In this article, I’ll explain Azure Monitor.

It’s an essential service for running and managing systems built on Azure.

Although it’s a service that handles infrastructure monitoring, its functions are diverse, so it’s important to understand the big picture first.

I’ll explain with screenshots from the Azure portal, so please read to the end.

Let’s get started!

What is Azure Monitor?

Azure Monitor is a collective term for services that collect usage statistics from cloud and on-premises servers for analysis and monitoring. It’s the equivalent of “Cloud Watch” in AWS.

For AZ-900 exam preparation, when you think of monitoring, remember Azure Monitor.

Azure Monitor is treated as a service that integrates (bundles) multiple services. It has a history of integrating previously separate services under the Azure Monitor service name.

It may be easier to understand if you think of Azure Monitor as an entry point (portal site) for monitoring and analysis.

In the Azure Portal, you can access it from the Monitor menu.

If you actually look at the Monitor menu, you will see that there are several menus available for reviewing metrics, logs, and insights for applications and networks.

Some of the menus (functions) shown here can also be accessed directly from “All services” or by selecting a category.

Overview of Azure Monitor

The big picture of Azure Monitor can be simply represented as follows:

As data sources, in addition to resources on Azure such as virtual machines, you can also collect data from on-premises servers by installing agents.

The data formats collected can be broadly divided into two types:

Metrics are performance-related data, such as CPU and memory or network traffic measurements, that can be displayed as graphs. In general, anything that can be expressed numerically is a metric.

Logs, as the name implies, record all events that occur within the system, and in many cases, the data is stored in a resource called a Log Analytics workspace.

You can monitor the accumulated metrics and logs, and send notifications via email, phone, or smartphone app (Azure mobile app) when specified conditions are met (Alerts).

You can also analyze with queries, visualize with dashboards, or integrate with external systems. It can be a bit complicated due to its many capabilities, but for exam preparation, focus on the following points:

Key Features of Azure Monitor

Although we’ve already touched on some of them, here are the key features of Azure Monitor:

Activity Log

The Activity Log is a log that records write operations (create, modify, delete) performed on Azure resources in your subscription.

It records who did what and when, making it a critical log from an auditing perspective.

By default, activity logs are automatically stored on Azure infrastructure for 90 days. If you want to keep them longer, you can configure them to be sent to a Log Analytics workspace.

As an easy-to-understand example of an activity log, when you stop a virtual machine, a “Deallocate Virtual Machine” log entry is recorded.

Alerts

In Alerts, you can set “alert rules” and view their history.

When creating an alert rule, for example

When the average CPU usage of the virtual machine exceeds 70%,

you can specify an action such as

Send an email to a specified destination

using this condition as a trigger.

Metrics

In Metrics, the Metrics Explorer is displayed, allowing you to view resource performance data in graphs.

Standard metrics are collected automatically when you create a resource, with no additional configuration required. Metrics are retained for 93 days.

The following sample screen shows the average CPU usage of a virtual machine (the time when the VM was stopped is shown as a dashed line).

Logs (Azure Monitor logs)

When you select Logs, “Azure Monitor logs (formerly Log Analytics)” launches.

Here, you can analyze the logs collected in the Log Analytics workspace using a query language called KQL (Kusto Query Language).

It may seem a bit daunting at first, but you can quickly extract data, similar to writing SQL statements to SELECT from a database.

To collect data in a Log Analytics workspace, you must install agents on virtual machines or configure diagnostic settings to connect.

The default retention period is 31 days and can be extended up to 2 years (730 days).

Like activity logs, many logs can be configured to be sent to a Log Analytics workspace, making it an important service for centralized log management.

Application Insights

In the Applications menu, you can create or reference existing resources from Application Insights, which collects application performance and usage data.

To collect data in Application Insights, you must install a package (SDK) in your application or use the Application Insights agent.

When you navigate to the Application Insights dashboard, you can review information such as:

• Failed requests
• Server response time
• Server requests
• Availability

Source: Application Insights Overview dashboard

Summary

In this article, we explained Azure Monitor.

Azure Monitor is an integrated service for monitoring Azure and on-premises servers and applications, and can send notifications via alerts in the event of anomalies.

Let’s make sure we understand the purpose of each of Azure Monitor’s key features.

• Activity Log
• Alerts
• Metrics
• Logs
• Application Insights

See you next time!

View Azure Courses

In this article, I’ll be explaining Azure Service Health.

