AZ-900 Objective 2.2: Describe Azure Compute and Networking Services

Understanding Azure Compute and Networking

Azure compute and networking services provide the fundamental building blocks for deploying and connecting applications and workloads in the cloud. Compute services offer various options for running applications, from traditional virtual machines to modern serverless functions, while networking services enable secure and reliable connectivity between resources, users, and external systems. Understanding these services and their capabilities is crucial for designing effective Azure solutions that meet specific business and technical requirements.

The choice of compute and networking services significantly impacts application performance, scalability, security, and cost. Different compute options provide varying levels of control, management overhead, and scalability, while networking services enable secure communication and connectivity options that range from simple internet access to dedicated private connections. This comprehensive understanding enables informed decision-making when designing Azure architectures and selecting appropriate services for specific use cases.

Comparing Compute Types

Containers

Containers are lightweight, portable units that package applications and their dependencies into a single deployable unit, providing consistent environments across development, testing, and production. Azure offers several container services including Azure Container Instances (ACI) for simple container deployment, Azure Kubernetes Service (AKS) for orchestrated container management, and Azure Container Apps for serverless container hosting. Containers provide excellent portability, rapid deployment, and efficient resource utilization compared to traditional virtual machines.

Container services in Azure enable developers to build, deploy, and manage containerized applications without managing the underlying infrastructure. These services provide automatic scaling, load balancing, and health monitoring capabilities that simplify container management and ensure high availability. Containers are particularly well-suited for microservices architectures, modern application development, and scenarios requiring rapid deployment and scaling of applications.

Virtual Machines

Virtual machines (VMs) provide complete control over the operating system and application environment, making them ideal for legacy applications, custom configurations, and scenarios requiring specific software or hardware configurations. Azure Virtual Machines offer a wide range of sizes and configurations, from small development VMs to large-scale high-performance computing instances. VMs provide the highest level of control and flexibility among Azure compute options, enabling customers to run any operating system and install any software.

Azure VMs support both Windows and Linux operating systems and can be configured with various amounts of CPU, memory, and storage based on specific requirements. VMs are managed by customers who are responsible for operating system updates, security patches, and application management, while Azure handles the underlying infrastructure including hardware, networking, and data center operations. This model provides maximum flexibility but requires more management overhead compared to other compute options.

Functions (Serverless)

Azure Functions provide serverless compute capabilities that automatically scale based on demand and charge only for the actual execution time of code. Functions are event-driven and can be triggered by various sources including HTTP requests, database changes, file uploads, or scheduled timers. This serverless model eliminates the need to manage infrastructure and provides automatic scaling, making it ideal for event-driven applications, APIs, and microservices that have variable or unpredictable workloads.

Azure Functions support multiple programming languages including C#, JavaScript, Python, and PowerShell, enabling developers to use their preferred languages and frameworks. Functions automatically handle scaling, load balancing, and infrastructure management, allowing developers to focus on business logic rather than infrastructure concerns. This serverless approach provides excellent cost optimization for applications with sporadic usage patterns and enables rapid development and deployment of event-driven solutions.

Compute Type Comparison

Virtual Machine Options

Azure Virtual Machines

Azure Virtual Machines provide on-demand, scalable computing resources that can be created and configured to meet specific application requirements. VMs offer complete control over the operating system and application environment, making them suitable for a wide range of workloads including web applications, databases, development environments, and legacy applications. Azure VMs support both Windows and Linux operating systems and can be configured with various amounts of CPU, memory, and storage.

Azure VMs are available in multiple sizes and series, each optimized for different types of workloads. General-purpose VMs provide balanced CPU and memory for most applications, while compute-optimized VMs offer high CPU-to-memory ratios for compute-intensive workloads. Memory-optimized VMs provide high memory-to-CPU ratios for memory-intensive applications, and storage-optimized VMs offer high disk throughput and IOPS for data-intensive workloads. This variety enables customers to select the most appropriate VM size for their specific requirements.

Azure Virtual Machine Scale Sets

Azure Virtual Machine Scale Sets enable customers to create and manage a group of identical virtual machines that can automatically scale based on demand or a defined schedule. Scale sets provide high availability and application resiliency by distributing VMs across multiple fault domains and update domains, ensuring that applications remain available even when individual VMs fail or require updates. This automatic scaling capability helps optimize costs by scaling resources up during peak demand and down during low usage periods.

