognitive Services is likely the best option for this scenario, but let’s continue applying the decision criteria to make sure.
Third, does Tailwind Traders need to predict user behavior or provide users with personalized recommendations? No, it doesn’t, so the Azure Cognitive Services Personalizer is not a good candidate for this scenario.
Finally, will the Tailwind Traders app need to predict future outcomes based on private historical data? No. Although it’s possible to create a Machine Learning model for multilanguage translation, it would be expensive and time consuming for Tailwind Traders to attempt to build translation models themselves. The team has neither the deep learning competency nor the linguistic data that’s required to train the models.
Now that you’ve examined all the expert criteria, you can confidently select Cognitive Services as the best product option for this scenario.
Use Bot Service for interactive chat experiences
The Customer Service team has long asked for a virtual agent to handle the vast majority of questions it gets asked. No matter how prominent it makes the answers to the most frequently asked questions on the website, shoppers are impatient and perceive contact in a chat window as saving them time.
The team wants shoppers to feel as though they’re interacting with a real human. When it becomes clear that the virtual agent can’t provide an answer, the chat session should be transferred to a human.
Providing a virtual agent would decrease the amount of time it takes for all shoppers to receive answers. The virtual agent could answer most questions, which would free up human customer service agents to provide support for more difficult questions or thorny account-related issues.
Which service should you choose?
Once again, apply the decision criteria you’re now familiar with to find the right product.
First, is Tailwind Traders building a virtual agent that interfaces with humans via natural language? Yes, it is. Azure Bot Service should be used in this scenario to implement a virtual agent chat experience. Bot Service could benefit from the information on the website’s Frequently Asked Questions page, along with thousands of chat sessions that have been stored between shoppers and customer service representatives. Customer Service supervisors can test and tweak the answers to continue to refine the chat experience.
Even though you’ve likely found the best option for this scenario, keep applying the decision criteria to see whether any additional options might work.
Second, does Tailwind Traders need a service that can understand the content and meaning of images, video, audio, or translate text into a different language? Possibly, yes. In this scenario, Azure Cognitive Services could be used along with Bot Service to build the solution. To expedite implementation, the developers could explore using prebuilt solutions, such as QnA Maker (part of Cognitive Services) or Power Virtual Agents. Also, any Azure Bot solution would likely implement several Azure Cognitive Services, such as Language Understanding (LUIS) and possibly Translator, to translate from the shopper’s language to English and back again.
Third, does Tailwind Traders need to predict user behavior or provide users with personalized recommendations? No, it doesn’t. Azure Cognitive Services Personalizer is not a good candidate for this scenario.
Finally, will the Tailwind Traders app need to predict future outcomes based on private historical data? No. Although Tailwind Traders does have historical data to feed into a model, which would make it possible to use Azure Machine Learning to create a chat solution, another option is already tailored for the chat bot experience.
Summary
Our goal in this module was to help Tailwind Traders explore several AI service offerings from Azure that it can apply to various business opportunities.
You identified a few product options and their capabilities, including Azure Bot Service, Azure Cognitive Services, and Azure Machine Learning. You analyzed certain decision criteria to help yourself choose one option over another depending on the scenario. Then you applied those decision criteria to three Tailwind Traders initiatives, helping the company find the best service option for each scenario.
Without AI services, Tailwind Traders would spend more time and effort on manual tasks, respond to customers less quickly, offer weak product recommendations, and be unable to fully support customers who speak languages other than English.
AI is one focus that could transform every area of a business. Such transformation is limited only by the creativity and imagination of the organization.
Learn more
This module discussed several products and services that you can learn more about:
- For an exhaustive list of services available in Azure Cognitive Services, see What are Azure Cognitive Services?
- The Cognitive Services Personalizer service was mentioned as a possible solution for one of the scenarios. For more information, see Cognitive Services Personalizer.
- Azure Language Understanding (LUIS) was mentioned as a way to interact with the Bot Service by using natural language. For more information, see Azure Language Understanding.
- QnA Maker was mentioned as a pre-packaged virtual assistant solution available from Azure Marketplace. For more information, see QnA Maker.
Introduction
In this module, you’ll learn about some of the security tools that can help keep your infrastructure and data safe when you work in the cloud.
Security is a small word for a significant concept. There are so many factors to consider in order to protect your applications and your data. How does Azure help you protect workloads that you run in the cloud and in your on-premises datacenter?
Meet Tailwind Traders
Tailwind Traders is a fictitious home improvement retailer. It operates retail hardware stores across the globe and online.
Tailwind Traders specializes in competitive pricing, fast shipping, and a large range of items. It’s looking at cloud technologies to improve business operations and support growth into new markets. By moving to the cloud, the company plans to enhance its shopping experience to further differentiate itself from competitors.
How will Tailwind Traders run securely in the cloud and in the datacenter?
Tailwind Traders runs a mix of workloads on Azure and in its datacenter.
The company needs to ensure that all of its systems meet a minimum level of security, and that its information is protected from attacks. The company also needs a way to collect and act on security events from across its digital estate.
Let’s explore how Tailwind Traders can use some of the tools and features in Azure as part of its overall security strategy.
Learning objectives
After completing this module, you’ll be able to:
- Strengthen your security posture and protect against threats by using Azure Security Center.
- Collect and act on security data from many different sources by using Azure Sentinel.
- Store and access sensitive information such as passwords and encryption keys securely in Azure Key Vault.
- Manage dedicated physical servers to host your Azure VMs for Windows and Linux by using Azure Dedicated Host.
Prerequisites
- You should be familiar with basic computing concepts and terminology.
- Familiarity with cloud computing is helpful but isn’t necessary.
Protect against security threats by using Azure Security Center
Tailwind Traders is broadening its use of Azure services. It still has on-premises workloads with current security-related configuration best practices and business procedures. How does the company ensure that all of its systems meet a minimum level of security and that its information is protected from attacks?
Many Azure services include built-in security features. Tools on Azure can also help Tailwind Traders with this requirement. Let’s start by looking at Azure Security Center.
What’s Azure Security Center?
Azure Security Center is a monitoring service that provides visibility of your security posture across all of your services, both on Azure and on-premises. The term security posture refers to cybersecurity policies and controls, as well as how well you can predict, prevent, and respond to security threats.
Security Center can:
- Monitor security settings across on-premises and cloud workloads.
- Automatically apply required security settings to new resources as they come online.
- Provide security recommendations that are based on your current configurations, resources, and networks.
- Continuously monitor your resources and perform automatic security assessments to identify potential vulnerabilities before those vulnerabilities can be exploited.
- Use machine learning to detect and block malware from being installed on your virtual machines (VMs) and other resources. You can also use adaptive application controls to define rules that list allowed applications to ensure that only applications you allow can run.
- Detect and analyze potential inbound attacks and investigate threats and any post-breach activity that might have occurred.
- Provide just-in-time access control for network ports. Doing so reduces your attack surface by ensuring that the network allows only the traffic that you require, and only at the time that you need it.
This short video explains how Security Center can help harden your networks, secure and monitor your cloud resources, and improve your overall security posture.
Understand your security posture
Tailwind Traders can use Security Center to get a detailed analysis of different components in its environment. Because the company’s resources are analyzed against the security controls of any governance policies it has assigned, it can view its overall regulatory compliance from a security perspective all from one place.
See the following example of what you might see in Azure Security Center.
Let’s say that Tailwind Traders must comply with the Payment Card Industry’s Data Security Standard (PCI DSS). This report shows that the company has resources that it needs to remediate.
In the Resource security hygiene section, Tailwind Traders can see the health of its resources from a security perspective. To help prioritize remediation actions, recommendations are categorized as low, medium, and high. Here’s an example.
What’s secure score?
Secure score is a measurement of an organization’s security posture.
Secure score is based on security controls, or groups of related security recommendations. Your score is based on the percentage of security controls that you satisfy. The more security controls you satisfy, the higher the score you receive. Your score improves when you remediate all of the recommendations for a single resource within a control.
Here’s an example from the Azure portal showing a score of 57 percent, or 34 out of 60 points.
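The scoring rule described above, as an added Python example (not Azure's own code or output). It assumes each control awards its maximum points in proportion to the share of resources that have no open recommendation in that control; the control names, point values and resources are constructed so that the total matches the 34 out of 60 points quoted here.

```python
"""Secure score model (added example; constructed data, not Azure output)."""

# Constructed inventory: control -> (max points, {resource: open recommendations}).
# A resource with an empty list has no open recommendation in that control.
CONTROLS = {
    "Enable MFA": (20, {
        "subscription-a": [],
        "subscription-b": ["MFA for owners", "MFA for writers"],
    }),
    "Secure management ports": (16, {
        "vm-web-1": [], "vm-web-2": [], "vm-db-1": [],
        "vm-pos-1": ["Close open management ports"],
    }),
    "Apply system updates": (12, {
        "vm-web-1": [], "vm-web-2": [],
        "vm-db-1": ["Install missing OS updates"],
    }),
    "Enable encryption at rest": (12, {
        "vm-web-1": ["Encrypt OS disk"],
        "vm-db-1": ["Encrypt OS disk", "Encrypt data disk"],
        "storage-logs": [],
    }),
}


def control_points(max_points, resources):
    """Points earned for one control (assumed rule): the maximum scaled by the
    share of resources with no open recommendation in the control."""
    healthy = sum(1 for open_recs in resources.values() if not open_recs)
    return max_points * healthy / len(resources)


def secure_score(controls):
    """Return (earned points, maximum points, rounded percentage)."""
    earned = sum(control_points(m, r) for m, r in controls.values())
    maximum = sum(m for m, _ in controls.values())
    return earned, maximum, round(100 * earned / maximum)


def remediate(controls, control, resource, recommendation):
    """Return a copy of the inventory with one recommendation closed."""
    updated = {name: (m, {res: list(recs) for res, recs in r.items()})
               for name, (m, r) in controls.items()}
    updated[control][1][resource].remove(recommendation)
    return updated


def worst_first(controls):
    """Rank controls by points still missing, to prioritise remediation."""
    gaps = {name: m - control_points(m, r) for name, (m, r) in controls.items()}
    return sorted(gaps.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    print("baseline:", secure_score(CONTROLS))
    # Closing one of two open recommendations on a resource changes nothing.
    partial = remediate(CONTROLS, "Enable MFA", "subscription-b", "MFA for owners")
    print("one of two fixed:", secure_score(partial))
    # Closing the last one makes the resource healthy and the score moves.
    full = remediate(partial, "Enable MFA", "subscription-b", "MFA for writers")
    print("both fixed:", secure_score(full))
    print("largest gaps:", worst_first(CONTROLS))
```

The partial remediation leaves the score unchanged because the resource still has an open recommendation in that control, which is why clearing a control resource by resource pays off faster than spreading fixes thinly.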
Following the secure score recommendations can help protect your organization from threats. From a centralized dashboard in Azure Security Center, organizations can monitor and work on the security of their Azure resources like identities, data, apps, devices, and infrastructure.
Secure score helps you:
- Report on the current state of your organization’s security posture.
- Improve your security posture by providing discoverability, visibility, guidance, and control.
- Compare with benchmarks and establish key performance indicators (KPIs).
Protect against threats
Security Center includes advanced cloud defense capabilities for VMs, network security, and file integrity. Let’s look at how some of these capabilities apply to Tailwind Traders.
- Just-in-time VM access: Tailwind Traders will configure just-in-time access to VMs. This access blocks traffic by default to specific network ports of VMs, but allows traffic for a specified time when an admin requests and approves it.
- Adaptive application controls: Tailwind Traders can control which applications are allowed to run on its VMs. In the background, Security Center uses machine learning to look at the processes running on a VM. It creates exception rules for each resource group that holds the VMs and provides recommendations. This process provides alerts that inform the company about unauthorized applications that are running on its VMs.
- Adaptive network hardening: Security Center can monitor the internet traffic patterns of the VMs, and compare those patterns with the company’s current network security group (NSG) settings. From there, Security Center can make recommendations about whether the NSGs should be locked down further and provide remediation steps.
- File integrity monitoring: Tailwind Traders can also configure the monitoring of changes to important files on both Windows and Linux, registry settings, applications, and other aspects that might indicate a security attack.
Respond to security alerts
Tailwind Traders can use Security Center to get a centralized view of all of its security alerts. From there, the company can dismiss false alerts, investigate them further, remediate alerts manually, or use an automated response with a workflow automation.
Workflow automation uses Azure Logic Apps and Security Center connectors. The logic app can be triggered by a threat detection alert or by a Security Center recommendation, filtered by name or by severity. You can then configure the logic app to run an action, such as sending an email, or posting a message to a Microsoft Teams channel.
Detect and respond to security threats by using Azure Sentinel
Security management on a large scale can benefit from a dedicated security information and event management (SIEM) system. A SIEM system aggregates security data from many different sources (as long as those sources support an open-standard logging format). It also provides capabilities for threat detection and response.
Azure Sentinel is Microsoft’s cloud-based SIEM system. It uses intelligent security analytics and threat analysis.
Azure Sentinel capabilities
Azure Sentinel enables you to:
- Collect cloud data at scale: Collect data across all users, devices, applications, and infrastructure, both on-premises and from multiple clouds.
- Detect previously undetected threats: Minimize false positives by using Microsoft’s comprehensive analytics and threat intelligence.
- Investigate threats with artificial intelligence: Examine suspicious activities at scale, tapping into years of cybersecurity experience from Microsoft.
- Respond to incidents rapidly: Use built-in orchestration and automation of common tasks.
Connect your data sources
Tailwind Traders decides to explore the capabilities of Azure Sentinel. First, the company identifies and connects its data sources.
Azure Sentinel supports a number of data sources, which it can analyze for security events. These connections are handled by built-in connectors or industry-standard log formats and APIs.
- Connect Microsoft solutions: Connectors provide real-time integration for services like Microsoft Threat Protection solutions, Microsoft 365 sources (including Office 365), Azure Active Directory, and Windows Defender Firewall.
- Connect other services and solutions: Connectors are available for common non-Microsoft services and solutions, including AWS CloudTrail, Citrix Analytics (Security), Sophos XG Firewall, VMware Carbon Black Cloud, and Okta SSO.
- Connect industry-standard data sources: Azure Sentinel supports data from other sources that use the Common Event Format (CEF) messaging standard, Syslog, or REST API.
Detect threats
Tailwind Traders needs to be notified when something suspicious occurs. It decides to use both built-in analytics and custom rules to detect threats.
Built-in analytics use templates designed by Microsoft’s team of security experts and analysts based on known threats, common attack vectors, and escalation chains for suspicious activity. These templates can be customized and search across the environment for any activity that looks suspicious. Some templates use machine learning behavioral analytics that are based on Microsoft proprietary algorithms.
Custom analytics are rules that you create to search for specific criteria within your environment. You can preview the number of results that the query would generate (based on past log events) and set a schedule for the query to run. You can also set an alert threshold.
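The CEF data source and the custom rule described above (query, schedule, alert threshold, preview against past events), as one added Python example. It is not KQL and not Azure Sentinel's own engine; the log lines, the ExampleCorp POSGateway device, the field choices and the rule values are all constructed.

```python
"""Added example: parse CEF lines, then evaluate a scheduled threshold rule.
All log lines, vendor and product names and rule values are constructed."""
import re
from collections import Counter

HEADER_FIELDS = ["version", "vendor", "product", "device_version",
                 "event_class_id", "name", "severity"]
_EXT_KEY = re.compile(r"(?:^|\s)(\w+)=")

# Constructed sample: syslog-prefixed CEF from a hypothetical POS gateway.
SAMPLE_LOG = r"""
<134>Nov 14 22:13:30 pos-gw-01 CEF:0|ExampleCorp|POSGateway|1.0|4625|Logon failed \| terminal|5|rt=1700000010000 src=203.0.113.7 suser=alice outcome=failure msg=Bad PIN attempts\=3 on terminal 12
<134>Nov 14 22:14:00 pos-gw-01 CEF:0|ExampleCorp|POSGateway|1.0|4625|Logon failed|5|rt=1700000040000 src=203.0.113.7 suser=bob outcome=failure
<134>Nov 14 22:14:10 pos-gw-01 heartbeat ok
<134>Nov 14 22:14:30 pos-gw-01 CEF:0|ExampleCorp|POSGateway|1.0|4625|Logon failed|5|rt=1700000070000 src=203.0.113.7 suser=carol outcome=failure
<134>Nov 14 22:15:00 pos-gw-01 CEF:0|ExampleCorp|POSGateway|1.0|4625|Logon failed|5|rt=1700000100000 src=203.0.113.7 suser=dave outcome=failure
<134>Nov 14 22:15:30 pos-gw-01 CEF:0|ExampleCorp|POSGateway|1.0|4625|Logon failed|5|rt=1700000130000 src=198.51.100.20 suser=erin outcome=failure
<134>Nov 14 22:16:00 pos-gw-01 CEF:0|ExampleCorp|POSGateway|1.0|4624|Logon ok|1|rt=1700000160000 src=198.51.100.20 suser=erin outcome=success
<134>Nov 14 22:25:00 pos-gw-01 CEF:0|ExampleCorp|POSGateway|1.0|4625|Logon failed|5|rt=1700000700000 src=203.0.113.7 suser=alice outcome=failure
"""


def split_header(text):
    """Split on unescaped '|' into 7 header fields plus the raw extension."""
    fields, buf, i = [], [], 0
    while i < len(text) and len(fields) < len(HEADER_FIELDS):
        ch = text[i]
        if ch == "\\" and text[i + 1:i + 2] in ("\\", "|"):
            buf.append(text[i + 1])   # keep the escaped character literally
            i += 2
            continue
        if ch == "|":
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    if len(fields) < len(HEADER_FIELDS):
        raise ValueError("incomplete CEF header")
    return fields, text[i:]


def parse_cef(line):
    """Return header fields plus an 'ext' dict; ValueError if not CEF."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF marker")
    fields, ext = split_header(line[start + 4:])
    event = dict(zip(HEADER_FIELDS, fields))
    keys = list(_EXT_KEY.finditer(ext))
    event["ext"] = {}
    for m, nxt in zip(keys, keys[1:] + [None]):
        # A value runs until the next " key=" so it may contain spaces.
        raw = ext[m.end():nxt.start() if nxt else len(ext)].strip()
        event["ext"][m.group(1)] = re.sub(r"\\([=\\])", r"\1", raw)
    return event


def load_events(log_text):
    """Parse every line; return (normalised events, number of skipped lines)."""
    events, skipped = [], 0
    for line in filter(None, map(str.strip, log_text.splitlines())):
        try:
            ext = parse_cef(line)["ext"]
            events.append({"rt": int(ext["rt"]) // 1000, "src": ext["src"],
                           "outcome": ext["outcome"]})
        except (ValueError, KeyError):
            skipped += 1   # count unparseable lines so the gap is visible
    return events, skipped


def run_rule(events, now, lookback, threshold):
    """One scheduled run: sources with more than `threshold` failed logons
    in the window (now - lookback, now]. Times are epoch seconds."""
    counts = Counter(e["src"] for e in events
                     if e["outcome"] == "failure" and now - lookback < e["rt"] <= now)
    return {src: n for src, n in counts.items() if n > threshold}


def preview(events, start, end, every, lookback, threshold):
    """Replay the schedule over past events; list the runs that would alert."""
    return [(t, hits) for t in range(start, end + 1, every)
            if (hits := run_rule(events, t, lookback, threshold))]


if __name__ == "__main__":
    parsed, skipped = load_events(SAMPLE_LOG)
    print(f"{len(parsed)} events parsed, {skipped} line(s) skipped")
    print(preview(parsed, 1700000300, 1700000900, 300, 300, 3))
```

Replaying the schedule with a higher threshold before enabling a rule shows how many alerts it would have raised, which is the tuning step the preview is for.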
Investigate and respond
When Azure Sentinel detects suspicious events, Tailwind Traders can investigate specific alerts or incidents (a group of related alerts). With the investigation graph, the company can review information from entities directly connected to the alert, and see common exploration queries to help guide the investigation.
Here’s an example that shows what an investigation graph looks like in Azure Sentinel.
The company will also use Azure Monitor Workbooks to automate responses to threats. For example, it can set an alert that looks for malicious IP addresses that access the network and create a workbook that does the following steps:
- When the alert is triggered, open a ticket in the IT ticketing system.
- Send a message to the security operations channel in Microsoft Teams or Slack to make sure the security analysts are aware of the incident.
- Send all of the information in the alert to the senior network admin and to the security admin. The email message includes two user option buttons: Block or Ignore.
When an admin chooses Block, the IP address is blocked in the firewall, and the user is disabled in Azure Active Directory. When an admin chooses Ignore, the alert is closed in Azure Sentinel, and the incident is closed in the IT ticketing system.
The workbook continues to run after it receives a response from the admins.
Workbooks can be run manually or automatically when a rule triggers an alert.
Store and manage secrets by using Azure Key Vault
As Tailwind Traders builds its workloads in the cloud, it needs to carefully handle sensitive information such as passwords, encryption keys, and certificates. This information needs to be available for an application to function, but it might allow an unauthorized person access to application data.
Azure Key Vault is a centralized cloud service for storing an application’s secrets in a single, central location. It provides secure access to sensitive information by providing access control and logging capabilities.
What can Azure Key Vault do?
Azure Key Vault can help you:
- Manage secrets: You can use Key Vault to securely store and tightly control access to tokens, passwords, certificates, API keys, and other secrets.
- Manage encryption keys: You can use Key Vault as a key management solution. Key Vault makes it easier to create and control the encryption keys that are used to encrypt your data.
- Manage SSL/TLS certificates: Key Vault enables you to provision, manage, and deploy your public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for both your Azure resources and your internal resources.
- Store secrets backed by hardware security modules (HSMs): These secrets and keys can be protected either by software or by FIPS 140-2 Level 2 validated HSMs.
Here’s an example that shows a certificate used for testing in Key Vault.
You’ll add a secret to Key Vault later in this module.
What are the benefits of Azure Key Vault?
The benefits of using Key Vault include:
- Centralized application secrets: Centralizing the storage for your application secrets enables you to control their distribution, and reduces the chances that secrets are accidentally leaked.
- Securely stored secrets and keys: Azure uses industry-standard algorithms, key lengths, and HSMs. Access to Key Vault requires proper authentication and authorization.
- Access monitoring and access control: By using Key Vault, you can monitor and control access to your application secrets.
- Simplified administration of application secrets: Key Vault makes it easier to enroll and renew certificates from public certificate authorities (CAs). You can also scale up and replicate content within regions and use standard certificate management tools.
- Integration with other Azure services: You can integrate Key Vault with storage accounts, container registries, event hubs, and many more Azure services. These services can then securely reference the secrets stored in Key Vault.
Exercise – Manage a password in Azure Key Vault
This module requires a sandbox to complete. A sandbox gives you access to free resources. Your personal subscription will not be charged. The sandbox may only be used to complete training on Microsoft Learn. Use for any other reason is prohibited, and may result in permanent loss of access to the sandbox.
Microsoft provides this lab experience and related content for educational purposes. All presented information is owned by Microsoft and intended solely for learning about the covered products and services in this Microsoft Learn module.
In this exercise, you add a password to Azure Key Vault. A password is an example of sensitive information that you need to protect. You then read the password from Azure Key Vault to verify that the password is accessible.
In practice, there are several ways to add secrets to and read secrets from Key Vault. You can use the Azure portal, the Azure CLI, or Azure PowerShell. By using your favorite programming language, your applications can also securely access the secrets that they need.
Here, you create a secret in Key Vault by using the Azure portal. You then access the secret from the portal and from the Azure CLI in Azure Cloud Shell.
The Azure CLI is a way to work with Azure resources from the command line or from scripts. Cloud Shell is a browser-based shell experience to manage and develop Azure resources. Think of Cloud Shell as an interactive console that runs in the cloud.
Create a key vault
- Go to the Azure portal.
- On the Azure portal menu, or from the Home page, under Azure services, select Create a resource. The Create a resource pane appears.
- In the search bar, enter Key Vault, and then select Key Vault from the results. The Key Vault pane appears.
- Select Create. The Create a key vault pane appears.
- On the Basics tab, enter the following values for each setting.
Note
Replace NNN with a series of numbers. This helps ensure that the name of your key vault is unique.
| Setting | Value |
| --- | --- |
| Project details | |
| Subscription | Concierge Subscription |
| Resource group | [sandbox resource group name] |
| Instance details | |
| Key vault name | my-keyvault-NNN where NNN is a unique identifier |
Accept the remaining settings at their default values.
- Select Review + create, and after passing validation, select Create.
Wait for deployment to successfully complete.
- Select Go to resource.
- Take note of some of the details about your key vault.
For example, the Vault URI field shows the URI that your application can use to access your vault from the REST API.
Here’s an example for a key vault that’s named my-keyvault-321:
- As an optional step, on the left menu pane, under Settings, examine some of the other features.
Although they’re initially empty, here you’ll find places where you can store keys, secrets, and certificates.
Note
Your Azure subscription is the only one that’s authorized to access this vault. Under Settings, the Access policies feature enables you to configure access to the vault.
Add a password to the key vault
- On the left menu pane, under Settings, select Secrets. Your key vault pane appears.
- From the top menu bar, select Generate/Import. The Create a secret pane appears.
- Fill in the following values for each setting.
| Setting | Value |
| --- | --- |
| Upload options | Manual |
| Name | MyPassword |
| Value | hVFkk96 |
Accept the remaining settings at their default values. Notice that you can specify properties such as the activation date and the expiration date. You can also disable access to the secret.
- Select Create.
Show the password
Here, you access the password from Key Vault two times. First, you access it from the Azure portal. Next, you access it from the Azure CLI.
- From your Key Vault/Secrets pane, select MyPassword. The MyPassword/Versions pane appears. You see that the current version is enabled.
- Select the current version. The Secret Version pane appears.
Under Secret Identifier, you see a URI that you can now use with applications to access the secret. Remember, only authorized applications can access this secret.
- Select Show Secret Value. The unique value for this version of the password appears.
- From Cloud Shell, run this command.
Note
Replace my-keyvault-NNN with the name you used earlier.
```bash
az keyvault secret show \
  --name MyPassword \
  --vault-name my-keyvault-NNN \
  --query value \
  --output tsv
```
You see the password in the output.
```
hVFkk96
```
Good work! At this point, you have a key vault that contains a password secret that’s securely stored for use with your applications.
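The Create a secret pane lets you set an activation date, an expiration date, and whether the secret is enabled. The following added example (not part of the Microsoft exercise) audits those properties over the JSON that `az keyvault secret list` prints. The sample listing is constructed, and the secret names other than MyPassword and the 30-day warning window are assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape `az keyvault secret list` prints as JSON.
# Only MyPassword comes from the exercise; the other secrets are made up.
SAMPLE_LISTING = json.loads("""
[
  {"id": "https://my-keyvault-NNN.vault.azure.net/secrets/MyPassword",
   "name": "MyPassword",
   "attributes": {"enabled": true, "expires": null, "notBefore": null}},
  {"id": "https://my-keyvault-NNN.vault.azure.net/secrets/db-conn",
   "name": "db-conn",
   "attributes": {"enabled": true,
                  "expires": "2021-06-15T00:00:00+00:00", "notBefore": null}},
  {"id": "https://my-keyvault-NNN.vault.azure.net/secrets/old-api-key",
   "name": "old-api-key",
   "attributes": {"enabled": true,
                  "expires": "2021-01-01T00:00:00+00:00", "notBefore": null}},
  {"id": "https://my-keyvault-NNN.vault.azure.net/secrets/next-quarter-key",
   "name": "next-quarter-key",
   "attributes": {"enabled": true,
                  "expires": "2022-07-01T00:00:00+00:00",
                  "notBefore": "2021-07-01T00:00:00+00:00"}},
  {"id": "https://my-keyvault-NNN.vault.azure.net/secrets/retired-token",
   "name": "retired-token",
   "attributes": {"enabled": false, "expires": null, "notBefore": null}},
  {"id": "https://my-keyvault-NNN.vault.azure.net/secrets/storage-key",
   "name": "storage-key",
   "attributes": {"enabled": true,
                  "expires": "2021-12-01T00:00:00+00:00", "notBefore": null}}
]
""")


def parse_ts(value):
    """Parse an ISO 8601 timestamp; treat a missing offset as UTC."""
    if value is None:
        return None
    parsed = datetime.fromisoformat(value)
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def audit_secrets(secrets, now, warn_days=30):
    """Return (secret name, finding) pairs for secrets that need attention."""
    findings = []
    for secret in secrets:
        attrs = secret.get("attributes") or {}
        # Fall back to the last path segment of the identifier for the name.
        name = secret.get("name") or secret["id"].rsplit("/", 1)[-1]
        if not attrs.get("enabled", False):
            findings.append((name, "disabled"))
            continue
        expires = parse_ts(attrs.get("expires"))
        not_before = parse_ts(attrs.get("notBefore"))
        if expires is None:
            findings.append((name, "no-expiry"))
        elif expires <= now:
            findings.append((name, "expired"))
        elif expires - now <= timedelta(days=warn_days):
            findings.append((name, "expires-soon"))
        if not_before is not None and not_before > now:
            findings.append((name, "not-yet-active"))
    return findings


if __name__ == "__main__":
    # Fixed "now" so the constructed sample gives the same result every run.
    as_of = datetime(2021, 6, 1, tzinfo=timezone.utc)
    for name, finding in audit_secrets(SAMPLE_LISTING, as_of):
        print(f"{name}: {finding}")
```

The listing contains only names and attributes, never secret values, so this audit can run with list permission alone.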
Clean up
The sandbox automatically cleans up your resources when you’re finished with this module.
When you’re working in your own subscription, it’s a good idea at the end of a project to identify whether you still need the resources you created. Resources left running can cost you money. You can delete resources individually or delete the resource group to delete the entire set of resources.
Host your Azure virtual machines on dedicated physical servers by using Azure Dedicated Host
On Azure, virtual machines (VMs) run on shared hardware that Microsoft manages. Although the underlying hardware is shared, your VM workloads are isolated from workloads that other Azure customers run.
Some organizations must follow regulatory compliance that requires them to be the only customer using the physical machine that hosts their virtual machines. Azure Dedicated Host provides dedicated physical servers to host your Azure VMs for Windows and Linux.
Here’s a diagram that shows how VMs relate to dedicated hosts and host groups. A dedicated host is mapped to a physical server in an Azure datacenter. A host group is a collection of dedicated hosts.
What are the benefits of Azure Dedicated Host?
Azure Dedicated Host:
- Gives you visibility into, and control over, the server infrastructure that’s running your Azure VMs.
- Helps address compliance requirements by deploying your workloads on an isolated server.
- Lets you choose the number of processors, server capabilities, VM series, and VM sizes within the same host.
Availability considerations for Dedicated Host
After a dedicated host is provisioned, Azure assigns it to the physical server in Microsoft’s cloud datacenter.
For high availability, you can provision multiple hosts in a host group, and deploy your VMs across this group. VMs on dedicated hosts can also take advantage of maintenance control. This feature enables you to control when regular maintenance updates occur, within a 35-day rolling window.
Pricing considerations
You’re charged per dedicated host, independent of how many VMs you deploy to it. The host price is based on the VM family, type (hardware size), and region.
Software licensing, storage, and network usage are billed separately from the host and VMs. For more information, see Azure Dedicated Host pricing.
Knowledge check
Consider the following scenario.
Tailwind Traders is moving its online payment system from its datacenter to the cloud. The payment system consists of virtual machines (VMs) and SQL Server databases.
Here are a few security requirements that the company identifies as it plans the migration:
- It wants to ensure a good security posture across all of its systems, both on Azure and on-premises.
- In the datacenter, access to VMs requires a TLS certificate. The company needs a place to safely store and manage its certificates.
Here are some additional requirements that relate to regulatory compliance:
- Tailwind Traders must store certain customer data on-premises, in its datacenter.
- For certain workloads, the company must be the only customer running VMs on the physical hardware.
- The company must only run approved business applications on each VM.
See the following diagram that shows the proposed architecture.
On Azure, Tailwind Traders will use both standard VMs and VMs that run on dedicated physical hardware. In the datacenter, the company will run VMs that can connect to databases within its internal network.
Summary
Tailwind Traders faces a number of security challenges. In today’s digital world, its needs aren’t unique.
Azure provides tools and services that can help you detect and act on important security events. It also provides ways to help keep your data safe, which can prevent security incidents from happening to begin with.
In this module, you learned about Azure services that relate to security. Here’s a brief summary:
- Azure Security Center provides visibility of your security posture across all of your services, both on Azure and on-premises.
- Azure Sentinel aggregates security data from many different sources, and provides additional capabilities for threat detection and response.
- Azure Key Vault stores your applications’ secrets, such as passwords, encryption keys, and certificates, in a single, central location.
- Azure Dedicated Host provides dedicated physical servers to host your Azure VMs for Windows and Linux.
Learn more
Here are more resources to help you go further.
Azure Security Center
Take the Resolve security threats with Azure Security Center module to use the alert capabilities of Azure Security Center to watch for and respond to threats.
Then review the planning and operations guide to optimize your use of Security Center based on your organization’s security requirements and cloud management model.
Azure Sentinel
Design a holistic monitoring strategy on Azure goes into greater depth on how Azure Sentinel can help monitor and respond to security threats across your organization.
Also learn how to connect data sources to Azure Sentinel.
Azure Key Vault
Gain additional hands-on experience with Azure Key Vault in Manage secrets in your server apps with Azure Key Vault and Configure and manage secrets in Azure Key Vault.
Introduction
Traditionally, protecting access to systems and data involved the on-premises network perimeter and physical access controls.
With people increasingly able to work from anywhere, plus the rise of bring your own device (BYOD) strategies, mobile applications, and cloud applications, many of those access points are now outside the company’s physical networks.
Identity has become the new primary security boundary. Accurately proving that someone is a valid user of your system, with an appropriate level of access, is critical to maintaining control of your data. This identity layer is now more often the target of attack than the network is.
Meet Tailwind Traders
Tailwind Traders is a fictitious home improvement retailer. It operates retail hardware stores across the globe and online.
Tailwind Traders specializes in competitive pricing, fast shipping, and a large range of items. It’s looking at cloud technologies to improve business operations and support growth into new markets. By moving to the cloud, the company plans to enhance its shopping experience to further differentiate itself from competitors.
How will Tailwind Traders secure access to its cloud applications?
The mobile workforce of Tailwind Traders is increasing, as are the number of applications that the company runs in the cloud.
Retail employees located around the world are issued tablet devices from which they can create orders for customers, track delivery schedules, and plan their work schedules.
Delivery drivers can use their own mobile devices to access scheduling and logistics applications. Some delivery drivers are permanent employees of Tailwind Traders. Others work on short-term contract.
Tailwind Traders uses Active Directory to secure its on-premises environment. It needs to ensure that only employees can sign in and access the company’s business applications. It also needs to ensure that short-term staff can access these applications only when they’re under active contract.
How can Azure Active Directory (Azure AD) help Tailwind Traders consistently secure all of its applications accessed from the intranet and from public networks?
Learning objectives
After completing this module, you’ll be able to:
- Explain the difference between authentication and authorization.
- Describe how Azure AD provides identity and access management.
- Explain the role that single sign-on (SSO), multifactor authentication, and Conditional Access play in managing user identity.
Prerequisites
- You should be familiar with basic computing concepts and terminology.
- Familiarity with cloud computing is helpful but isn’t necessary.
Compare authentication and authorization
Recall that Tailwind Traders must ensure that only employees can sign in and access its business applications.
Tailwind Traders also needs to ensure that employees can access only authorized applications. For example, all employees can access inventory and pricing software, but only store managers can access payroll and certain accounting software.
Two fundamental concepts that you need to understand when talking about identity and access are authentication (AuthN) and authorization (AuthZ).
Authentication and authorization both support everything else that happens. They occur sequentially in the identity and access process.
Let’s take a brief look at each.
What is authentication?
Authentication is the process of establishing the identity of a person or service that wants to access a resource. It involves the act of challenging a party for legitimate credentials and provides the basis for creating a security principal for identity and access control. It establishes whether the user is who they say they are.
What is authorization?
Authentication establishes the user’s identity, but authorization is the process of establishing what level of access an authenticated person or service has. It specifies what data they’re allowed to access and what they can do with it.
How are authentication and authorization related?
Here’s a diagram that shows the relationship between authentication and authorization:
The identification card represents credentials that the user has to prove their identity. (You’ll learn more about the types of credentials later in this module.) Once authenticated, authorization defines what kinds of applications, resources, and data that user can access.
What is Azure Active Directory?
In this part, you learn how Azure Active Directory (Azure AD) provides identity services that enable your users to sign in and access both Microsoft cloud applications and cloud applications that you develop. You also learn how Azure AD supports single sign-on (SSO).
Tailwind Traders already uses Active Directory to secure its on-premises environments. The company doesn’t want its users to have a different username and password to remember for accessing applications and data in the cloud. Can the company integrate its existing Active Directory instance with cloud identity services to create a seamless experience for its users?
Let’s start with how Azure AD compares to Active Directory.
How does Azure AD compare to Active Directory?
Active Directory is related to Azure AD, but they have some key differences.
Microsoft introduced Active Directory in Windows 2000 to give organizations the ability to manage multiple on-premises infrastructure components and systems by using a single identity per user.
For on-premises environments, Active Directory running on Windows Server provides an identity and access management service that’s managed by your own organization. Azure AD is Microsoft’s cloud-based identity and access management service. With Azure AD, you control the identity accounts, but Microsoft ensures that the service is available globally. If you’ve worked with Active Directory, Azure AD will be familiar to you.
When you secure identities on-premises with Active Directory, Microsoft doesn’t monitor sign-in attempts. When you connect Active Directory with Azure AD, Microsoft can help protect you by detecting suspicious sign-in attempts at no extra cost. For example, Azure AD can detect sign-in attempts from unexpected locations or unknown devices.
Who uses Azure AD?
Azure AD is for:
- IT administrators
Administrators can use Azure AD to control access to applications and resources based on their business requirements.
- App developers
Developers can use Azure AD to provide a standards-based approach for adding functionality to applications that they build, such as adding SSO functionality to an app or enabling an app to work with a user’s existing credentials.
- Users
Users can manage their identities. For example, self-service password reset enables users to change or reset their password with no involvement from an IT administrator or help desk.
- Online service subscribers
Microsoft 365, Microsoft Office 365, Azure, and Microsoft Dynamics CRM Online subscribers are already using Azure AD.
A tenant is a representation of an organization. A tenant is typically separated from other tenants and has its own identity.
Each Microsoft 365, Office 365, Azure, and Dynamics CRM Online tenant is automatically an Azure AD tenant.
Here’s a screenshot of what an IT administrator might see in the Azure portal when working with Active Directory:
What services does Azure AD provide?
Azure AD provides services such as:
- Authentication
This includes verifying identity to access applications and resources. It also includes providing functionality such as self-service password reset, multifactor authentication, a custom list of banned passwords, and smart lockout services.
- Single sign-on
SSO enables you to remember only one username and one password to access multiple applications. A single identity is tied to a user, which simplifies the security model. As users change roles or leave an organization, access modifications are tied to that identity, which greatly reduces the effort needed to change or disable accounts.
- Application management
You can manage your cloud and on-premises apps by using Azure AD. Features like Application Proxy, SaaS apps, the My Apps portal (also called the access panel), and single sign-on provide a better user experience.
- Device management
Along with accounts for individual people, Azure AD supports the registration of devices. Registration enables devices to be managed through tools like Microsoft Intune. It also allows for device-based Conditional Access policies to restrict access attempts to only those coming from known devices, regardless of the requesting user account.
What kinds of resources can Azure AD help secure?
Azure AD helps users access both external and internal resources.
External resources might include Microsoft Office 365, the Azure portal, and thousands of other software as a service (SaaS) applications.
Internal resources might include apps on your corporate network and intranet, along with any cloud applications developed within your organization.
What’s single sign-on?
Single sign-on enables a user to sign in one time and use that credential to access multiple resources and applications from different providers.
More identities mean more passwords to remember and change. Password policies can vary among applications. As complexity requirements increase, it becomes increasingly difficult for users to remember them. The more passwords a user has to manage, the greater the risk of a credential-related security incident.
Consider the process of managing all those identities. Additional strain is placed on help desks as they deal with account lockouts and password reset requests. If a user leaves an organization, tracking down all those identities and ensuring they are disabled can be challenging. If an identity is overlooked, this might allow access when it should have been eliminated.
With SSO, you need to remember only one ID and one password. Access across applications is granted to a single identity that’s tied to the user, which simplifies the security model. As users change roles or leave an organization, access is tied to a single identity. This change greatly reduces the effort needed to change or disable accounts. Using SSO for accounts makes it easier for users to manage their identities and increases your security capabilities.
You’ll find resources at the end of this module about how to enable SSO through Azure AD.
How can I connect Active Directory with Azure AD?
Connecting Active Directory with Azure AD enables you to provide a consistent identity experience to your users.
There are a few ways to connect your existing Active Directory installation with Azure AD. Perhaps the most popular method is to use Azure AD Connect.
Azure AD Connect synchronizes user identities between on-premises Active Directory and Azure AD. Azure AD Connect synchronizes changes between both identity systems, so you can use features like SSO, multifactor authentication, and self-service password reset under both systems. Self-service password reset prevents users from using known compromised passwords.
Here’s a diagram that shows how Azure AD Connect fits between on-premises Active Directory and Azure AD:
As Tailwind Traders integrates its existing Active Directory instance with Azure AD, it creates a consistent access model across its organization. Doing so greatly simplifies its ability to sign in to different applications, manage changes to user identities and control, and monitor and block unusual access attempts.
What are multifactor authentication and Conditional Access?
Tailwind Traders allows delivery drivers to use their own mobile devices to access scheduling and logistics applications. Some delivery drivers are permanent employees of Tailwind Traders. Others work on short-term contract. How can the IT department ensure that an access attempt is really from a valid Tailwind Traders worker?
In this part, you’ll learn about two processes that enable secure authentication: Azure AD Multi-Factor Authentication and Conditional Access. Let’s start with a brief look at what multifactor authentication is in general.
What’s multifactor authentication?
Multifactor authentication is a process where a user is prompted during the sign-in process for an additional form of identification. Examples include a code on their mobile phone or a fingerprint scan.
Think about how you sign in to websites, email, or online gaming services. In addition to your username and password, have you ever needed to enter a code that was sent to your phone? If so, you’ve used multifactor authentication to sign in.
Multifactor authentication provides additional security for your identities by requiring two or more elements to fully authenticate.
These elements fall into three categories:
- Something the user knows
This might be an email address and password.
- Something the user has
This might be a code that’s sent to the user’s mobile phone.
- Something the user is
This is typically some sort of biometric property, such as a fingerprint or face scan that’s used on many mobile devices.
Multifactor authentication increases identity security by limiting the impact of credential exposure (for example, stolen usernames and passwords). With multifactor authentication enabled, an attacker who has a user’s password would also need to have possession of their phone or their fingerprint to fully authenticate.
Compare multifactor authentication with single-factor authentication. Under single-factor authentication, an attacker would need only a username and password to authenticate. Multifactor authentication should be enabled wherever possible because it adds enormous benefits to security.
What’s Azure AD Multi-Factor Authentication?
Azure AD Multi-Factor Authentication is a Microsoft service that provides multifactor authentication capabilities. Azure AD Multi-Factor Authentication enables users to choose an additional form of authentication during sign-in, such as a phone call or mobile app notification.
These services provide Azure AD Multi-Factor Authentication capabilities:
- Azure Active Directory
The Azure Active Directory free edition enables Azure AD Multi-Factor Authentication for administrators with the global admin level of access, via the Microsoft Authenticator app, phone call, or SMS code. You can also enforce Azure AD Multi-Factor Authentication for all users via the Microsoft Authenticator app only, by enabling security defaults in your Azure AD tenant.
Azure Active Directory Premium (P1 or P2 licenses) allows for comprehensive and granular configuration of Azure AD Multi-Factor Authentication through Conditional Access policies (explained shortly).
- Multifactor authentication for Office 365
A subset of Azure AD Multi-Factor Authentication capabilities is part of your Office 365 subscription.
For more information on licenses and Azure AD Multi-Factor Authentication capabilities, see Available versions of Azure AD Multi-Factor Authentication.
What’s Conditional Access?
Conditional Access is a tool that Azure Active Directory uses to allow (or deny) access to resources based on identity signals. These signals include who the user is, where the user is, and what device the user is requesting access from.
Conditional Access helps IT administrators:
- Empower users to be productive wherever and whenever.
- Protect the organization’s assets.
Conditional Access also provides a more granular multifactor authentication experience for users. For example, a user might not be challenged for a second authentication factor if they’re at a known location. However, they might be challenged for a second authentication factor if their sign-in signals are unusual or they’re at an unexpected location.
During sign-in, Conditional Access collects signals from the user, makes decisions based on those signals, and then enforces that decision by allowing or denying the access request or challenging for a multifactor authentication response.
Here’s a diagram that illustrates this flow:
Here, the signal might be the user’s location, the user’s device, or the application that the user is trying to access.
Based on these signals, the decision might be to allow full access if the user is signing in from their usual location. If the user is signing in from an unusual location or a location that’s marked as high risk, then access might be blocked entirely or possibly granted after the user provides a second form of authentication.
Enforcement is the action that carries out the decision. For example, the action is to allow access or require the user to provide a second form of authentication.
When can I use Conditional Access?
Conditional Access is useful when you need to:
- Require multifactor authentication to access an application.
You can configure whether all users require multifactor authentication or only certain users, such as administrators.
You can also configure whether multifactor authentication applies to access from all networks or only untrusted networks.
- Require access to services only through approved client applications.
For example, you might want to allow users to access Office 365 services from a mobile device as long as they use approved client apps, like the Outlook mobile app.
- Require users to access your application only from managed devices.
A managed device is a device that meets your standards for security and compliance.
- Block access from untrusted sources, such as access from unknown or unexpected locations.
Conditional Access comes with a What If tool, which helps you plan and troubleshoot your Conditional Access policies. You can use this tool to model your proposed Conditional Access policies across recent sign-in attempts from your users to see what the impact would have been if those policies had been enabled. The What If tool enables you to test your proposed Conditional Access policies before you implement them.
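The signal, decision, and enforcement flow and the What If idea described above can be sketched as follows. This is an added example, not Microsoft's code or Azure AD's policy engine: the policy names, location labels, application names, and the `evaluate` and `what_if` functions are assumptions, and the sign-in records are constructed.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Callable, FrozenSet


@dataclass(frozen=True)
class SignIn:
    """Signals collected at sign-in: who, where, which device, which app."""
    user: str
    roles: FrozenSet[str]
    location: str          # constructed labels: "store", "hq", "unknown"
    managed_device: bool
    client_app: str
    target_app: str


# Controls a policy can demand once its condition matches.
BLOCK, MFA, MANAGED_DEVICE, APPROVED_APP = (
    "block", "mfa", "managed_device", "approved_app")


@dataclass(frozen=True)
class Policy:
    name: str
    applies: Callable[[SignIn], bool]   # condition over the signals
    control: str


TRUSTED_LOCATIONS = {"store", "hq"}
APPROVED_CLIENTS = {"outlook-mobile"}

# Proposed policies, one per use case listed in the text above.
POLICIES = [
    Policy("MFA for administrators", lambda s: "admin" in s.roles, MFA),
    Policy("MFA from untrusted networks",
           lambda s: s.location not in TRUSTED_LOCATIONS, MFA),
    Policy("Approved clients for mail",
           lambda s: s.target_app == "mail", APPROVED_APP),
    Policy("Managed devices for payroll",
           lambda s: s.target_app == "payroll", MANAGED_DEVICE),
    Policy("Block payroll from unknown locations",
           lambda s: s.target_app == "payroll" and s.location == "unknown",
           BLOCK),
]


def evaluate(sign_in, policies=POLICIES):
    """Decision step: every matching policy applies and a block always wins.
    Returns (outcome, names of the policies responsible for it)."""
    matched = [p for p in policies if p.applies(sign_in)]

    def named(control):
        return [p.name for p in matched if p.control == control]

    if named(BLOCK):
        return "block", named(BLOCK)
    # A user cannot fix these two requirements during the sign-in itself.
    if named(MANAGED_DEVICE) and not sign_in.managed_device:
        return "block", named(MANAGED_DEVICE)
    if named(APPROVED_APP) and sign_in.client_app not in APPROVED_CLIENTS:
        return "block", named(APPROVED_APP)
    if named(MFA):
        return "challenge_mfa", named(MFA)
    return "allow", []


def what_if(sign_ins, policies=POLICIES):
    """Replay proposed policies over recent sign-ins and tally the outcomes."""
    return Counter(evaluate(s, policies)[0] for s in sign_ins)


# Constructed recent sign-ins for the Tailwind Traders scenario.
RECENT_SIGN_INS = [
    SignIn("ana", frozenset({"manager"}), "store", True, "browser", "orders"),
    SignIn("raj", frozenset({"driver"}), "unknown", False, "browser", "scheduling"),
    SignIn("kim", frozenset({"admin"}), "hq", True, "browser", "portal"),
    SignIn("ana", frozenset({"manager"}), "unknown", True, "browser", "payroll"),
    SignIn("lee", frozenset({"employee"}), "store", False, "other-mail-client", "mail"),
    SignIn("lee", frozenset({"employee"}), "hq", True, "outlook-mobile", "mail"),
]

if __name__ == "__main__":
    print("without policies:", dict(what_if(RECENT_SIGN_INS, [])))
    print("with policies:   ", dict(what_if(RECENT_SIGN_INS)))
```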
Where is Conditional Access available?
To use Conditional Access, you need an Azure AD Premium P1 or P2 license. If you have a Microsoft 365 Business Premium license, you also have access to Conditional Access features.
Summary
Tailwind Traders needs to ensure that only its workforce can access its growing set of cloud applications, both from any location and from any device.
In building out its plan, Tailwind Traders learns that:
- Authentication (AuthN) establishes the user’s identity.
- Authorization (AuthZ) establishes the level of access that an authenticated user has.
- Single sign-on (SSO) enables a user to sign in one time and use that credential to access multiple resources and applications.
- Azure Active Directory (Azure AD) is a cloud-based identity and access management service. Azure AD enables an organization to control access to apps and resources based on its business requirements.
- Azure AD Multi-Factor Authentication provides additional security for identities by requiring two or more elements to fully authenticate. In general, multifactor authentication can include something the user knows, something the user has, and something the user is.
- Conditional Access is a tool that Azure AD uses to allow or deny access to resources based on identity signals such as the user’s location.
With these ideas in place, the software development and IT administrator teams can begin to replace their existing authentication systems with ones that use multiple factors and allow access to multiple applications.
Learn more
Here are more resources to help you go further:
- Compare Active Directory to Azure Active Directory
- Azure Active Directory
- What is single sign-on (SSO)?
- Azure Active Directory Seamless Single Sign-On
- What is Azure AD Connect?
- Azure AD Multi-Factor Authentication
- Azure AD Conditional Access
Introduction
In this module, you’ll learn about the major factors that influence the cost of running in the cloud. Along the way, you’ll get hands-on experience with some of the tools you can use to estimate the costs of running your workloads on Azure to help ensure that you stay within budget and use only the services that you need.
Meet Tailwind Traders
Tailwind Traders is a fictitious home improvement retailer. It operates retail hardware stores across the globe and online.
Tailwind Traders specializes in competitive pricing, fast shipping, and a large range of items. It’s looking at cloud technologies to improve business operations and support growth into new markets. By moving to the cloud, the company plans to enhance its shopping experience to further differentiate itself from competitors.
How will Tailwind Traders manage cloud costs?
Tailwind Traders is planning its migration to the cloud. The company has run a few successful proof-of-concept projects and wants to better understand how to manage its costs before it moves its workloads to Azure.
Running in the datacenter requires you to maintain a facility and purchase, power, cool, and maintain your servers. Running in the cloud presents new ways to think about your IT expenses.
To answer the question of how much it will cost, you need to understand the factors that influence cost. You also need to understand what tools are available to you to help estimate and manage your cloud spend.
Learning objectives
After completing this module, you’ll be able to:
- Use the Total Cost of Ownership Calculator to compare your current datacenter costs to running the same workloads on Azure.
- Describe the different ways you can purchase Azure products and services.
- Use the Pricing calculator to estimate the monthly cost of running your cloud workloads.
- Define some of the major factors that affect total cost, and apply recommended practices to minimize cost.
Prerequisites
- You should be familiar with basic computing concepts and terminology.
- Familiarity with cloud computing is helpful but isn’t necessary.
Compare costs by using the Total Cost of Ownership Calculator
Before Tailwind Traders takes its next steps toward migrating to the cloud, it wants to better understand what it spends today in its datacenter.
Having a firm understanding of where the company is today will give it a greater sense of what cloud migration means in terms of cost.
In this unit, you’ll see how the Total Cost of Ownership (TCO) Calculator can help you compare the cost of running in the datacenter versus running on Azure.
What’s the TCO Calculator?
The TCO Calculator helps you estimate the cost savings of operating your solution on Azure over time, instead of in your on-premises datacenter.
The term total cost of ownership is commonly used in finance. It can be hard to see all the hidden costs related to operating a technology capability on-premises. Software licenses and hardware are additional costs.
With the TCO Calculator, you enter the details of your on-premises workloads. Then you review the suggested industry average cost (which you can adjust) for related operational costs. These costs include electricity, network maintenance, and IT labor. You’re then presented with a side-by-side report. Using the report, you can compare those costs with the same workloads running on Azure.
The following image shows one example.
Note
You don’t need an Azure subscription to work with the TCO Calculator.
How does the TCO Calculator work?
Working with the TCO Calculator involves three steps:
- Define your workloads.
- Adjust assumptions.
- View the report.
Let’s take a closer look at each step.
Step 1: Define your workloads
First, you enter the specifications of your on-premises infrastructure into the TCO Calculator, based on these four categories:
- Servers
This category includes operating systems, virtualization methods, CPU cores, and memory (RAM).
- Databases
This category includes database types, server hardware, and the Azure service you want to use, which includes the expected maximum concurrent user sign-ins.
- Storage
This category includes storage type and capacity, which includes any backup or archive storage.
- Networking
This category includes the amount of network bandwidth you currently consume in your on-premises environment.
Step 2: Adjust assumptions
Next, you specify whether your current on-premises licenses are enrolled for Software Assurance, which can save you money by reusing those licenses on Azure. You also specify whether you need to replicate your storage to another Azure region for greater redundancy.
Then, you can see the key operating cost assumptions across several different areas, which vary among teams and organizations. These costs have been certified by Nucleus Research, an independent research company. For example, these costs include:
- Electricity price per kilowatt-hour (kWh).
- Hourly pay rate for IT administration.
- Network maintenance cost as a percentage of network hardware and software costs.
To improve the accuracy of the TCO Calculator results, you adjust the values so that they match the costs of your current on-premises infrastructure.
Step 3: View the report
Choose a time frame between one and five years. The TCO Calculator generates a report that’s based on the information you’ve entered. Here’s an example:
For each category (compute, datacenter, networking, storage, and IT labor), you can also view a side-by-side comparison of the cost breakdown of operating those workloads on-premises versus operating them on Azure. Here’s an example:
You can download, share, or save this report to review later.
In the next unit, you’ll use the TCO Calculator to help the Tailwind Traders team understand their total costs.
Exercise – Compare sample workload costs by using the TCO Calculator
In this exercise, you use the Total Cost of Ownership (TCO) Calculator to compare the cost of running a sample workload in the datacenter versus on Azure.
Tailwind Traders is interested in moving some of its on-premises workloads to the cloud. But first, the Chief Financial Officer wants to understand more about moving from a relatively fixed cost structure to an ongoing monthly cost structure.
You’ve been tasked to investigate whether there are any potential cost savings in moving your European datacenter to the cloud over the next three years. You need to take into account all of the potentially hidden costs involved with operating on-premises and in the cloud.
Instead of manually collecting everything you think might be included, you use the TCO Calculator as a starting point. You adjust the provided cost assumptions to match Tailwind Traders’ on-premises environment.
Note
Remember, you don’t need an Azure subscription to work with the TCO Calculator.
Let’s say that:
- Tailwind Traders runs two sets, or banks, of 50 virtual machines (VMs) in each bank.
- The first bank of VMs runs Windows Server under Hyper-V virtualization.
- The second bank of VMs runs Linux under VMware virtualization.
- There’s also a storage area network (SAN) with 60 terabytes (TB) of disk storage.
- You consume an estimated 15 TB of outbound network bandwidth each month.
- There are also a number of databases involved, but for now, you’ll omit those details.
Recall that the TCO Calculator involves three steps:
- Define your workloads.
- Adjust assumptions.
- View the report.
Let’s see how Tailwind Traders’ existing workloads compare in the datacenter versus on Azure.
Define your workloads
Enter the specifications of your on-premises infrastructure into the TCO Calculator.
- Go to the TCO Calculator.
- Under Define your workloads, select Add server workload to create a row for your bank of Windows Server VMs.
- Under Servers, set the value for each of these settings:
| Setting | Value |
| --- | --- |
| Name | Servers: Windows VMs |
| Workload | Windows/Linux Server |
| Environment | Virtual Machines |
| Operating system | Windows |
| VMs | 50 |
| Virtualization | Hyper-V |
| Core(s) | 8 |
| RAM (GB) | 16 |
| Optimize by | CPU |
| Windows Server 2008/2008 R2 | Off |
- Select Add server workload to create a second row for your bank of Linux VMs. Then specify these settings:
| Setting | Value |
| --- | --- |
| Name | Servers: Linux VMs |
| Workload | Windows/Linux Server |
| Environment | Virtual Machines |
| Operating system | Linux |
| VMs | 50 |
| Virtualization | VMware |
| Core(s) | 8 |
| RAM (GB) | 16 |
| Optimize by | CPU |
- Under Storage, select Add storage. Then specify these settings:
| Setting | Value |
| --- | --- |
| Name | Server Storage |
| Storage type | Local Disk/SAN |
| Disk type | HDD |
| Capacity | 60 TB |
| Backup | 120 TB |
| Archive | 0 TB |
- Under Networking, set Outbound bandwidth to 15 TB.
- Select Next.
Adjust assumptions
Here, you specify your currency. For brevity, you leave the remaining fields at their default values.
In practice, you would adjust the cost assumptions to match your current on-premises environment.
- At the top of the page, select your currency. This example uses US Dollar ($).
- Select Next.
View the report
Take a moment to review the generated report.
Remember, you’ve been tasked to investigate cost savings for your European datacenter over the next three years.
To make these adjustments:
- Set Timeframe to 3 Years.
- Set Region to North Europe.
Scroll to the summary at the bottom. You see a comparison of running your workloads in the datacenter versus on Azure. The prices you see might differ, but here’s an example of the cost savings you might expect.
Select Download to download or print a copy of the report in PDF format.
Great work. You now have the information that you can share with your Chief Financial Officer. If you need to make adjustments, you can revisit the TCO Calculator to generate a fresh report.
Purchase Azure services
In this unit, you learn how to purchase Azure services and get a sense for other factors that affect cost.
You meet with your Chief Financial Officer and some of the team leads. You learn about some assumptions you’ve missed. You’re able to quickly update your total estimated spend through the Total Cost of Ownership (TCO) Calculator.
During the meeting, some new questions arise as the discussion moves toward cloud migration:
- What types of Azure subscriptions are available?
- How do we purchase Azure services?
- Does location or network traffic affect cost?
- What other factors affect the final cost?
- How can we get a more detailed estimate of the cost to run on Azure?
It’s important to learn how costs are generated in Azure so that you can understand how your purchasing and solution design decisions can impact your final cost. You agree to research these questions, so let’s review each one in greater detail.
What types of Azure subscriptions can I use?
You probably know that an Azure subscription provides you with access to Azure resources, such as virtual machines (VMs), storage, and databases. The types of resources you use impact your monthly bill.
Azure offers both free and paid subscription options to fit your needs and requirements. They are:
- Free trial
A free trial subscription provides you with 12 months of popular free services, a credit to explore any Azure service for 30 days, and more than 25 services that are always free. Your Azure services are disabled when the trial ends or when your credit expires for paid products, unless you upgrade to a paid subscription.
- Pay-as-you-go
A pay-as-you-go subscription enables you to pay for what you use by attaching a credit or debit card to your account. Organizations can apply for volume discounts and prepaid invoicing.
- Member offers
Your existing membership to certain Microsoft products and services might provide you with credits for your Azure account and reduced rates on Azure services. For example, member offers are available to Visual Studio subscribers, Microsoft Partner Network members, Microsoft for Startups members, and Microsoft Imagine members.
How do I purchase Azure services?
There are three main ways to purchase services on Azure. They are:
- Through an Enterprise Agreement
Larger customers, known as enterprise customers, can sign an Enterprise Agreement with Microsoft. This agreement commits them to spending a predetermined amount on Azure services over a period of three years. The service fee is typically paid annually. As an Enterprise Agreement customer, you’ll receive the best customized pricing based on the kinds and amounts of services you plan on using.
- Directly from the web
Here, you purchase Azure services directly from the Azure portal website and pay standard prices. You’re billed monthly, as a credit card payment or through an invoice. This purchasing method is known as Web Direct.
- Through a Cloud Solution Provider
A Cloud Solution Provider (CSP) is a Microsoft Partner who helps you build solutions on top of Azure. Your CSP bills you for your Azure usage at a price they determine. They also answer your support questions and escalate them to Microsoft, as needed.
You can bring up, or provision, Azure resources from the Azure portal or from the command line. The Azure portal arranges products and services by category. You select the services that fit your needs. Your account is billed according to Azure’s “pay for what you use” model.
Here’s an example that shows the Azure portal.
At the end of each month, you’re billed for what you’ve used. At any time, you can check the cost management and billing page in the Azure portal to get a summary of your current usage and review invoices from prior months.
What factors affect cost?
The way you use resources, your subscription type, and pricing from third-party vendors are common factors. Let’s take a quick look at each.
Resource type
A number of factors influence the cost of Azure resources. They depend on the type of resource or how you customize it.
For example, with a storage account you specify a type (such as block blob storage or table storage), a performance tier (standard or premium), and an access tier (hot, cool, or archive). These selections present different costs.
Usage meters
When you provision a resource, Azure creates meters to track usage of that resource. Azure uses these meters to generate a usage record that’s later used to help calculate your bill.
Think of usage meters as being similar to how you’re billed for electricity or water in your home. You might pay a base price each month for electricity or water service, but your final bill is based on the total amount that you consumed.
Let’s look at a single VM as an example. The following kinds of meters are relevant to tracking its usage:
- Overall CPU time.
- Time spent with a public IP address.
- Incoming (ingress) and outgoing (egress) network traffic in and out of the VM.
- Disk size and amount of disk read and disk write operations.
Each meter tracks a specific type of usage. For example, a meter might track bandwidth usage (ingress or egress network traffic in bits per second), the number of operations, or size (storage capacity in bytes).
The usage that a meter tracks correlates to a quantity of billable units. Those units are charged to your account for each billing period. The rate per billable unit depends on the resource type you’re using.
Resource usage
In Azure, you’re always charged based on what you use. As an example, let’s look at how this billing applies to deallocating a VM.
In Azure, you can delete or deallocate a VM. Deleting a VM means that you no longer need it. The VM is removed from your subscription, and then it’s prepared for another customer.
Deallocating a VM means that the VM is no longer running. But the associated hard disks and data are still kept in Azure. The VM isn’t assigned to a CPU or network in Azure’s datacenter, so it doesn’t generate the costs associated with compute time or the VM’s IP address. Because the disks and data are still stored, and the resource is present in your Azure subscription, you’re still billed for disk storage.
Deallocating a VM when you don’t plan on using it for some time is just one way to minimize costs. For example, you might deallocate the VMs you use for testing purposes on weekends when your testing team isn’t using them. You’ll learn more about ways to minimize cost later in this module.
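The meter and deallocation behavior described above, as an added example that is not part of the original module: a Python sketch that walks a four-week period hour by hour, records usage per meter for one VM, and compares an always-on schedule with a test VM that is deallocated on weekends. The rates, the 128 GB disk size, and the meter names are constructed assumptions, not Azure prices or Azure meter identifiers.

```python
from datetime import datetime, timedelta

# Constructed rates for illustration only; these are not Azure prices.
RATES = {
    "compute_hours": 0.20,     # per hour the VM is allocated
    "public_ip_hours": 0.005,  # per hour a public IP address is assigned
    "disk_gb": 0.05,           # per GB of disk kept for the period
}

PERIOD_START = datetime(2024, 1, 1)  # a Monday, so 28 days is four full weeks


def always_on(ts):
    """Schedule for a VM that is never deallocated."""
    return True


def weekends_off(ts):
    """Schedule for a test VM that is deallocated on Saturday and Sunday."""
    return ts.weekday() < 5


def meter_usage(start, days, is_allocated, disk_gb):
    """Walk the period hour by hour and return the usage record per meter."""
    usage = {"compute_hours": 0, "public_ip_hours": 0, "disk_gb": disk_gb}
    for hour in range(days * 24):
        if is_allocated(start + timedelta(hours=hour)):
            # Only an allocated VM accrues compute time and IP address time.
            usage["compute_hours"] += 1
            usage["public_ip_hours"] += 1
    # The disk meter does not depend on the schedule: the data stays stored.
    return usage


def bill(usage, rates=RATES):
    """Convert metered quantities to billable amounts; return (lines, total)."""
    lines = {meter: round(qty * rates[meter], 2) for meter, qty in usage.items()}
    return lines, round(sum(lines.values()), 2)


def compare(start, days, disk_gb):
    """Return (always-on total, weekends-off total, percent saved)."""
    _, base = bill(meter_usage(start, days, always_on, disk_gb))
    _, off = bill(meter_usage(start, days, weekends_off, disk_gb))
    return base, off, round(100 * (base - off) / base, 1)


if __name__ == "__main__":
    for schedule in (always_on, weekends_off):
        usage = meter_usage(PERIOD_START, 28, schedule, 128)
        print(schedule.__name__, usage, bill(usage))
    print("always-on, weekends-off, % saved:", compare(PERIOD_START, 28, 128))
```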
Azure subscription types
Some Azure subscription types also include usage allowances, which affect costs.
For example, an Azure free trial subscription provides access to a number of Azure products that are free for 12 months. It also includes credit to spend within your first 30 days of sign-up. And you get access to more than 25 products that are always free (based on resource and region availability).
Azure Marketplace
You can also purchase Azure-based solutions and services from third-party vendors through Azure Marketplace. Examples include managed network firewall appliances or connectors to third-party backup services. Billing structures are set by the vendor.
Does location or network traffic affect cost?
When you provision a resource in Azure, you need to define the location (known as the Azure region) of where it will be deployed. Let’s see why this decision can have cost consequences.
Location
Azure infrastructure is distributed globally, which enables you to deploy your services centrally or provision your services closest to where your customers use them.
Different regions can have different associated prices. Because geographic regions can impact where your network traffic flows, network traffic is a cost influence to consider as well.
For example, say Tailwind Traders decides to provision its Azure resources in the Azure regions that offer the lowest prices. That decision would save the company some money. But, if they need to transfer data between those regions, or if their users are located in different parts of the world, any potential savings could be offset by the additional network usage costs of transferring data between those resources.
Zones for billing of network traffic
Billing zones are a factor in determining the cost of some Azure services.
Bandwidth refers to data moving in and out of Azure datacenters. Some inbound data transfers (data going into Azure datacenters) are free. For outbound data transfers (data leaving Azure datacenters), data transfer pricing is based on zones.
A zone is a geographical grouping of Azure regions for billing purposes. The following zones include some of the regions as shown here:
- Zone 1: Australia Central, West US, East US, Canada West, West Europe, France Central, and others
- Zone 2: Australia East, Japan West, Central India, Korea South, and others
- Zone 3: Brazil South, South Africa North, South Africa West, UAE Central, UAE North
- DE Zone 1: Germany Central, Germany Northeast
How can I estimate the total cost?
As you’ve learned, an accurate cost estimate takes all of the preceding factors into account. Fortunately, the Azure Pricing calculator helps you with that process.
The Pricing calculator displays Azure products in categories. You add these categories to your estimate and configure according to your specific requirements. You then receive a consolidated estimated price, with a detailed breakdown of the costs associated with each resource you added to your solution. You can export or share that estimate or save it for later. You can load a saved estimate and modify it to match updated requirements.
You also can access pricing details, product details, and documentation for each product from within the Pricing calculator.
The options that you can configure in the Pricing calculator vary between products, but they can include:
- Region
A region is the geographical location in which you can provision a service. Southeast Asia, Central Canada, Western United States, and Northern Europe are a few examples.
- Tier
Tiers, such as the Free tier or Basic tier, have different levels of availability or performance and different associated costs.
- Billing options
Billing options highlight the different ways you can pay for a service. Options can vary based on your customer type and subscription type and can include options to save costs.
- Support options
These options enable you to select additional support pricing options for certain services.
- Programs and offers
Your customer or subscription type might enable you to choose from specific licensing programs or other offers.
- Azure Dev/Test pricing
This option lists the available prices for development and test workloads. Dev/Test pricing applies when you run resources within an Azure subscription that’s based on a Dev/Test offer.
Keep in mind that the Pricing calculator provides estimates and not actual price quotes. Actual prices can vary depending upon the date of purchase, the payment currency you’re using, and the type of Azure customer you are.
Exercise – Estimate workload cost by using the Pricing calculator
In this exercise, you use the Pricing calculator to estimate the cost of running a basic web application on Azure.
With an understanding of the more important cost factors associated with running on Azure, Tailwind Traders wants to take a typical workload and estimate how much it would cost each month to run it on Azure.
The IT Manager at Tailwind Traders is faced with the decision about whether to replace some aging on-premises hardware or move the application to Azure. The company needs to know how much the ongoing monthly cost of the solution in Azure would be.
Let’s start by defining which Azure services you need.
Note
The Pricing calculator is for information purposes only. The prices are only an estimate, and you won’t be charged for any services you select.
Define your requirements
Before you run the Pricing calculator, you first need a sense of what Azure services you need.
You meet with the application development team to discuss their migration project.
In their datacenter, the team has an ASP.NET web application that runs on Windows. The web application provides information about product inventory and pricing. They have two virtual machines that are connected through a central load balancer. The web application connects to a SQL Server database that holds inventory and pricing information.
The team decides to:
- Use Azure Virtual Machines instances, similar to the virtual machines they use in the datacenter.
- Use Azure Application Gateway for load balancing.
- Use Azure SQL Database to hold inventory and pricing information.
Here’s a diagram that shows the basic configuration:
In practice, you would define your requirements in greater detail. But here are some basic facts and requirements that came up during the meeting:
- The application is used by Tailwind Traders employees at their retail stores. It’s not accessible to customers.
- This application doesn’t require a massive amount of computing power.
- The virtual machines and the database run all the time (730 hours per month).
- The network processes about 1 TB of data per month.
- The database doesn’t need to be configured for high-performance workloads and requires no more than 32 GB of storage.
Explore the Pricing calculator
Let’s start with a quick tour of the Pricing calculator.
- Go to the Pricing calculator.
- Notice the following tabs:
- Products
This is where you choose the Azure services that you want to include in your estimate. You’ll likely spend most of your time here.
- Example Scenarios
Here you’ll find several reference architectures, or common cloud-based solutions that you can use as a starting point.
- Saved Estimates
Here you’ll find your previously saved estimates.
- FAQ
Here you’ll discover answers to frequently asked questions about the Pricing calculator.
Estimate your solution
Here you add each Azure service that you need to the calculator. Then you configure each service to fit your needs.
Tip
Make sure you have a clean calculator with nothing listed in the estimate. You can reset the estimate by selecting the trash can icon next to each item.
Add services to the estimate
- On the Products tab, select the service from each of these categories:
| Category | Service |
| --- | --- |
| Compute | Virtual Machines |
| Databases | Azure SQL Database |
| Networking | Application Gateway |
- Scroll to the bottom of the page. You see that each service is listed with its default configuration.
Configure services to match your requirements
- Under Virtual Machines, set these values:
| Setting | Value |
| --- | --- |
| Region | West US |
| Operating system | Windows |
| Type | (OS Only) |
| Tier | Standard |
| Instance | D2 v3 |
| Virtual machines | 2 x 730 Hours |
- Leave the remaining settings at their current values.
- Under Azure SQL Database, set these values:
| Setting | Value |
| --- | --- |
| Region | West US |
| Type | Single Database |
| Backup storage tier | RA-GRS |
| Purchase model | vCore |
| Service tier | General Purpose |
| Compute tier | Provisioned |
| Generation | Gen 5 |
| Instance | 8 vCore |
- Leave the remaining settings at their current values.
- Under Application Gateway, set these values:
| Setting | Value |
| --- | --- |
| Region | West US |
| Tier | Web Application Firewall |
| Size | Medium |
| Gateway hours | 2 x 730 Hours |
| Data processed | 1 TB |
| Outbound data transfer | 5 GB |
- Leave the remaining settings at their current values.
Review, share, and save your estimate
At the bottom of the page, you see the total estimated cost of running the solution. You can change the currency type if you want.
At this point, you have a few options:
- Select Export to save your estimate as an Excel document.
- Select Save or Save as to save your estimate to the Saved Estimates tab for later.
- Select Share to generate a URL so you can share the estimate with your team.
You now have a cost estimate that you can share with your team. You can make adjustments as you discover any changes to your requirements.
Experiment with some of the options you worked with here, or create a purchase plan for a workload you want to run on Azure.
Manage and minimize total cost on Azure
For a home improvement retailer like Tailwind Traders, the proverb “measure twice, cut once” is fitting.
Here are some recommended practices that can help you minimize your costs.
Understand estimated costs before you deploy
To help you plan your solution on Azure, carefully consider the products, services, and resources you need. Read the relevant documentation to understand how each of your choices is metered and billed.
Calculate your projected costs by using the Pricing calculator and the Total Cost of Ownership (TCO) Calculator. Only add the products, services, and resources that you need for your solution.
Use Azure Advisor to monitor your usage
Ideally, you want your provisioned resources to match your actual usage.
Azure Advisor identifies unused or underutilized resources and recommends unused resources that you can remove. This information helps you configure your resources to match your actual workload.
The following image shows some example recommendations from Azure Advisor:
Recommendations are sorted by impact: high, medium, or low. In some cases, Azure Advisor can automatically remediate, or fix, the underlying problem. Other issues, such as the two that are listed as high impact, require human intervention.
Use spending limits to restrict your spending
If you have a free trial or a credit-based Azure subscription, you can use spending limits to prevent accidental overrun.
For example, when you spend all the credit included with your Azure free account, Azure resources that you deployed are removed from production and your Azure virtual machines (VMs) are stopped and deallocated. The data in your storage accounts is available as read-only. At this point, you can upgrade your free trial subscription to a pay-as-you-go subscription.
If you have a credit-based subscription and you reach your configured spending limit, Azure suspends your subscription until a new billing period begins.
A related concept is quotas, or limits on the number of similar resources you can provision within your subscription. For example, you can allocate up to 25,000 VMs per region. These limits mainly help Microsoft plan its datacenter capacity.
Use Azure Reservations to prepay
Azure Reservations offers discounted prices on certain Azure services. Azure Reservations can save you up to 72 percent as compared to pay-as-you-go prices. To receive a discount, you reserve services and resources by paying in advance.
For example, you can prepay for one year or three years of use of VMs, database compute capacity, database throughput, and other Azure resources.
The following example shows estimated savings on VMs. In this example, you save an estimated 72 percent by committing to a three-year term.
Azure Reservations are available to customers with an Enterprise Agreement, Cloud Solution Providers, and pay-as-you-go subscriptions.
Choose low-cost locations and regions
The cost of Azure products, services, and resources can vary across locations and regions. If possible, you should use them in those locations and regions where they cost less.
But remember, some resources are metered and billed according to how much outgoing (egress) network bandwidth they consume. You should provision connected resources that are metered by bandwidth in the same Azure region to reduce egress traffic between them.
Research available cost-saving offers
Keep up to date with the latest Azure customer and subscription offers, and switch to offers that provide the greatest cost-saving benefit.
Use Azure Cost Management + Billing to control spending
Azure Cost Management + Billing is a free service that helps you understand your Azure bill, manage your account and subscriptions, monitor and control Azure spending, and optimize resource use.
The following image shows current usage broken down by service:
In this example, Azure App Service, a web application hosting service, generates the greatest cost.
Azure Cost Management + Billing features include:
- Reporting
Use historical data to generate reports and forecast future usage and expenditure.
- Data enrichment
Improve accountability by categorizing resources with tags that correspond to real-world business and organizational units.
- Budgets
Create and manage cost and usage budgets by monitoring resource demand trends, consumption rates, and cost patterns.
- Alerting
Get alerts based on your cost and usage budgets.
- Recommendations
Receive recommendations to eliminate idle resources and to optimize the Azure resources you provision.
Apply tags to identify cost owners
Tags help you manage costs associated with the different groups of Azure products and resources. You can apply tags to groups of Azure resources to organize billing data.
For example, if you run several VMs for different teams, you can use tags to categorize costs by department, such as Human Resources, Marketing, or Finance, or by environment, such as Test or Production.
Tags make it easier to identify groups that generate the biggest Azure costs, which can help you adjust your spending accordingly.
The following image shows a year’s worth of usage broken down by tags on the Azure Cost Management + Billing page:
Resize underutilized virtual machines
A common recommendation that you’ll find from Azure Cost Management + Billing and Azure Advisor is to resize or shut down VMs that are underutilized or idle.
As an example, say you have a VM whose size is Standard_D4_v4, a general-purpose VM type with four vCPUs and 16 GB of memory. You might discover that this VM is idle 90 percent of the time.
Virtual machine costs are linear and double for each size larger in the same series. So in this case, if you reduce the VM’s size from Standard_D4_v4 to Standard_D2_v4, which is the next size lower, you reduce your compute cost by 50 percent.
The following image shows this idea:
Keep in mind that resizing a VM requires it to be stopped, resized, and then restarted. This process might take a few minutes depending on how significant the size change is. Be sure to properly plan for an outage, or shift your traffic to another instance while you perform resize operations.
Deallocate virtual machines during off hours
Recall that to deallocate a VM means to no longer run the VM, but preserve the associated hard disks and data in Azure.
If you have VM workloads that are only used during certain periods, but you’re running them every hour of every day, you’re wasting money. These VMs are great candidates to shut down when not in use and start back when you need them, saving you compute costs while the VM is deallocated.
This approach is an excellent strategy for development and testing environments, where the VMs are needed only during business hours. Azure even provides a way to automatically start and stop your VMs on a schedule.
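The following is an added example, not part of the original module: it reads VM details in the shape that `az vm list -d -o json` returns and plans which dev/test VMs to deallocate outside business hours, combining the tagging and off-hours guidance above. The `environment` tag key, the business-hours window, and the sample VMs are assumptions constructed for illustration.

```python
import json
import shlex
from datetime import datetime

# Constructed sample shaped like `az vm list -d -o json` output (only the fields used here).
SAMPLE_VMS = json.loads("""
[
  {"name": "dev-web-01",  "resourceGroup": "rg-dev",  "powerState": "VM running",
   "tags": {"environment": "Dev"}},
  {"name": "test-sql-01", "resourceGroup": "rg-test", "powerState": "VM stopped",
   "tags": {"environment": "Test"}},
  {"name": "test-web-02", "resourceGroup": "rg-test", "powerState": "VM deallocated",
   "tags": {"environment": "Test"}},
  {"name": "prod-web-01", "resourceGroup": "rg-prod", "powerState": "VM running",
   "tags": {"environment": "Production"}},
  {"name": "poc-vm-07",   "resourceGroup": "rg-poc",  "powerState": "VM running",
   "tags": null}
]
""")

OFF_HOURS_ENVS = {"dev", "test"}   # assumption: tag values that may be shut down
BUSINESS_HOURS = range(8, 18)      # assumption: 08:00-17:59, Monday to Friday


def is_off_hours(now):
    """True on weekends and outside the assumed business hours."""
    return now.weekday() >= 5 or now.hour not in BUSINESS_HOURS


def plan_deallocation(vms, now):
    """Return (commands, untagged) for VMs that should be deallocated at `now`."""
    commands, untagged = [], []
    for vm in vms:
        env = (vm.get("tags") or {}).get("environment")
        if env is None:
            untagged.append(vm["name"])   # no cost owner recorded: review by hand
            continue
        if env.lower() not in OFF_HOURS_ENVS or not is_off_hours(now):
            continue
        # "VM stopped" keeps its compute allocation and is still billed;
        # only "VM deallocated" releases it, so stopped VMs are included.
        if vm["powerState"] != "VM deallocated":
            commands.append("az vm deallocate --resource-group %s --name %s"
                            % (shlex.quote(vm["resourceGroup"]), shlex.quote(vm["name"])))
    return commands, untagged


if __name__ == "__main__":
    cmds, untagged = plan_deallocation(SAMPLE_VMS, datetime(2024, 3, 5, 22, 0))
    print("\n".join(cmds))
    print("untagged, needs an owner:", untagged)
```

The script only prints the `az vm deallocate` commands; it does not run them, so the plan can be reviewed before anything is shut down.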
Delete unused resources
This recommendation might sound obvious, but if you aren’t using a resource, you should shut it down. It’s not uncommon to find nonproduction or proof-of-concept systems that are no longer needed following the completion of a project.
Regularly review your environment, and work to identify these systems. Shutting down these systems can have a dual benefit: it saves on infrastructure costs and can also save on licensing and operating costs.
Migrate from IaaS to PaaS services
As you move your workloads to the cloud, a natural evolution is to start with infrastructure as a service (IaaS) services because they map more directly to concepts and operations you’re already familiar with.
Over time, one way to reduce costs is to gradually move IaaS workloads to run on platform as a service (PaaS) services. While you can think of IaaS as direct access to compute infrastructure, PaaS provides ready-made development and deployment environments that are managed for you.
As an example, say you run SQL Server on a VM running on Azure. This configuration requires you to manage the underlying operating system, set up a SQL Server license, manage software and security updates, and so on. You also pay for the VM whether or not the database is processing queries. One way to potentially save costs is to move your database from SQL Server on a VM to Azure SQL Database. Azure SQL Database is based on SQL Server.
Not only are PaaS services such as Azure SQL Database often less expensive to run, but because they’re managed for you, you don’t need to worry about software updates, security patches, or optimizing physical storage for read and write operations.
Save on licensing costs
Licensing is another area that can dramatically impact your cloud spending. Let’s look at some ways you can reduce your licensing costs.
Choose cost-effective operating systems
Many Azure services provide a choice of running on Windows or Linux. In some cases, the cost depends on which you choose. When you have a choice, and your application doesn’t depend on the underlying operating system, it’s useful to compare pricing to see whether you can save money.
Use Azure Hybrid Benefit to repurpose software licenses on Azure
If you’ve purchased licenses for Windows Server or SQL Server, and your licenses are covered by Software Assurance, you might be able to repurpose those licenses on VMs on Azure.
Some of the details vary between Windows Server and SQL Server. We’ll provide resources at the end of this module where you can learn more.
Knowledge check
Consider the following scenario. Then choose the best response for each question that follows, and select Check your answers.
Before they migrate their existing e-commerce system from their datacenter to production environments on Azure, the Tailwind Traders team wants to first set up environments for development and testing.
Here’s a diagram that shows the basic compute, database, and networking components found in each environment:
An e-commerce system might require a website, the products database, a payment system, and so on. Because developers can’t always run the entire service from their local development environment, the Dev environment is the first place where everything the app needs comes together.
After the development team verifies changes to the Dev environment, they promote changes to the Test environment. The Test environment is where the testing team verifies new app features and also verifies that no regressions, or breaks to existing features, happen as new features are added.
The team will map each component in their existing infrastructure to the appropriate Azure service.
Summary
Tailwind Traders is taking a methodical approach toward cloud migration. While proof-of-concept projects can help demonstrate technical feasibility, having a clear picture of the total cost of running in the cloud will further help the team validate its approach.
To start, the Tailwind Traders team used the Total Cost of Ownership Calculator to estimate the cost savings of operating its solution on Azure instead of in its on-premises datacenter.
From there, the team used the Pricing calculator to get a more detailed estimate for running a typical workload on Azure each month.
The team also created a checklist of cost-saving measures that it can use to help keep down costs. This list includes:
- Perform cost analysis before you deploy.
- Use Azure Advisor to monitor your usage.
- Use spending limits to prevent accidental spending.
- Use Azure Reservations to prepay.
- Choose low-cost locations and regions.
- Research available cost-saving offers.
- Apply tags to identify cost owners.
With these measures in place, the Tailwind Traders team is ready to take the next steps toward cloud migration.
Next steps
If you run existing workloads on-premises or in the datacenter, try entering your existing workloads in the Total Cost of Ownership Calculator to see how the cost of running on Azure compares to what you pay today.
Then, use the Azure documentation to map your current infrastructure to cloud services. Use the Pricing calculator to get a more accurate picture of what it would cost to run your existing workloads on Azure.
Learn more
In this module, you learned about the many factors that affect the total cost of running on Azure.
The Control Azure spending and manage bills with Azure Cost Management + Billing learning path is a great next step toward learning how to monitor and control your Azure spending.
Here are additional resources to help you go further.
Purchase Azure services
- If you’re just getting started with Azure, review commonly asked questions in the Azure free account FAQ to see whether a free trial account is right for you.
- To learn more about how to purchase Azure products and services, see Explore flexible purchasing options for Azure.
Understand your bill
- For more information about Azure usage charges, see Understand terms on your Microsoft Azure invoice.
- To learn more about how bandwidth affects pricing, see Bandwidth pricing details.
Manage and minimize costs
- See Azure Cost Management + Billing to learn more about analyzing costs, creating and managing budgets, exporting data, and reviewing and acting on recommendations.
- Take advantage of significant discounts on development and testing workloads. To learn more, see Azure Dev/Test pricing.
- Learn more about how Azure Reservations can save you money when you commit to one-year or three-year pricing plans.
- Learn how to prevent unexpected charges with Azure billing and cost management.
- See Azure spending limit to learn what happens when you reach your spending limit and how to remove it.
- Learn how to start and stop VMs during off-hours.
- See how Azure Hybrid Benefit can help save costs by bringing Windows Server and SQL Server on-premises licenses with Software Assurance to Azure.