Azure has several ways to verify that services and resources are working properly, but the coverage varies depending on the method.

Understanding these differences is critical to knowing the impact on the regions, services, and resources your organization uses, so please read to the end.

Let’s get started!

What is Azure Service Health?

Azure Service Health is a service for understanding Azure outages, planned maintenance, and other changes that can affect availability. It consists of three services:

• Azure Status
• Service Health
• Resource Health

It’s confusing that Service Health is within Azure Service Health…

Yes, it is indeed very confusing.

However, for AZ-900 exam preparation, it seems sufficient to focus on the content of “Service Health”. (This is just my personal opinion.)

In fact, some books treat Azure Service Health and Service Health as the same thing, but the official documentation describes Azure Service Health as a parent service that contains three child services.

Azure Status

Azure status allows you to check the operational status of Azure services by region in a tabular format. It’s provided separately from the Azure Portal and can be accessed at azure.status.microsoft.

For Japanese users, you would probably select “Asia Pacific” and check the Japan East and Japan West columns.

This is positioned as a simple tool, and while it provides a comprehensive at-a-glance view, it doesn’t display only the necessary information optimized for the user, nor does it have alert notification features.

Microsoft seems to recommend using Service Health, as described later.

Keep this in mind as a way to check the status if you can’t sign in to the Azure Portal or access Service Health.

Service Health

Service Health, like Azure Status, is a service that lets you know if your Azure services are functioning properly.

Users can check the dashboard for large-scale issues, such as region-wide outages, or receive notifications by registering alert rules.

You can check and track events that fall into the following four categories, not just outages:

Looking at the Azure portal, you can see that events can be checked from menus prepared for each of the four categories.

It’s optimized with only the regions used by the user selected, but you can change the conditions by selecting individual regions or services from the drop-down list.

Click “Add service health alert” to create alert rules and send notifications.

It may seem that you need to exclude regions and services that you do not use, but because the system only sends notifications when events occur in the regions of the services that you use, it is recommended that you select “All” for both.

Resource Health

Resource Health allows you to check the status of individual resources, such as virtual machines, and review past issues.

Open the Resource Health menu, select the resource type, and then select the target resource name to check its status (green checkmarks are already displayed in the list view).

You can see that the current status is “Available”.

You can review up to 30 days of history from the “Health history”, but in this example screen, there is only one history item because the VM was just created.

You can check the same content in the Resource Health menu of the virtual machine.

As with Service Health, clicking “Add resource health alert” allows you to create alert rules and send notifications.

Resource Health is not supported for all services.

For a list of supported resource types and health check details, see the official documentation.

Service Health vs. Resource Health

After reading this far, many people might think:

What’s the difference between Service Health and Resource Health?

The official documentation FAQ states:

What’s the difference between Service Health and Resource Health?

Resource Health provides information about the health of your individual cloud resources, such as a specific virtual machine instance. Service Health provides a personalized view of the status of your Azure services and regions, as well as information about current incidents, planned maintenance, and health advisories.

Source: Frequently asked questions about Azure Service Health

To repeat, as their names suggest:

• Resource Health → Resources
• Service Health → Services

These are methods for checking the health of resources and services, respectively.

For example, let’s say you have a virtual machine in the Japan East region. Let’s consider scenarios where you want to detect problems.

In my experience, if there is a problem with the physical machine hosting the virtual machine, or if disk degradation is detected as a sign of potential failure, you won’t see it through Service Health.

Service Health notifies you of large-scale problems that affect the entire service, but it doesn’t notify you of partial problems at the rack level, for example.

Conversely, if there’s a major problem in the Japan East region, I think you’ll get notifications from both alert rules if you have them set up.

In other words, both are important.

So, in most cases, these services should be used together.

Summary

In this article, we’ve explained Azure Service Health.

While the health check screens themselves are relatively simple and easy to understand, you may be confused about how to use and configure the three services for your environment.

Here’s a brief summary of the three services. First, make sure you understand their uses and differences:

* “Optimized per user” is referred to as “Personalized” in the official documentation

To reiterate, while it’s important to know the uses and differences of all three services in practice, for AZ-900 exam preparation, the content of “Service Health” is likely to be most frequently asked about.

See you next time!

View Azure Courses

In this article, I’ll explain Azure Advisor.

As you can see from the word “Advisor,” it’s a useful service that provides advice on using Azure. Please read to the end.

Let’s get started!