Scale sets support both manual and automatic scaling based on metrics such as CPU utilization, memory usage, or custom application metrics. They also support rolling updates that enable applications to be updated without downtime by updating VMs in batches. Scale sets integrate with Azure Load Balancer and Application Gateway to distribute traffic across multiple VMs, providing high availability and improved performance for applications that require multiple instances.

Availability Sets

Azure Availability Sets ensure that virtual machines are distributed across multiple physical servers, storage systems, and network switches to provide high availability and fault tolerance. Availability Sets protect against hardware failures by ensuring that VMs are not all running on the same physical hardware, reducing the risk of downtime due to hardware failures. This distribution is essential for applications that require high availability and cannot tolerate single points of failure.

Availability Sets distribute VMs across fault domains, which represent different physical servers, and update domains, which represent groups of VMs that can be updated together. This distribution ensures that planned maintenance and hardware failures affect only a subset of VMs, allowing applications to continue running on healthy VMs. Availability Sets are particularly important for multi-tier applications where different tiers can be placed in different availability sets to ensure overall application availability.

Azure Virtual Desktop

Azure Virtual Desktop (AVD) provides a cloud-based virtual desktop infrastructure (VDI) solution that enables users to access Windows desktops and applications from any device, anywhere. AVD supports both Windows 10 and Windows 11 multi-session deployments, as well as Windows Server session-based desktops, providing flexibility for different use cases and user requirements. This service enables organizations to provide secure, scalable desktop access while reducing the complexity and cost of managing traditional VDI infrastructure.

AVD integrates with Microsoft 365 and Azure Active Directory to provide seamless user authentication and access control, while supporting various client devices including Windows, Mac, iOS, Android, and web browsers. The service provides built-in security features including multi-factor authentication, conditional access, and data encryption, making it suitable for organizations with strict security requirements. AVD also supports application virtualization and can deliver both full desktops and individual applications based on user needs.

Resources Required for Virtual Machines

Application Hosting Options

Web Apps

Azure App Service provides a fully managed platform for hosting web applications, APIs, and mobile backends without requiring infrastructure management. App Service supports multiple programming languages and frameworks including .NET, Java, Node.js, Python, and PHP, enabling developers to use their preferred technologies. The service provides automatic scaling, load balancing, and built-in security features that simplify application deployment and management while ensuring high availability and performance.

App Service offers several hosting plans including Free, Shared, Basic, Standard, Premium, and Isolated tiers, each providing different levels of performance, features, and scaling capabilities. The service integrates with Azure DevOps, GitHub, and other CI/CD tools to enable continuous deployment, while providing built-in monitoring, logging, and diagnostics capabilities. App Service also supports custom domains, SSL certificates, and integration with Azure Active Directory for authentication and authorization.

Container Hosting

Azure provides multiple options for hosting containerized applications, each offering different levels of management and control. Azure Container Instances (ACI) provides the simplest way to run containers without managing servers or orchestrators, making it ideal for simple applications and batch jobs. Azure Kubernetes Service (AKS) provides a managed Kubernetes service for orchestrating containerized applications at scale, while Azure Container Apps offers a serverless container platform for microservices and event-driven applications.

Container hosting options in Azure provide excellent portability, rapid deployment, and efficient resource utilization compared to traditional hosting methods. These services support both Windows and Linux containers and integrate with Azure Container Registry for storing and managing container images. Container services also provide automatic scaling, health monitoring, and load balancing capabilities that simplify container management and ensure high availability for containerized applications.

Virtual Machine Hosting

Virtual machines provide the most flexible hosting option for applications that require specific configurations, legacy software, or complete control over the environment. VMs can host any type of application including web servers, databases, custom applications, and third-party software that cannot be easily containerized or deployed to managed services. This flexibility makes VMs suitable for complex applications with specific requirements or organizations that need to maintain existing application architectures.

VM hosting requires more management overhead compared to managed services, as customers are responsible for operating system updates, security patches, and application management. However, VMs provide maximum control and flexibility, enabling customers to configure the environment exactly as needed for their applications. VMs can be combined with other Azure services such as Load Balancer, Application Gateway, and Azure Database services to create comprehensive application architectures.