What is Azure Advisor?

Azure Advisor is like a consultant in Azure, automatically analyzing deployed resources and displaying recommendations (“you should do this”) according to common best practices. It’s similar to AWS Trusted Advisor in AWS.

Azure Advisor is free to use.

You can check it by clicking on the Advisor menu in the Azure portal.

Five Categories

Azure Advisor recommendations are classified into the following five categories:

• Reliability
• Security
• Performance
• Cost
• Operational Excellence

For example, what kind of recommendations are there?

Using virtual machines as an easy-to-understand example, there are recommendations such as:

• Resize or stop VMs that aren’t used much
• There are disks isolated and not connected to VMs (delete if unnecessary)
• Enable backup for VMs

Note that Operational Excellence can be a little difficult to understand.

Operational Excellence provides recommendations for streamlining workflows and making resources easier to manage as you operate Azure resources.

For example, there are recommendations such as:

• Limit regions or SKUs with Azure Policy
• Update SDK versions to the latest
• Increase quota limits to avoid hitting restrictions

Advisor Score

Azure Advisor has a feature called Advisor Score that shows how well you’re following recommendations. The more recommendations you follow, the higher your score.

You can check the list of recommendations by clicking on the tiles for the five categories. (You can also check from the recommendations menu)

It’s like a test score

It’s fun to work through each recommendation and increase your score because it feels like you’re leveling up your Azure environment.

Advisor Alerts

Azure Advisor also has settings for sending notifications.

• Alerts
• Recommendation digests

With Advisor alerts, you can receive notifications when there are recommendations that meet specific conditions.

In the following example screen, the category is set to any, and alerts are set only for recommendations with a “high” impact level.

Advisor Recommendation Digests

With the recommendation digests, you can receive regular reports.

In the following example screen, it’s set to receive weekly reports on recommendations for all categories.

Things to Know About Azure Advisor

Here are some points to note that are likely to be asked on the AZ-900 exam.

Does Not Restrict Usage

Azure Advisor only suggests recommendations and does not restrict the use of anything.

Recommendations are for Existing Resources Only

Azure Advisor analyzes existing resources and provides recommendations.

It doesn’t display recommendations like “this is what you should configure” when you create new networks or virtual machines.

Paid Services May Be Required

Using Azure Advisor itself is free.

However, some recommendations may require the use of fee-based services.

For example, the following recommendation suggests configuring a private endpoint (private link) to securely access a storage account.

Summary

In this article, we have covered an overview of Azure Advisor. For AZ-900 exam preparation, make sure to focus on the “Points to Note” explained at the end.

Looking at Azure Advisor’s recommendations can also be educational from a design perspective, helping you to understand “what aspects should be considered for configuration”.

It might be a good idea to start by looking at the “Cost” category, where the content of the recommendations and their implications are easy to understand.

That’s all for now. See you next time!

View Azure Courses

In this article, I’ll be explaining Azure Arc.

Arc probably means something like a bridge, but from the service name it’s hard to imagine what kind of functionality it offers, right?

To help you visualize it better, I’ll explain it by showing you screenshots from my actual tests, so please read to the end.

Let’s get started!

What is Azure Arc?

Azure Arc is a service for centrally managing distributed server environments outside of Azure on the Azure platform.

• Other cloud services
• Edge computing
• On-premises

The idea is to connect Windows Servers, Linux, Kubernetes clusters, and other environments outside of Azure to Azure for unified management.

Source: Describe Azure Arc

Azure Arc is a relatively new service that was announced in 2019.

It was created as a solution for centralized management in Azure, as server management tends to become complex in hybrid cloud and multi-cloud environments.

The implication of this is that in reality, the infrastructure environment of a company is rarely based on a single cloud, but is instead a hybrid of existing on-premise environments and other company clouds such as AWS and GCP.

Benefits of Azure Arc

What are the benefits of centralized management on Azure?

Here’s an excerpt from the official documentation:

• Manage your entire environment together by projecting your existing non-Azure and/or on-premises resources into Azure Resource Manager.
• Manage virtual machines, Kubernetes clusters, and databases as if they are running in Azure.
• Use familiar Azure services and management capabilities, regardless of where your resources live.

Source: Azure Arc overview

After trying it for the first time, I found that you can do the following:

• View in Azure Portal
• Apply Azure Policy
• Integrate with Azure Monitor
• Collect IT asset information (inventory) such as installed software
• Manage updates
• Track change history
• Add extensions
• Apply tags and locks

Managing both internal and external resources with these unified methodologies simplifies governance and reduces management overhead.

I found it impressive that you can list external servers and apply ARM functionality with the same familiar Azure portal usability.

I now understand what the official documentation means by “project to Azure Resource Manager” and “as if they are running in Azure“.

I’ve connected two AWS virtual servers (EC2) to Azure Arc as a test, so I’ll briefly introduce that.

There are several ways to connect (onboard) to Azure Arc, but here we will show how to add a single server by installing an agent on the server you want to connect from.

For Linux, it’s a shell script, and for Windows, it’s a PowerShell command that you can view and get from the Azure portal.

Once connected, they will be listed as Azure Arc servers.

You can see that they’re also displayed as resources when you look at the resource group.

Looking at the overview menu, you can see that the operating system of this EC2 instance is “Amazon Linux 2023”.

By enabling VM insights, you can check CPU and disk usage, etc.

I also confirmed that you can add tags and register delete locks to prevent deletion.

In addition, you can configure features such as policies, update management, and inventory from menus other than the overview.

Some features require integration with Azure Automation or Log Analytics, but this is the same even for Azure virtual machines.

Summary

In this article, we explained Azure Arc.

For AZ-900 exam preparation, remember to think of Azure Arc when you hear “centralized management of external servers outside of Azure“.

See you next time!

View Azure Courses

In this article, I’ll explain Azure Resource Manager.

It’s an important mechanism for understanding the behind-the-scenes workings of Azure resource management. It will also help you understand the benefits of expressing infrastructure as code. Please read to the end.

Let’s get started!

What is Azure Resource Manager?

Azure Resource Manager is a service for managing and deploying Azure resources. It’s often abbreviated as ARM.

ARM has the following mechanisms to efficiently manage multiple resources (see the linked articles for details):

• Manage resources in a hierarchical structure
• Prevent resource deletion (resource locks)
• Label resources (tags)

While it’s necessary to thoroughly understand these individual features, there aren’t many occasions where you’ll need to be aware of ARM itself.

In addition, ARM serves as the single point of contact for receiving requests to create, update, and delete Azure resources.

In Azure, you can manage resources not only through the GUI screen of the Azure portal but also through command-line tools such as Azure PowerShell and Azure CLI.

All of these requests go through ARM, which then authenticates with the Microsoft Entra ID, converts the requests into a form that ARM can interpret (ARM templates), and deploys the resources.

This mechanism ensures that all requests are processed through the same point of contact, resulting in consistent results and functionality even when different tools are used.

It’s as if emails sent in Japanese, Chinese, and Korean were translated into English, the common language of the world.

What are ARM templates?

The code that is converted into a form that ARM can interpret is called “ARM templates” and is expressed in JSON format.

For example, an ARM template is written like this:

{
  "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {},
  "variables": {},
  "resources": [
      {
          "name": "azstart-vnet",
          "type": "Microsoft.Network/VirtualNetworks",
          "apiVersion": "2021-01-01",
          "location": "japaneast",
          "properties": {
              "addressSpace": {
                  "addressPrefixes": [
                      "10.1.0.0/16"
                  ]
              },
              "subnets": [
                  {
                      "name": "default",
                      "properties": {
                          "addressPrefix": "10.1.0.0/24"
                      }
                  }
              ]
          }
      }
  ]
}

It may seem confusing at first, but for now, just try to get a feel for it. The AZ-900 exam doesn’t test you on syntax.

The JSON format tends to have many lines due to the use of curly braces and square brackets for parameters, but if you look closely, you can see the following information in the resources block:

This means that every parameter you enter on the Azure Portal screen is expressed in code.

Using code to manage and deploy infrastructure configurations, such as networks and servers, is called Infrastructure as Code (IaC).

Azure provides ARM templates and Bicep as IaC tools. Terraform is a well-known third-party tool.

Now, let’s return to ARM templates.

While you can write ARM templates from scratch, Azure Porta actually creates them automatically. Click on “View automation template” on the “Review + create” screen. (In this example, we’re trying to create a virtual network.)

This allows you to view or download the ARM template that describes the resource you’re creating.

Alternatively, you can review and download the template from the deployment completion screen after you create the resource.

ARM templates are useful when deploying multiple resources together, or when deploying the same set of resources to multiple environments.