Virtual Networking

Azure Virtual Networks

Azure Virtual Networks (VNets) provide the fundamental building blocks for networking in Azure, enabling secure communication between Azure resources and connectivity to on-premises networks and the internet. VNets create isolated network environments where resources can communicate securely with each other and with external networks. VNets provide IP address management, DNS resolution, and network security capabilities that are essential for building secure and scalable cloud applications.

VNets enable customers to create custom network topologies that match their organizational requirements, including multiple subnets, custom routing, and network security groups. VNets support both IPv4 and IPv6 addressing and can be connected to other VNets through peering or to on-premises networks through VPN or ExpressRoute connections. This flexibility enables customers to build complex network architectures that support hybrid cloud scenarios and multi-region deployments.

Azure Virtual Subnets

Azure Virtual Subnets are subdivisions of virtual networks that enable logical organization of resources and implementation of network security policies. Subnets provide network segmentation that helps isolate different types of resources and apply specific security rules to different parts of the network. Each subnet has its own IP address range and can be associated with network security groups and route tables to control traffic flow and security policies.

Subnets enable customers to implement network architectures that follow security best practices, such as separating web servers, application servers, and databases into different subnets with appropriate security controls. This segmentation helps limit the impact of security breaches and provides better control over network traffic. Subnets also support service endpoints that enable secure connectivity to Azure services without requiring internet access.

Virtual Network Peering

Azure Virtual Network Peering enables secure connectivity between virtual networks, allowing resources in different VNets to communicate with each other as if they were on the same network. Peering can be established between VNets in the same region (regional peering) or across different regions (global peering), enabling complex network architectures and multi-region deployments. Peered networks maintain their independence while enabling seamless communication between resources.

VNet peering provides several benefits including low-latency connectivity, reduced bandwidth costs, and simplified network management compared to using VPN gateways for connectivity. Peering supports transitive routing, enabling resources in peered networks to communicate with each other through intermediate networks. This capability enables customers to build hub-and-spoke network topologies and other complex network architectures that support centralized services and distributed applications.

Azure DNS

Azure DNS is a hosting service for DNS domains that provides fast DNS resolution and high availability for domain names. Azure DNS supports both public and private DNS zones, enabling customers to manage DNS records for internet-facing services and internal applications. The service provides automatic scaling, global distribution, and integration with other Azure services to ensure reliable DNS resolution for applications and services.

Azure DNS offers several advantages including fast DNS resolution through Microsoft's global network of DNS servers, high availability with automatic failover, and integration with Azure Resource Manager for consistent management. The service supports all standard DNS record types and provides features such as alias records that enable automatic updates when Azure resource IP addresses change. Azure DNS also supports private DNS zones for internal name resolution within virtual networks.

Azure VPN Gateway

Azure VPN Gateway provides secure connectivity between Azure virtual networks and on-premises networks over the internet using industry-standard VPN protocols. VPN Gateway supports both site-to-site VPN connections for connecting entire networks and point-to-site VPN connections for individual devices. The service provides encrypted connectivity that enables secure communication between Azure resources and on-premises systems while maintaining data privacy and integrity.

VPN Gateway offers several SKUs with different performance characteristics and features, enabling customers to select the appropriate gateway for their bandwidth and availability requirements. The service supports both policy-based and route-based VPN configurations and integrates with Azure Active Directory for authentication. VPN Gateway also supports active-active configurations for high availability and can be combined with ExpressRoute for hybrid connectivity scenarios.

Azure ExpressRoute

Azure ExpressRoute provides dedicated private connectivity between Azure data centers and on-premises infrastructure through a connectivity provider, bypassing the public internet. ExpressRoute offers higher security, lower latency, and more reliable connectivity compared to internet-based connections, making it ideal for applications that require consistent performance and enhanced security. The service supports multiple connectivity models including cloud exchange colocation, point-to-point ethernet, and any-to-any networks.

ExpressRoute provides several benefits including dedicated bandwidth, improved security through private connections, and lower latency compared to internet-based connectivity. The service supports multiple bandwidth options and can be configured for high availability with redundant connections. ExpressRoute also enables customers to access Azure services from on-premises networks without requiring internet connectivity, providing enhanced security and compliance capabilities for sensitive workloads.