To deploy using an ARM template, use “Deploy a custom template”.

Summary

In this article, we explained the mechanisms of Azure Resource Manager and ARM templates.

ARM templates can be intimidating at first, but once you create a template, you can reuse it, share it with your team, and manage versions. So as you become more familiar with Azure, give it a try.

Personally, I prefer Bicep or Terraform, which are easier to read.

For the AZ-900 exam preparation, remember these two points:

• Azure Resource Manager provides APIs for creating, updating, and deleting Azure resources, and provides a common platform for maintaining consistency across your Azure environment, even when deployed using different tools.
• ARM templates are useful when deploying multiple resources together, or when deploying the same set of resources to multiple environments.

See you next time!

View Azure Courses

While Azure allows you to manage resources through the Azure Portal GUI tool, it also provides tools for managing resources through command-line operations.

• Azure CLI
• Azure PowerShell

These Azure tools are also covered in the AZ-900 exam, so in this article I’ll provide an overview of each tool, their differences, which one you should use, and the criteria for choosing between them.

Let’s get started!

What is Azure CLI?

Azure CLI is a command-line tool for operating Azure. You can install and use it locally on Linux, Mac, or Windows.

Azure CLI commands are written as az <resource type> <verb>. For example, to create a resource group, you would run the following command with parameters that specify the name and region:

az group create --name SampleRG --location japaneast

The results of the command execution are output in JSON format. If you check the Azure portal, you can see that a resource group named “SampleRG” has been created.

What is Azure PowerShell?

Azure PowerShell is also a command-line tool for operating Azure that can be installed and used locally on Linux, Mac, or Windows.

You might think of PowerShell as the successor to the command prompt that comes with Windows, but you can also use it on Linux and Mac if you install it.

Even on Windows, Azure PowerShell is not available by default, and you must install the Azure PowerShell module as an add-on.

Azure PowerShell commands are written in the form of <verb>-Az<resource type>. As before, to create a resource group, you would run the following command with parameters that specify the name and region:

New-AzResourceGroup -Name SampleRG -Location japaneast

Azure CLI vs Azure PowerShell

Now that we understand that there are two command-line tools, Azure CLI and Azure PowerShell, you might be wondering:

Which one should I choose?

In general, people familiar with Linux shell scripting tend to choose Azure CLI, while people familiar with Windows PowerShell tend to choose Azure PowerShell.

If you’re using it for work, it’s important to consider which tool your team members are more comfortable with.

In my experience, Azure CLI feels more intuitive and easier to understand, with a lower learning curve.

On the other hand, PowerShell is a type of object-oriented programming language, so you can store and reference variables as objects, and exception handling is easier with try-catch.

Roughly speaking, Azure PowerShell is better suited for handling more complex operations.

Consider your previous experience, learning costs, and the complexity of the operations you want to perform when making your choice. Deciding based on whether your server environment is Windows or Linux is also an option. If it doesn’t matter which one you use, I recommend trying it out with Azure CLI.

Incidentally, I started with Azure PowerShell because I was a hardcore Windows user, but after studying Linux, I came to prefer Azure CLI. In real-world environments, the choice often depends on the server operating system.

One point likely to be asked in the AZ-900 exam is that both tools work on Linux, Mac, and Windows (i.e., they are cross-platform).

If you want to try Azure CLI or Azure PowerShell, Azure Cloud Shell is convenient. I’ve explained how to use it in this article, so please refer to it.

【AZ-900】What is Azure Cloud Shell? Beginner's Guide to Getting StartedHi, I'm Makoto, a freelance engineer. In this article, I'll be ex...

Summary

In this article, we’ve explained the differences between Azure CLI and Azure PowerShell.

As you become more familiar with Azure, command-line operations become convenient. They’re useful for repeating the same process or sharing procedures with others.

The official documentation also provides tutorials to help you learn the commands:

• Create virtual machines with Azure CLI
• Create virtual machines with the Azure PowerShell

Please try them out and get hands-on experience.

View Azure Courses

In this article, I’ll be explaining about Azure Cloud Shell.

While AWS also has Cloud Shell, Azure was the first to offer it. The first time I used Azure Cloud Shell, I was amazed:

How convenient this is!

It’s still one of the services I use the most.

What’s so convenient about it? To answer such questions, I’ll give you an overview of the Azure Cloud Shell. Please read to the end.

Let’s get started!

What is Azure Cloud Shell?

Azure Cloud Shell is a browser-based command execution environment (shell tool) that allows you to instantly use an environment with commonly used command line tools and languages installed.

You can access it from the icon in the upper right corner of the Azure Portal or directly at shell.azure.com.

How to Use Azure Cloud Shell

When you start Azure Cloud Shell, you see a welcome screen that lets you choose your shell environment. You can choose between Bash and PowerShell. (Bash is a common command execution environment on Linux.)

Select whether or not to mount a storage account (file share), depending on whether or not you need to store data in the Azure Cloud Shell environment.

• No storage account required
  • When you do not need to store data
  • You can start using it as soon as you move on to the next step
• Mount storage account
  • When you need to store data
  • Select a subscription and continue

When you select “Mount storage account”, you can either select an existing storage account or create a new one.

• Select existing storage account
  • On the next screen, select an existing storage account name and file share
• We will create a storage account for you
  • Storage accounts and file share are created automatically.
• I want to create a storage account
  • On the next screen, enter the storage account name, resource group, file share, and region.

The Azure Cloud Shell itself is free to use, but there is a small storage fee when you mount a storage account. For more information about storage accounts, see this article.

【AZ-900】What is Azure Storage? Complete Guide to Data Services and Redundancy OptionsHi, I'm Makoto, a freelance engineer. In this article, I'll expla...

When Azure Cloud Shell starts, you’ll see a screen like this. In this example, it’s started with Bash.

There is a toolbar at the top of the screen, and you can switch between the Bash and PowerShell shell environments by clicking the button in the upper left corner.

This is what it looks like when switched to PowerShell.

A virtual machine is running in the background, but you can immediately launch the command execution environment without even noticing the existence of the server.

It’s convenient because it’s easy to launch and start using right away.

Tools Available in Azure Cloud Shell

Azure Cloud Shell comes pre-installed with tools for managing Azure through command operations, such as Azure CLI and Azure PowerShell.

For more information about these two Azure tools, see this article.

【AZ-900】Azure CLI vs Azure PowerShell: Understanding the DifferencesHi, I'm Makoto, a freelance engineer. While Azure allows you to m...

In addition to Azure CLI and Azure PowerShell, commonly used tools, editors, and languages are also installed. It’s really convenient to be able to use them right out of the box from any device without any installation.

For details about the installed tools and languages, see the official documentation.

Storage Persistence Mechanism

Now, I’m going to add some information about the storage that is mounted on the Azure Cloud Shell, even though I don’t think it will be asked on the AZ-900 exam.

Azure Cloud Shell times out and disconnects the session after 20 minutes of inactivity. You can reconnect to start a new session and continue using it, but you might be wondering:

Will the files I save in Azure Cloud Shell disappear?

The answer is “No“.

In Azure Cloud Shell, a file share is mounted as the data storage destination, so data stored in the following locations is persisted (see the official documentation for details):

• /home/<User> （$HOME）
• /home/<User>/clouddrive

The home directory (/home/<User>) mounts an img file created in the file share, and you can store up to 5GB of data.

If you want to upload files from outside or take them out, save them in the “clouddrive” directory. This is linked to the file share directory (cs-<User>-xxx).

Let’s try creating an empty file called “testfile.txt” in the clouddrive directory.

If you look at the contents of the file share in the storage account in the Azure portal, you can see that “testfile.txt” has been created.

Summary

In this article, we’ve explained the overview of the Azure Cloud Shell. Here are the key points to prepare for the AZ-900 exam:

• Can be used from a browser regardless of OS
• You need a storage account to store data.
• Shell environment can be selected between Bash and PowerShell
• Tools such as Azure CLI and Azure PowerShell are pre-installed

Azure Cloud Shell lets you quickly run commands from a browser without setting up a local environment, which is great for quick checks and tasks.

Give it a try!

In this article, I’ll be explaining about the Service Trust Portal.

It’s a useful portal site for learning about Microsoft’s various initiatives. Please read through to the end.

Let’s get started!

What is the Service Trust Portal?

The Service Trust Portal provides a variety of content, tools, and other resources related to Microsoft security, privacy, and compliance.

It’s also a central location for documents related to regulatory requirements and privacy standards.

You can access it at the following URLs:

• servicetrust.microsoft.com
• aka.ms/STP (short URL)

We are trying to benefit from cost reduction, high availability, and rapid response to change by using Azure (cloud).