Public and Private Endpoints

Public Endpoints

Public endpoints provide internet-accessible connectivity to Azure services and resources, enabling external users and applications to access services over the public internet. Public endpoints use public IP addresses and are accessible from anywhere on the internet, making them suitable for web applications, APIs, and services that need to be accessible to external users. However, public endpoints require careful security configuration to prevent unauthorized access and protect against potential security threats.

Public endpoints are commonly used for web applications, public APIs, and services that need to be accessible to customers, partners, or the general public. These endpoints require proper security measures including network security groups, web application firewalls, and authentication mechanisms to ensure secure access. Public endpoints also require consideration of data privacy and compliance requirements, as they expose services to potential security risks and regulatory scrutiny.

Private Endpoints

Private endpoints provide secure, private connectivity to Azure services from within a virtual network, ensuring that traffic between the virtual network and the service stays on the Microsoft backbone network. Private endpoints use private IP addresses from the virtual network and are not accessible from the internet, providing enhanced security and compliance capabilities. This private connectivity helps protect sensitive data and applications from internet-based threats while maintaining the benefits of cloud services.

Private endpoints are particularly valuable for services that handle sensitive data or have strict security requirements, such as databases, storage accounts, and internal APIs. They enable customers to access Azure services without exposing traffic to the public internet, reducing the attack surface and improving security posture. Private endpoints also help meet compliance requirements for data residency and network isolation, making them essential for regulated industries and sensitive workloads.

Endpoint Security Considerations

Real-World Implementation Scenarios

Scenario 1: E-commerce Web Application

Scenario 2: Microservices Architecture

Scenario 3: Hybrid Cloud Connectivity

Scenario 4: Serverless API Platform

Best Practices for Compute and Networking

Design and Architecture

• Choose appropriate compute options: Select compute services based on application requirements, management preferences, and cost considerations
• Design for high availability: Use availability sets, availability zones, and load balancing to ensure application resilience
• Implement network segmentation: Use subnets and network security groups to isolate and secure different application tiers
• Plan for scalability: Design architectures that can scale automatically based on demand and business growth
• Consider security from the start: Implement security controls and best practices throughout the architecture design

Implementation and Management

• Use managed services when possible: Leverage Azure managed services to reduce management overhead and improve reliability
• Implement monitoring and logging: Set up comprehensive monitoring and logging for all compute and networking resources
• Regular security reviews: Conduct regular security assessments and updates to maintain security posture
• Cost optimization: Monitor and optimize costs through right-sizing, reserved instances, and efficient resource utilization
• Documentation and governance: Maintain comprehensive documentation and implement governance policies for resource management

Exam Preparation Tips

Key Concepts to Remember

• Compute service characteristics: Understand the differences between containers, VMs, and functions in terms of control, management, and use cases
• VM options and requirements: Know the different VM options and the resources required to deploy and manage VMs
• Networking components: Understand virtual networks, subnets, peering, DNS, VPN Gateway, and ExpressRoute capabilities
• Endpoint types: Know the differences between public and private endpoints and their security implications
• Application hosting options: Understand when to use web apps, containers, or VMs for different application scenarios

Practice Questions

Practice Lab: Exploring Azure Compute and Networking

Lab Setup and Prerequisites

For this lab, you'll need a free Azure account (which provides $200 in credits for new users) and a web browser. No prior Azure experience is required, as we'll focus on understanding compute and networking concepts rather than complex configurations. The lab is designed to be completed in approximately 2-3 hours and provides hands-on experience with the key services covered in the AZ-900 exam.

Lab Activities

Lab Outcomes and Learning Objectives

Upon completing this lab, you should be able to explain the differences between Azure compute options, understand how virtual networking works, and identify when to use public vs. private endpoints. You'll have hands-on experience with VM deployment, container services, virtual network configuration, and network security. This practical experience will help you understand the real-world applications of Azure compute and networking services covered in the AZ-900 exam.

Cleanup and Cost Management

After completing the lab activities, be sure to delete all created resources to avoid unexpected charges. The lab is designed to use minimal resources, but proper cleanup is essential when working with cloud services. Use Azure Cost Management tools to monitor spending and ensure you stay within your free tier limits.