To do this, we are entrusting our applications and data to Microsoft’s data centers, but how do we verify the security of these applications and data?

Of course, there’s a sense of security from the “Microsoft” brand because it’s a well-known company, but as an organization, there’s a need to objectively prove that security.

Microsoft undergoes third-party audits and receives various types of certifications. On the Service Trust Portal, you can view audit reports, certificates, and penetration test and vulnerability assessment reports.

So Microsoft is really emphasizing that they can be trusted, huh?

Representative standards, compliance standards, and privacy standards include:

• International Organization for Standardization (ISO)
• System and Organization Controls (SOC)
• General Data Protection Regulation (GDPR)

Microsoft takes these steps to earn the trust of its customers and users, and by accessing the Service Trust Portal, you can learn how they comply with legal and regulatory standards.

For an overview of what can be confirmed from which menu, see the Microsoft Learn “Describe the offerings of the Service Trust portal“. It’s summarized in an easy-to-understand way.

Note that the Service Trust Portal is free to use, but to access some resources, you must sign in using a Microsoft cloud service account for Azure / M365 / D365.

When you sign in, you can also save documents to your My Library.

Summary

In this article, we explained about the Service Trust Portal.

It may be a bit difficult to approach, as it’s more of a portal for corporate compliance officers rather than engineers, but for AZ-900 exam preparation, let’s get the terminology and overview.

See you next time!

View Azure Courses

One of the benefits of the cloud is that you can easily create resources and delete them when you don’t need them anymore. However, sometimes we accidentally delete resources in unintended ways.

What types of accidents can occur?

One reason is that you don’t use it as carefully in your personal environment, but here’s a common example:

• Deleting an entire resource group that accidentally included resources you wanted to keep
• Accidentally deleting the wrong virtual machine due to similar names

Ideally, we should work with a user who doesn’t have delete permissions, but there are cases where we want to use an admin user, such as for personal learning.

In this article, I’ll introduce the “lock” feature that prevents Azure resources from being deleted. It’s very easy to set up, but there are also important considerations you need to know, so please read to the end.

Let’s get started!

Types of Resource Locks

Locks are a feature that prevents accidental deletion of created resources. There are two types:

Read-only locks prevent both modification and deletion. The resource becomes ReadOnly state.

Delete locks allow modification but prevent deletion. The resource becomes CanNotDelete state.

Both types of locks still allow you to view the locked resources.

Although it’s not very common, you can apply both types of locks to a single resource. In this case, the more stringent read-only lock takes precedence.

To delete a locked resource, you must first remove the lock and then delete the resource. Even administrators cannot delete a resource without first removing the lock.

Scope of Lock Application

Locks can be applied to subscriptions, resource groups, and individual resources. They cannot be applied to management groups.

For more details on the Azure resource hierarchy structure, see this article.

【AZ-900】Azure Management Infrastructure: Understanding Subscription, Resource Group, Resource and Management GroupHi, I'm Makoto, a freelance engineer. In this article, I'll expla...

When you apply a lock to a parent scope, all resources within that scope inherit the same lock. In this case, the more stringent read-only lock takes precedence.

Let me show you examples using the Azure Portal screens.
In the Subscription, Resource Group, and Resource menus, you can find the Locks menu, where you can add, edit, or delete locks.

This screen example shows adding a “Read-only Lock” to a resource group. The registered lock appears in the list and can be edited or deleted later.

Next, if we check the locks on a virtual machine within the resource group, we can see that the lock set on the resource group is inherited, and editing or deleting it is not allowed.

I have added a delete lock to the virtual machine. In this case, the more stringent read-only lock takes precedence.

When we try to resize the virtual machine, we get an error saying “Please remove the lock and try again”. By the way, you can’t stop, restart, or start the virtual machine in a read-only state. (These actions are possible with a delete lock).

Things to Know About Resource Locks

As mentioned in the “Considerations before applying your locks” section of the official documentation, applying locks can lead to unexpected results. Here are some important points to consider.

We’ve seen an example where you can’t stop/start a virtual machine, but be especially careful with read-only locks because they prevent any modification operations.

Auto-Scale Stops Working

If you set a read-only lock on a virtual machine scale set or App Service, you will not be able to create or delete new instances, and as a result, auto-scaling will not work.

Data Stored in Azure Resources Is Not Locked

Locking a storage account or SQL Database does not protect the data stored in it.

For example, even if you apply a delete lock to a storage account, you can still delete blobs within it.

Data protection should be handled using service features like versioning or backups.

Azure Advisor May Not Function Properly

If you set a read-only lock on a subscription, Azure Advisor will not work correctly.

However, all resources under the subscription will become unchangeable, and you will not be able to create new resources, so I don’t think you will make a mistake.

Azure May Automatically Apply Locks

This is more of a “good to know” point than a consideration, but some resources may be automatically locked by Azure.

For example, when you purchase a domain using the App Service Domains service in Azure, a “DNS zone” is automatically created because the domain is managed by Azure DNS.

To manage these domains, it is important not to accidentally delete the App Service Domains and DNS Zone, so Azure will automatically register a delete lock.

Summary

In this article, we introduced the lock feature that prevents Azure resources from being deleted and showed examples using Azure Portal screens.

The key points likely to be tested on the AZ-900 exam are:

Also, while probably not tested on the exam, make sure you understand the important considerations when using locks in practice.

See you next time!

View Azure Courses

In this article, I’ll explain Azure Policy. As the word “policy” suggests, it’s an important service for properly operating Azure resources by defining rules.

I’ll introduce the actual configuration screen in a hands-on format. I think it’s easier to visualize when you learn while looking at the screen, so please read to the end.

Let’s get started!

What is Azure Policy?

Azure Policy is a mechanism for keeping Azure resources in compliance with your organization’s rules. It has the following two roles:

• Enforce the creation of resources according to the rules
• Notify when there are resources that violate rules

For example, you can “allow resource creation only in Japanese regions” or “limit virtual machine creation to certain sizes”.

By applying Azure policies, you can maintain a state where the system is operating in the way your organization wants it to.

How Azure Policy Works

Azure Policy introduces three main terms:

• Policy definition
• Initiative definition
• Assignments

Each rule is called a policy definition, and a collection of multiple policy definitions is called an initiative definition.

The difference between policy definitions and initiative definitions is a point often asked on the AZ-900 exam. Think of it as single vs. set.

Policy definitions and initiative definitions can be assigned to scopes such as Management Groups, Subscriptions, and Resource Groups.

Policies assigned to parent scopes are inherited by child scopes.

For a detailed explanation of the Azure resource hierarchy, see this article.

【AZ-900】Azure Management Infrastructure: Understanding Subscription, Resource Group, Resource and Management GroupHi, I'm Makoto, a freelance engineer. In this article, I'll expla...

Here’s a diagram illustrating how Azure Policy works:

Azure Portal Configuration

In the Azure Portal, it appears as a “Policy” service. When you open Definitions in Policy, you see a list of built-in definitions that are pre-populated.

Here, we’ll select the “Allowed locations” policy definition to restrict resource regions.

When you open a policy definition, you’ll see that it’s actually a rule written in JSON format. Azure Policy Samples are published on GitHub, which can be helpful when creating your own custom definitions.

Press “Assign policy” to continue.

In the Basics tab, select the Scope. Here we’ll select the subscription and continue.

Next is the Parameters tab. Select Japan East and Japan West as the allowed regions. The other tabs are not mandatory, so we’ll create it with these settings.

You can review assigned definitions in the Assignments menu.

When I tried to create a virtual machine in a region other than Japan, I received a policy violation message. This indicates that the Azure policy is working correctly.

Reference:

By the way, if you limit virtual machine sizes, sizes that are not allowed will be grayed out and unselectable.

You can check compliance with Azure policy rules from the Overview or Compliance menus.

If we open the “Allowed locations” policy definition that we just assigned, we can see that resources located in regions outside of Japan are displayed as “Non-compliant”.

Things to Know About Azure Policy

Here are some questions that may be asked on the AZ-900 exam.

If you apply Azure policies when there are existing resources that are prohibited from being created in the future, those existing resources will not be automatically deleted or modified.

As shown in the previous screen, it only displays whether there are any violations.

However, some policy definitions support the ability to “remediate” non-compliant resources. However, it’s unlikely that this level of detail will be required.

That means it’s best to set up Azure policies at the beginning, when you first start using Azure, after you’ve confirmed your organization’s rules.

Summary

In this article, we introduced Azure Policy along with actual configuration screens.

Azure Policy has a mechanism to enforce the creation of resources according to rules, and to warn about resources that violate rules as non-compliant resources.

Make sure you understand the mechanism well, as it is a representative service for achieving proper governance for your organization.

View Azure Courses